Cisco ASA Firewall Active/Standby Configuration Guide (Part 1 – Overview)
by PivIT Global on Apr 4, 2022 6:25:39 PM
A firewall is the primary device used to provide security functions in a network, although other complementary devices such as an Intrusion Prevention System (IPS), Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Identity Services Engine (ISE) may also be deployed alongside it.
Even though most firewalls in production networks are now Next-Generation firewalls (e.g., the Cisco Firepower Next-Generation Firewall) because of the newer features they support, an older Cisco Adaptive Security Appliance (ASA) firewall still fulfills its primary purpose: providing NAT services, tracking communication sessions, and supporting routing.
Because of the importance of the firewall and the dependence of the whole network on it, using a backup firewall is critical for uninterrupted network connectivity. Common concerns such as hardware issues, link/cable problems, or misconfiguration can all result in a non-operational network. Therefore, implementing a backup solution is the only way to ensure your network is always active and functional.
In this article, we will take a brief look at the benefits of the high-availability features that can be used on the Cisco ASA and focus on the Active/Standby failover, which is the most implemented deployment in networks today.
Support for Several High-Availability Features
The Cisco ASA firewall supports several high-availability features that provide interface-level and device-level redundancy. Depending on the requirements and the network deployment, one or another of them will be the best fit:
- EtherChannel – A port link aggregation technology where a logical interface consisting of several grouped physical interfaces provides fault tolerance, load balancing, redundancy, and increased bandwidth.
- Redundant Interface – A pair of two physical interfaces (one active and one standby) operating as a backup for each other to provide interface-level redundancy.
- ASA Cluster – A feature that groups multiple Cisco ASA firewalls to operate as a single logical firewall, achieving increased throughput and redundancy across all units.
- Two Failover Modes
  - Active/Standby Failover: A pair of two Cisco ASAs in which one unit is active and forwards traffic while the other one is in a hot standby state and takes over when the primary unit fails.
  - Active/Active Failover: A pair of two Cisco ASAs in which both units operate at the same time to provide load sharing and increased overall performance. When one of the units fails, the other one takes over and processes all network traffic.
Cisco ASA Active/Standby Failover Overview
A redundant device is needed to achieve uninterrupted network connectivity. The Active/Standby high-availability failover feature allows you to pair two Cisco ASAs together, where one unit is active and forwards all traffic while the other one sits in a hot standby state. See an example of an Active/Standby topology below.
When the active unit fails, the standby unit takes over the active role and continues forwarding the traffic. Therefore, if the Active/Standby failover feature is deployed and configured correctly on both firewalls, users will not experience network connectivity issues during the switchover between the ASAs.
In the Active/Standby configuration, there are two roles, primary and secondary, and they never change. One of the ASA firewalls is permanently designated as a primary unit, while the other one is a secondary unit. The reason for that is to establish the priority of both firewalls during the election process for active and standby units.
When the election process occurs (usually during the boot up), the primary unit always takes over the active role by default, while the secondary unit goes into a standby state.
The active ASA will then start processing all traffic while the standby ASA only monitors the active appliance for potential issues. Once something goes wrong with the active unit, the standby unit takes over and becomes the new active ASA in the Active/Standby pair.
In summary, when a Cisco ASA boots and detects another ASA, the primary unit becomes active and the secondary goes into standby. However, this is not always the case. On one hand, if there is already an active ASA in the pair, the booting ASA goes directly to standby.
On the other hand, if the ASA does not detect any other ASA during the selection process, it becomes active regardless of the role configured on that unit. If the ASA detects another ASA after this event, both firewalls renegotiate the failover roles.
Limitations of the Cisco ASA Active/Standby Configuration
For the Active/Standby configuration to work, two security appliances must be connected through a dedicated failover link and (optionally) a stateful failover link.
However, even though all Cisco ASAs can be configured for Active/Standby failover, a few requirements must be checked for the failover to work on both firewalls. Some of the most important are:
- Identical hardware used
- Same number and type of interfaces available
- Same software version used
- Same licenses (features) installed
- The active/standby failover feature installed
- Same operating modes used
Supported Failover Deployment Options
When implementing Active/Standby failover on Cisco ASAs, there are two types of failover configurations supported. Even though both use similar approaches, they provide different results and can be used separately or at the same time. The failover deployment options are:
- Stateless Failover: This failover approach provides hardware redundancy only and nothing more, which can be quite problematic in certain scenarios. The standby ASA monitors the active ASA for potential issues such as power, interface, or SSM failure of the device and takes over the active role.
The problem with this approach is that all connections previously tracked on the active unit are lost, and every client application that was working must start a new connection through the newly selected Cisco ASA, because this state is not synchronized between the ASAs.
The state in question includes the connection table and the corresponding local-host table, among other things used by the ASAs. Stateless failover is not the recommended failover option; however, it requires fewer resources on the units.
- Stateful Failover: This failover approach complements the stateless failover functionality by sharing additional information on top of the hardware status information already exchanged. When using stateful failover, the active unit continuously passes state information such as connection and local-host table data to the standby unit.
When a failover occurs, all the information is already available on the newly selected active ASA and there is no need for re-establishing connections. As a result, all end-user applications will continue working without any interruption or need for a reconnect.
Stateful failover is the recommended approach especially in cases when there are a lot of active end-user applications running in the background. A dedicated stateful link is a requirement to implement this failover.
Two Types of Failover Interfaces on a Cisco ASA
Once the ASAs are configured in either stateless or stateful failover, they will start communicating failover information between themselves. The information exchanged between the units identifies the roles (primary or secondary), the power status of the units, and shares connection state information for uninterrupted switchover between them.
Based on the information required, two types of failover interfaces can be configured on the Cisco ASAs, each one sharing a different type of information. The failover interfaces are:
- LAN Failover Interface: In any Active/Standby failover deployment there is a requirement for a LAN failover interface over which critical information is shared for normal operation of the failover configuration. This information is used to determine the operating status of each unit, as well as to replicate and synchronize the configuration between both units in the pair.
In order to accomplish this, a dedicated Ethernet interface must be used on each Cisco ASA, reserved exclusively for passing failover information. The connection between these interfaces on the ASAs can be either a direct link or a link through a switch.
- Stateful Failover Interface: This type of interface is optional. However, its use is recommended in a failover deployment, for a simple reason: besides the hardware status information shared, the standby unit also needs additional information such as connection state.
Without this data, any time a failover happens, all end-user applications must re-establish their connections and there will be an interruption from the client's point of view. The stateful failover interface can be either a dedicated interface or shared with another interface, including the LAN failover interface.
Although sharing the stateful failover interface with the LAN failover interface is a common approach, sharing it with a traffic-passing interface is not recommended. Some of the information exchanged over the stateful failover link is:
- Network Address Translation (NAT) table
- Address Resolution Protocol (ARP) table
- TCP connection table
- UDP connection table
- HTTP connection table
- MAC address table
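As an added example (not from the article, which defers the configuration to Part 2, and not from Cisco documentation), the primary unit's side of the two failover interfaces described above, with the stateful link shared with the LAN failover interface; the interface names, addresses, unit naming and key are assumed placeholder values:

```cisco
! Added example configuration for the PRIMARY unit (placeholder values).
! GigabitEthernet0/3 is assumed to be unused by data traffic and cabled
! directly (or through a switch) to the same interface on the peer.
!
! Dedicated LAN failover interface: carries unit role, health/hello state
! and configuration replication between the two units.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Stateful failover link: replicates the connection, NAT, ARP and related
! tables so existing sessions survive a switchover. Naming only the LAN
! failover interface (no second physical interface) shares the link with it,
! the common layout described above; no traffic-passing interface is used.
failover link FOLINK
!
! Failover messages carry the replicated configuration (including any
! credentials in it) and the state tables, so they must not cross the
! failover links in clear text: configure a shared key on both units.
failover key ChangeMeFailoverSecret01
!
! Data interfaces carry a standby address so the standby unit stays
! reachable and monitored, and so the active address moves on switchover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
! Enable failover last, once the peer meets the requirements listed above
! (same hardware, interfaces, software, licenses and mode) and carries the
! same failover lines with "failover lan unit secondary".
failover
```

The secondary unit needs only the matching failover lines with `failover lan unit secondary`; the rest of the configuration is replicated from the active unit once the pair forms.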
To conclude, once the Active/Standby deployment is finished, both ASAs are managed as a single logical unit. All that is needed afterward is to configure the active ASA, which holds the management IP address; it automatically replicates its configuration, and every later change, to the standby unit in the pair. Consequently, from the users' point of view, there will not be any interrupted connectivity when something goes wrong with the active ASA and a switchover happens.
For more information regarding the configuration of the Active/Standby failover deployment, see Part 2 of this two-part series.