Solved: Failover triggers on ASA

Luis Carranza · ‎08-09-2012

Hi guys:

I got a question regarding on how the failover activate, as far as I know there are only 3 ways to trigger the failover:

1.- With the command "no failover active" on the Active device.

2.- If one of the interfaces (INSIDE/OUTSIDE) is down.

3.- If the device goes down.

Is there any other reason that could trigger the failover? I mean if I got configured some vlans and they are monitored if some of those vlans goes down the failover will trigger?

The reason I'm asking you this is because I'm doing some test with the failovers, there're 2 switches that are connected to the ASA primary and secondary, If I shutdown the interfaces that are connected to the other switches on the LAN but the interfaces that goes to the firewall (INSIDE/OUTSIDE) are not shutdown the failover are not triggered, I guess is because these interfaces are still up. Is this ok or not?

Regards

Karsten Iwen · ‎08-09-2012

The ASA sends kind of hello-packets on all interfaces (you can control which interfaces should be monitored). These hellos need to reach the other unit. If they don't, the ASAs try to find out which unit is better connected to the network. That device gets active.

The inteface status is only one criteria that gets tested.

In the following document are some example when and when not a failover happens:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547

Also relevant to your question is the Health monitoring:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079010

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎08-09-2012