Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 67 Configuring Active/Active Failover
Configuring Active/Active Failover
Note If you are configuring Active/Active failover, you do not use this tab to define the interface policy;
instead, you define the interface policy for each failover group using the Failover > Active/Active Tab.
With Active/Active failover, the interface policy settings defined for each failover group override the
settings on this tab. If you disable Active/Active failover, then the settings on this tab are used.
Fields
Interface Policy—Contains the fields for defining the policy for failover when monitoring detects
an interface failure.
Number of failed interfaces that triggers failover—When the number of failed monitored
interfaces exceeds the value you set with this command, then the ASA fails over. The range is
between 1 and 250 failures.
Percentage of failed interfaces that triggers failover—When the number of failed monitored
interfaces exceeds the percentage you set with this command, then the ASA fails over.
Failover Poll Times—Contains the fields for defining how often hello messages are sent on the
failover link, and, optionally, how long to wait before testing the peer for failure if no hello messages
are received.
Unit Failover—The amount of time between hello messages among units. The range is between
1 and 15 seconds or between 200 and 999 milliseconds.
Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover
link, or else the unit begins the testing process for peer failure. The range is between 1 and 45
seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times
the polltime.
Monitored Interfaces—The amount of time between polls among interfaces. The range is
between 1 and 15 seconds or 500 to 999 milliseconds.
Interface Hold Time—Sets the time during which a data interface must receive a hello message
on the data interface, after which the peer is declared failed. Valid values are from 5 to 75
seconds.
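The ranges and the 3-times rule listed above can be checked against a planned set of timer values before they are entered. The following is an added example, not part of the Cisco guide or of ASDM; the field names (unit_poll, unit_hold, interface_poll, interface_hold) and the "3s" / "800ms" notation are assumptions made for the example.

```python
import re

# Allowed ranges per field and unit, as stated in the field descriptions above.
RANGES = {
    "unit_poll":      {"s": (1, 15), "ms": (200, 999)},
    "unit_hold":      {"s": (1, 45), "ms": (800, 999)},
    "interface_poll": {"s": (1, 15), "ms": (500, 999)},
    "interface_hold": {"s": (5, 75)},  # documented in seconds only
}

def parse_time(text):
    """Parse '3s' or '800ms' (notation assumed for this example) into (n, unit)."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|s)\s*", text)
    if not m:
        raise ValueError(f"unparseable time value {text!r}")
    return int(m.group(1)), m.group(2)

def check_failover_timers(plan):
    """Return a list of findings; an empty list means the plan fits the limits."""
    findings, in_ms = [], {}
    for field, units in RANGES.items():
        if field not in plan:
            findings.append(f"{field}: missing")
            continue
        try:
            n, unit = parse_time(plan[field])
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
            continue
        if unit not in units:
            findings.append(f"{field}: unit '{unit}' is not accepted")
        elif not units[unit][0] <= n <= units[unit][1]:
            lo, hi = units[unit]
            findings.append(f"{field}: {n}{unit} is outside {lo}-{hi} {unit}")
        else:
            in_ms[field] = n * 1000 if unit == "s" else n
    # Cross-field rule: unit hold time may not be less than 3 times the poll time.
    if "unit_poll" in in_ms and "unit_hold" in in_ms:
        if in_ms["unit_hold"] < 3 * in_ms["unit_poll"]:
            findings.append("unit_hold: less than 3 times unit_poll")
    return findings

# Constructed sample plan: each value is in range, but the hold time is too short.
SAMPLE = {"unit_poll": "500ms", "unit_hold": "1s",
          "interface_poll": "5s", "interface_hold": "25s"}

if __name__ == "__main__":
    for finding in check_failover_timers(SAMPLE):
        print(finding)
```

The sample plan shows the case the range checks alone miss: 500 ms and 1 s are each valid values, yet the pair is rejected because 1 s is less than 3 times 500 ms.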
Failover > Active/Active Tab
Use this tab to enable Active/Active failover on the ASA by defining failover groups. In an Active/Active
failover configuration, both ASAs pass network traffic. Active/Active failover is only available to ASAs
in multiple mode.
A failover group is simply a logical group of security contexts. You can create two failover groups on
the ASA. You must create the failover groups on the active unit in the failover pair. The admin context
is always a member of failover group 1. Any unassigned security contexts are also members of failover
group 1 by default.
Note During a successful failover event on the ASA, the interfaces are brought down, roles are switched (IP
addresses and MAC addresses are swapped), and the interfaces are brought up again. However, the
process is transparent to users. The ASA does not send link-down messages or system log messages to
notify users that interfaces were taken down during failover (or link-up messages for interfaces brought
up by the failover process).