
Cisco ASA High Availability Concepts and Configurations

Contents

  1. Introduction to ASA Failover and Failover Modes
  2. Failover Types / ASA Failover Addresses / Failover Requirements
  3. Physical Failover Connectivity
  4. ASA Failover Configuration

Article Description

In any business network, one of the most important things to address is uptime. Depending on the size of the business and its network, every minute of downtime can greatly affect the productivity of the business, its employees, and the business systems that use the network.

To address this within the Adaptive Security Appliance (ASA) product line, Cisco offers high availability through a series of failover capabilities. Sean Wilkins takes a look at a few of these failover capabilities and shows you how they can be configured to provide high availability.

Failover Types

Within these two failover modes, there are also two failover types: stateless and stateful. With stateless failover, when a failover occurs, all active connections are dropped and must be reestablished before communication can continue.

With stateful failover, connection state information is exchanged between the failover partners (or groups). When a failover occurs, the active connections (those that are supported) are transferred seamlessly and do not need to be reestablished.

ASA Failover Addresses

When ASA failover is configured, a primary and secondary IP address are configured. When a failover occurs, the secondary partner will take over both the primary IP address and the primary MAC address, while the former primary partner will take over the secondary IP address and the secondary MAC address.
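
The following configuration sketch is an added example, not part of the original article. It shows where the stateless/stateful distinction and the address pair described above appear on the primary unit. The interface names, the link names FOLINK and STATELINK, and all addresses are constructed for illustration.

```cisco
! Constructed example for the primary unit; names and addresses are assumptions.
! Data interface: the first address is the one the article calls primary,
! the address after "standby" is the one it calls secondary.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Interfaces reserved for failover traffic only need to be enabled.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Failover (LAN) link: unit role, health checks and configuration sync.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! With only the lines above, failover is stateless:
! connections are dropped when the units swap roles.
!
! Adding a state link makes failover stateful:
! connection state is replicated to the partner over this link.
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
!
! Enable failover once the links are defined.
failover
```

After a failover, `show failover` on either unit reports which one currently holds the active role and whether stateful replication is running.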

Failover Requirements

Several hardware and software requirements must be met for a failover configuration to succeed. These requirements are listed below:

Hardware:

  • ASA failover partners must be the same model.
  • ASA failover partners must have the same number and types of interfaces.
  • ASA failover partners must have the same modules installed (if any are to be installed).
  • ASA failover partners must have the same amount of RAM installed (matching Flash sizes are also preferred).

Software:

  • Both ASA failover partners must be using the same firewall mode (routed or transparent).
  • Both ASA failover partners must be using the same context mode (single or multiple).
  • Both ASA failover partners must be using the same major and minor software version (there are exceptions during upgrade).
  • Both ASA failover partners must use the same AnyConnect images.