Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 67 Configuring Active/Active Failover
Configuring Active/Active Failover
manager. For both types of failover, you need to provide system-level failover settings in the system
context, and context-level failover settings in the individual security contexts. For more information
about configuring failover in general, see Chapter 65, “Information About High Availability.”
See the following topics for more information:
Failover > Setup Tab
Failover > Criteria Tab
Failover > Active/Active Tab
Failover > MAC Addresses Tab
Failover > Setup Tab
Use this tab to enable failover on an ASA in multiple context mode. You also designate the failover link
and the state link, if using Stateful Failover, on this tab.
Note: During a successful failover event on the ASA, the interfaces are brought down, roles are switched (IP
addresses and MAC addresses are swapped), and the interfaces are brought up again. However, the
process is transparent to users. The ASA does not send link-down messages or system log messages to
notify users that interfaces were taken down during failover (or link-up messages for interfaces brought
up by the failover process).
Fields
Enable Failover—Checking this check box enables failover and lets you configure a standby ASA.
Note: The speed and duplex settings for an interface cannot be changed when Failover is enabled. To
change these settings for the failover interface, you must configure them in the Configuration >
Interfaces pane before enabling failover.
Use 32 hexadecimal character key—Check this check box to enter a hexadecimal value for the
encryption key in the Shared Key field. Uncheck this check box to enter an alphanumeric shared
secret in the Shared Key field.
Shared Key—Specifies the failover shared secret or key for encrypted and authenticated
communications between failover pairs.
If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal
encryption key. The key must be 32 hexadecimal characters (0-9, a-f).
If you cleared the Use 32 hexadecimal character key check box, then enter an alphanumeric shared
secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of
numbers, letters, or punctuation. The shared secret is used to generate the encryption key.
LAN Failover—Contains the fields for configuring LAN Failover.
Interface—Specifies the interface used for failover communication. Failover requires a
dedicated interface; however, you can use the same interface for Stateful Failover.
Only unconfigured interfaces or subinterfaces that have not been assigned to a context are
displayed in this list and can be selected as the LAN Failover interface. Once you specify an
interface as the LAN Failover interface, you cannot edit that interface in the Configuration >
Interfaces pane or assign that interface to a context.
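The Shared Key rules given above under Fields can be checked before a value is pasted into ASDM. The following is an added example, not part of the Cisco guide or any Cisco tool: the function names are hypothetical, the sample values are constructed, and rejecting uppercase hex is an assumption made to stay within the "0-9, a-f" range the guide states.

```python
import secrets
import string

HEX_CHARS = set("0123456789abcdef")  # the guide lists 0-9, a-f
SECRET_CHARS = set(string.ascii_letters + string.digits + string.punctuation)


def generate_hex_key():
    """Return a random 32-hex-character key (128 bits) from the OS CSPRNG."""
    return secrets.token_hex(16)


def check_shared_key(value, hex_mode):
    """Return a list of problems; an empty list means the value fits the rules.

    hex_mode mirrors the "Use 32 hexadecimal character key" check box.
    """
    problems = []
    if hex_mode:
        if len(value) != 32:
            problems.append(f"hex key must be 32 characters, got {len(value)}")
        bad = sorted(set(value) - HEX_CHARS)
        if bad:
            problems.append(f"non-hex characters: {''.join(bad)}")
    else:
        if not 1 <= len(value) <= 63:
            problems.append(
                f"shared secret must be 1 to 63 characters, got {len(value)}")
        bad = sorted(set(value) - SECRET_CHARS)
        if bad:
            problems.append(
                f"characters outside letters, numbers, punctuation: {bad!r}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: (value, hex_mode)
    candidates = [
        (generate_hex_key(), True),    # fresh random key
        ("0123456789abcdef", True),    # too short for hex mode
        ("Fail0ver-Pair!", False),     # fits the alphanumeric rules
        ("two words", False),          # contains a space
    ]
    for value, hex_mode in candidates:
        mode = "hex" if hex_mode else "secret"
        result = check_shared_key(value, hex_mode) or ["ok"]
        print(f"{mode:6} len={len(value):2} -> {'; '.join(result)}")
```

Because the guide says the alphanumeric shared secret is used to generate the encryption key, a short secret limits the strength of that key; the random 32-character hex key avoids that dependency.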