Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 66 Configuring Active/Standby Failover
serious data or connection loss. The failover replication http command enables the stateful
replication of HTTP sessions in a Stateful Failover environment, but it could have a negative impact
upon system performance.
AnyConnect images must be the same on both ASAs in a failover pair. If the failover pair has
mismatched images when a hitless upgrade is performed, then the WebVPN connection terminates
in the final reboot step of the upgrade process, the database shows an orphaned session, and the IP
pool shows that the IP address assigned to the client is “in use.”
Configuring Active/Standby Failover
This section describes how to configure Active/Standby failover. This section includes the following
topics:
Configuring Failover
Configuring Optional Active/Standby Failover Settings

Configuring Failover

Follow these steps to configure Active/Standby failover on both units.
The speed and duplex settings for the failover interface cannot be changed when Failover is enabled. To
change these settings for the failover interface, you must configure them in the Configuration >
Interfaces pane before enabling failover.
Step 1 Choose the Configuration > Device Management > Failover > Setup tab.
Step 2 Check the Enable Failover check box.
Note Failover is not actually enabled until you apply your changes to the device.
Step 3 To encrypt the failover link, do the following:
a. (Optional) Check the Use 32 hexadecimal character key check box to enter a hexadecimal value
for the encryption key in the Shared Key field.
b. Enter the encryption key in the Shared Key field.
If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal
encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
If the Use 32 hexadecimal character key check box is unchecked, then enter an alphanumeric shared
secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of
numbers, letters, or punctuation. The shared secret is used to generate the encryption key.
Step 4 Select the interface to use for the failover link from the Interface list. Failover requires a dedicated
interface; however, you can share the interface with Stateful Failover.
Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN
Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that
interface in the Configuration > Interfaces pane.
Step 5 Specify the logical name of the interface used for failover communication in the Logical Name field.
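
Added example, not part of the Cisco guide: a Python check that applies the Shared Key rules from Step 3 to a proposed key and audits a saved running-config for a failover link that was left unencrypted. The CLI lines it looks for (`failover`, `failover key`, `failover lan interface`) are assumed to be the running-config equivalents of these ASDM settings, and the sample configs are constructed.

```python
import re
import string

# Step 3 rules from the page: 32 hex characters (0-9, a-f), or a 1-63
# character secret made of numbers, letters, or punctuation.
HEX_KEY = re.compile(r"[0-9a-f]{32}")
SECRET_CHARS = set(string.ascii_letters + string.digits + string.punctuation)

def check_failover_key(value, hex_mode):
    """Return a list of problems with a proposed Shared Key value."""
    problems = []
    if hex_mode:
        if not HEX_KEY.fullmatch(value):
            problems.append("hex key must be exactly 32 characters, 0-9 and a-f")
    else:
        if not 1 <= len(value) <= 63:
            problems.append("shared secret must be 1 to 63 characters")
        if any(c not in SECRET_CHARS for c in value):
            problems.append("only numbers, letters, or punctuation are valid")
    return problems

def audit_failover(config_text):
    """Return findings for one unit's saved running-config text."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []
    if "failover" not in lines:
        findings.append("failover is not enabled")
    # Assumed CLI form; the key value is normally masked, so test presence only.
    if not any(l.startswith("failover key ") for l in lines):
        findings.append("no failover key: failover link is not encrypted")
    if not any(l.startswith("failover lan interface ") for l in lines):
        findings.append("no dedicated failover LAN interface")
    if "failover replication http" in lines:
        findings.append("info: HTTP replication on, may affect performance")
    return findings

# Constructed sample configs (interface and logical names are placeholders).
SAMPLE_ENCRYPTED = """failover
failover lan interface folink GigabitEthernet0/3
failover key *****
"""
SAMPLE_PLAINTEXT = """failover
failover lan interface folink GigabitEthernet0/3
failover replication http
"""

if __name__ == "__main__":
    for name, cfg in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, audit_failover(cfg) or "ok")
```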