Cisco ASA 5500-X Series Next-Generation Firewalls

ASA FAQ: What happens after failover if dynamic routes are synchronized?

Document ID: 117816

Updated: Jul 01, 2014

Contributed by Dinkar Sharma and Magnus Mortensen, Cisco TAC Engineers.

Introduction

This document describes what happens after failover if dynamic routes are synchronized.

Background Information

Cisco Adaptive Security Appliance (ASA) code Version 8.4.4.1 and later synchronize dynamic routes from the ACTIVE unit to the STANDBY unit. In addition, deletion of routes is also synchronized to the STANDBY unit. However, the state of peer adjacencies is not synchronized; only the ACTIVE device maintains the neighbor state and actively participates in dynamic routing.

What happens after failover if dynamic routes are synchronized?

If an existing ACTIVE ASA goes down, the STANDBY ASA takes over and processes traffic based on the connection information and routes synchronized by the peer device. The newly ACTIVE ASA continues to pass traffic for connections that were formed with dynamic routes for 15 seconds, even without neighbor adjacencies. During this time, the newly ACTIVE ASA begins to form neighbor adjacencies with the peer routers, and all routes are learned once again. If, however, the adjacency and route learning process takes more than 15 seconds, the ASA drops all connections that use dynamic routes.

It is important to note that even if the ASA forms a neighbor adjacency and learns routes within 15 seconds, a brief outage is still expected. This is because the newly ACTIVE ASA forms the adjacency from scratch. Only once the database/topology exchange (Open Shortest Path First/Enhanced Interior Gateway Routing Protocol) has been completed are all of the routes from the peer routing table refreshed on the ASA; until then, the peer router does not have routes with which to forward packets towards the newly ACTIVE ASA. For this to work without an outage, the neighbor state would also have to be synchronized. Cisco Enhancement ID CSCsu90386 (Non-Stop Forwarding support for dynamic routing protocols) has been filed in order to track this feature request in the ASA code.