Failover triggers on ASA

Answered Question
Aug 9th, 2012

Hi guys:


I have a question regarding how the failover activates. As far as I know, there are only 3 ways to trigger the failover:


1.- With the command "no failover active" on the Active device.

2.- If one of the interfaces (INSIDE/OUTSIDE) is down.

3.- If the device goes down.


Is there any other reason that could trigger the failover? I mean, if I have some VLANs configured and they are monitored, will the failover trigger if some of those VLANs go down?


The reason I'm asking is that I'm doing some tests with the failover. There are 2 switches connected to the primary and secondary ASA. If I shut down the interfaces that are connected to the other switches on the LAN, but the interfaces that go to the firewall (INSIDE/OUTSIDE) are not shut down, the failover is not triggered. I guess it is because these interfaces are still up. Is this OK or not?



Regards

Correct Answer by Karsten Iwen about 5 years 1 week ago

The ASA sends a kind of hello packet on all interfaces (you can control which interfaces should be monitored). These hellos need to reach the other unit. If they don't, the ASAs try to find out which unit is better connected to the network. That device becomes active.


The interface status is only one criterion that gets tested.


The following document has some examples of when a failover does and does not happen:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547


Also relevant to your question is the Health monitoring:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079010



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Overall Rating: 5 (1 ratings)
Karsten Iwen Thu, 08/09/2012 - 14:20
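The interface monitoring described in the answer, as an added ASA configuration example that is not part of the original thread. The interface names (`inside`, `outside`, `dmz20`) and the timer values are assumptions chosen for illustration.

```cisco
! Added example: nameif values (inside, outside, dmz20) are assumed.
! Physical interfaces are monitored by default; subinterfaces (VLANs)
! are not, so a VLAN interface has to be enabled explicitly before its
! failure can count toward a failover decision.
monitor-interface inside
monitor-interface outside
monitor-interface dmz20
!
! Number of failed monitored interfaces that makes the unit give up
! the active role (a percentage such as 50% is also accepted).
failover interface-policy 1
!
! Hello interval and hold time, in seconds, on monitored interfaces.
failover polltime interface 5 holdtime 25
!
! Verify from privileged EXEC on both units:
!   show monitor-interface
!   show failover
```

During a test, `show failover` lists the state of each monitored interface on both units, which shows whether the hellos are still reaching the peer.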
