How to tell if Active/active or Active/Standby mode is configured?

Jason Jackal · ‎06-12-2012

Folks:

I am still learning the output of my running config, but how do I tell if my firewall is set to Actve/Active or Active/Standby mode?

In addition, how do I tell if it uses regular or stateful failover mode?

Thank you

Jennifer Halim · ‎06-12-2012

If you don't have multiple context configured, it is definitely just Active/Standby failover. Active/Active failover basically means that if you have multiple context configured, you can have some context active on 1 unit, and some other context active on another unit.

If under the output of "show failover" on the "Stateful Failover Logical Update Statistics" section, you have an interface configured and it's UP, and the stats are showing some numbers, that means stateful failover is configured.

OR, you can also check the configuration, and if you have "failover link" command configured, that means stateful failover is configured.

nkarthikeyan · ‎06-12-2012

Hi Jason,

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

Also you can refer cisco document for better understanding

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#conf

In your configuration it will be configured like this.... this configuration shows that the unit is primary.... so this one is active and the other unit is standby...also it has two different failover configured.... lan and state which describes the LAN failover and stateful failover...

failover

failover lan unit primary

failover lan interface failover Ethernet0/2

failover key *****

failover replication http

failover link State Ethernet0/3

failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

failover interface ip State 20.0.0.1 255.255.255.0 standby 20.20.20.2

Juraj Papic · ‎06-13-2012

Hello Jason,

This can help

sh failover | i This

Regards

Jason Jackal · ‎06-13-2012

Thank you for the suggestions

Jason Jackal · ‎06-13-2012

I wanted to provide this as well, since I found it and it also helped me answering my question.

This output shows Active/Active failover output.

**Note** it says PIX; however, I beleive it will be the same output for ASA.

PIX1(config-subif)#show failover

Failover On

Cable status: N/A - LAN-based failover enabled

Failover unit Primary

Failover LAN Interface: LANFailover Ethernet3 (up)

Unit Poll frequency 15 seconds, holdtime 45 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 4 of 250 maximum

Version: Ours 7.2(2), Mate 7.2(2)

Group 1 last failover at: 06:12:45 UTC Apr 16 2007

Group 2 last failover at: 06:12:43 UTC Apr 16 2007

This host: Primary

Group 1 State: Active

Active time: 359610 (sec)

Group 2 State: Standby Ready

Active time: 3165 (sec)

context1 Interface inside (192.168.1.1): Normal

context1 Interface outside (172.16.1.1): Normal

context2 Interface inside (192.168.2.2): Normal

context2 Interface outside (172.16.2.2): Normal

Other host: Secondary

Group 1 State: Standby Ready

Active time: 0 (sec)

Group 2 State: Active

Active time: 3900 (sec)

context1 Interface inside (192.168.1.2): Normal

context1 Interface outside (172.16.1.2): Normal

context2 Interface inside (192.168.2.1): Normal

context2 Interface outside (172.16.2.1): Normal

Jennifer Halim · ‎06-13-2012

They are Active/Active failover since you have multiple context configured.