Cisco ASA 5500-X Series Next-Generation Firewalls

ASA FAQ: What happens after failover if dynamic routes are synchronized?

Document ID: 117816

Updated: Dec 09, 2014

Contributed by Dinkar Sharma and Magnus Mortensen, Cisco TAC Engineers.



This document describes what happens after failover if dynamic routes are synchronized.

Background Information

Cisco Adaptive Security Appliance (ASA) code Version and later synchronize dynamic routes from the ACTIVE unit to the STANDBY unit. In addition, deletion of routes is also synchronized to the STANDBY unit. However, the state of peer adjacencies is not synchronized; only the ACTIVE device maintains the neighbor state and actively participates in dynamic routing.

What happens after failover if dynamic routes are synchronized?

If an existing ACTIVE ASA goes down, the STANDBY ASA takes over and processes traffic based on connection information and routes synchronized by the peer device. The newly ACTIVE ASA continues to pass traffic for connections that were formed with dynamic routes for 15 seconds even without neighbor adjacencies. At this point, the newly ACTIVE ASA begins to form neighbor adjacencies with peer routers, and all routes are synchronized once again. Now, if the adjacency and route learning process takes more than 15 seconds, the ASA drops all connections that use dynamic routes.

It is important to note that even if the ASA forms a neighbor adjacency and learns routes within 15 seconds, a brief outage is still expected. This is because the newly ACTIVE ASA forms the adjacency from scratch. Once the database/topology exchange (Open Shortest Path First/Enhanced Interior Gateway Routing Protocol) has completed, all of the routes from the peer routing table are refreshed on the ASA; until then, the peer router does not have routes to forward packets towards the newly ACTIVE ASA. For this to work without an outage, the neighbor state also has to be synchronized. The Cisco ASA supports Non-Stop Forwarding from software Version 9.3.1 and later for the dynamic routing protocols Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF). Refer to the release notes for ASA Version 9.3.1 for more information about this feature.
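The following is an added example, not part of this Cisco document, that models the behaviour described above: after a failover, connections that depend on dynamic routes survive only if the new ACTIVE unit re-forms its adjacencies within the 15-second window, while static and connected routes are unaffected. Connection names and route types are constructed for illustration.

```python
from dataclasses import dataclass

# Window (seconds) during which the newly ACTIVE ASA keeps forwarding on
# dynamic routes synchronized from the former ACTIVE unit, with no adjacency yet.
GRACE_PERIOD_S = 15


@dataclass(frozen=True)
class Connection:
    name: str
    route_type: str  # "static", "connected" or "dynamic" (OSPF/EIGRP/BGP-learned)


def at_risk(conns):
    """Connections whose next hop comes from a dynamic routing protocol.

    Only these are exposed to the failover timer; static and connected
    routes are not affected by the loss of neighbor adjacencies."""
    return [c.name for c in conns if c.route_type == "dynamic"]


def connections_after_failover(conns, adjacency_time_s, grace_s=GRACE_PERIOD_S):
    """Return (kept, dropped) connection names after a failover.

    adjacency_time_s is the time the new ACTIVE unit needs to form neighbor
    adjacencies and relearn routes. If that takes MORE than the grace window,
    every connection using dynamic routes is dropped; otherwise all survive
    (subject to the brief outage while the peer router refreshes its routes)."""
    kept, dropped = [], []
    for c in conns:
        if c.route_type == "dynamic" and adjacency_time_s > grace_s:
            dropped.append(c.name)
        else:
            kept.append(c.name)
    return kept, dropped


# Constructed sample: a management session over a static route and two
# flows whose routes are learned from OSPF/EIGRP peers.
SAMPLE = [
    Connection("mgmt-ssh", "static"),
    Connection("branch-vpn", "dynamic"),
    Connection("dmz-web", "dynamic"),
]

if __name__ == "__main__":
    print("at risk:", at_risk(SAMPLE))
    print("adjacency in 10 s:", connections_after_failover(SAMPLE, 10))
    print("adjacency in 20 s:", connections_after_failover(SAMPLE, 20))
```

Planning check: if your routing peers cannot complete hello, database exchange and route installation inside that window, expect dynamic-route connections to be torn down, which is the gap Non-Stop Forwarding in 9.3.1 closes.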