Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA active/standby configuration

Hi Guys,

I currently have a LAN-based failover setup between two 5510s. The failover link is a crossover cable. In the current setup, if I unplug the crossover cable both units become active. From what I understood from Cisco documentation, each unit should mark the failover interface as down and there shouldn't be any failover. That's exactly how I want this setup to work.

1) Can someone please help me clarify/fix this?

2) Will a second failover link fix my problem?

3) How can I configure a second failover link?

Thank you for your time!



Sent from Cisco Technical Support iPhone App

Cisco Employee

ASA active/standby configuration

If you unplug the failover cable, both units will definitely become active because they can't communicate with each other, hence both resume the active role.

It is recommended to connect the failover link to switch instead of using crossover cable because it is more difficult to troubleshoot if you are using crossover cable when it fails.

You can configure redundant interface to have a standby physical link for your failover link.

Here is the configuration guide for your reference:

Community Member

ASA active/standby configuration

Thank you for the reply Jennifer.

I was reffering to the following document:

Failure Event


Active Action

Standby Action


Failover link failed during operation

No failover

Mark failover interface as failed

Mark failover interface as failed

You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Stateful Failover link failed

No failover

No action

No action

State information becomes out of date, and sessions are terminated if a failover occurs.

I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?

How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.

Sorry I didn't accurately phrase my original post.

Thank you

Cisco Employee

ASA active/standby configuration

No, it won't fix your problem because the 2 are actually passing different types of information.

The failover link is to ensure that all the interfaces are up and there is no failure on either of the ASA.

The stateful failover link is to pass the firewall connection table, xlate table, VPN session, etc.

So if the failover link fails, then you are at the same stage as when you use just 1 interface for both failover and stateful failover link.

If you would like to separate the 2 anyway, you can configure it, just assign different interface and ip address for each failover links:


failover link eth2

failover lan interface eth3

failover interface ip standby

failover interface ip standby

Community Member

Re: ASA active/standby configuration

Thank you Jennifer. I configured a Stateful link using the commands you mentioned.

Thought you might be interested to know that everything is now working as I expected! The ASAs do not failover when I unplug,

1) The Failover link

2) The Stateful failover link

3) Both Failover and Stateful failover links

I had to reconfigure the Active and Standby IPs of the INSIDE and OUTSIDE interfaces. Now I can see the standby IPs assigned on the Standby ASA. Whereas earlier there were no IPs assigned to the INSIDE and OUTSIDE interfaces on the Standby ASA. This might have been a config replication problem over the Failover link.

For anyone interested, the failover scenarios in work absolutely fine in an Active/Standby ASA HA config.


Cisco Employee

Re: ASA active/standby configuration

Great, thanks for the update.

CreatePlease to create content