62-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 62 Configuring Active/Standby Failover
Configuring Active/Standby Failover
Firewall Mode Guidelines
Supported in transparent and routed firewall mode.
IPv6 Guidelines
IPv6 failover is supported.
Model Guidelines
Stateful failover is not supported on the ASA 5505.
Additional Guidelines and Limitations
Configuring port security on the switch(es) connected to an ASA failover pair can cause communication problems when a failover event occurs. This is because, if a secure MAC address configured or learned on one secure port moves to another secure port, the switch port security feature flags a violation.
ASA failover replication fails if you try to make a configuration change in two or more contexts at the same time. The workaround is to make configuration changes on each unit sequentially.
The following guidelines and limitations apply for Active/Standby failover:
• To receive packets from both units in a failover pair, standby IP addresses need to be configured on all interfaces.
• The standby IP addresses are used on the ASA that is currently the standby unit, and they must be in the same subnet as the active IP address on the corresponding interface on the active unit.
• If you change the console terminal pager settings on the active unit in a failover pair, the active console terminal pager settings change, but the standby unit settings do not. A default configuration issued on the active unit does affect behavior on the standby unit.
• When you enable interface monitoring, you can monitor up to 250 interfaces on a unit.
• By default, the ASA does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but it could have a negative impact upon system performance.
• AnyConnect images must be the same on both ASAs in a failover pair. If the failover pair has mismatched images when a hitless upgrade is performed, then the WebVPN connection terminates in the final reboot step of the upgrade process, the database shows an orphaned session, and the IP pool shows that the IP address assigned to the client is “in use.”
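The following configuration is an added example, not taken from the Cisco guide, that puts the standby-address, interface-monitoring and HTTP-replication guidelines above into one primary-unit configuration. Interface names, the IP addresses (documentation ranges) and the failover-link name folink are assumed values; the failover-link commands follow standard ASA syntax and are shown only so the fragment is complete.

```cisco
! Added example (not from the Cisco guide): primary unit of an Active/Standby pair.
! Interface names, addresses and the failover-link name "folink" are assumed values.
!
! Every data interface gets a standby address in the SAME subnet as its active
! address, so the standby unit is reachable (and can be monitored) on every link.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Dedicated failover link with its own standby address on the same /30.
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Reuse the failover link as the state link for Stateful Failover
! (not applicable on the ASA 5505, which does not support Stateful Failover).
failover link folink
!
! Explicit health monitoring of the data interfaces (at most 250 per unit).
monitor-interface outside
monitor-interface inside
!
! Optional: replicate HTTP connection state to the standby unit. Off by default
! because short-lived HTTP flows are cheap to retry; enabling it costs performance.
failover replication http
!
failover
```

A missing standby address on any interface shows up as that interface being unmonitored or "Not-Monitored" in the show failover output, which is the first thing to check when the standby unit is never seen as reachable on a link.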
Configuring Active/Standby Failover
This section describes how to configure Active/Standby failover. This section includes the following topics:
• Task Flow for Configuring Active/Standby Failover, page 62-8
• Configuring the Primary Unit, page 62-8
• Configuring the Secondary Unit, page 62-11
• Configuring Optional Active/Standby Failover Settings, page 62-12