Cisco Support Community

Failover triggers on ASA

Hi guys:

I have a question regarding how the failover activates. As far as I know, there are only 3 ways to trigger the failover:

1.- With the command "no failover active" on the Active device.

2.- If one of the interfaces (INSIDE/OUTSIDE) is down.

3.- If the device goes down.

Is there any other reason that could trigger the failover? I mean, if I have some VLANs configured and they are monitored, will the failover trigger if one of those VLANs goes down?

The reason I'm asking is that I'm doing some tests with the failovers. There are 2 switches that are connected to the ASA primary and secondary. If I shut down the interfaces that are connected to the other switches on the LAN, but the interfaces that go to the firewall (INSIDE/OUTSIDE) are not shut down, the failover is not triggered. I guess it is because these interfaces are still up. Is this OK or not?

Regards


Accepted Solutions

The ASA sends a kind of hello packet on all interfaces (you can control which interfaces should be monitored). These hellos need to reach the other unit. If they don't, the ASAs try to find out which unit is better connected to the network. That device becomes active.

The interface status is only one criterion that gets tested.

The following document has some examples of when a failover does and does not happen:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547

Also relevant to your question is the Health monitoring:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079010

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
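
The answer's point that you can control which interfaces are monitored, shown as an added ASA configuration example (not part of the original posts). The name `vlan10` is a hypothetical nameif for a VLAN subinterface, `inside` and `outside` follow the question, and the threshold and timer values are illustrative.

```cisco
! Physical interfaces are monitored by default; subinterfaces are not,
! so a VLAN subinterface only counts toward failover once it is enabled by name.
monitor-interface inside
monitor-interface outside
! Hypothetical nameif of a VLAN subinterface.
monitor-interface vlan10
!
! Number of failed monitored interfaces that triggers a failover.
failover interface-policy 1
!
! Interval between interface hellos and the hold time, in seconds.
failover polltime interface 5 holdtime 25
!
! Verification (exec mode): per-interface monitoring state and unit health.
! show monitor-interface
! show failover
```

In `show failover`, each monitored interface is listed with its state, which shows whether the hellos on that interface are reaching the peer unit.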
