Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Active/Standby Failover

Configuring Active/Standby Failover


This chapter describes how to configure Active/Standby failover and includes the following sections:

Introduction to Failover and High Availability

Prerequisites for Active/Standby Failover

Guidelines and Limitations

Configuring Active/Standby Failover

Controlling Failover

Monitoring Active/Standby Failover

Feature History for Active/Standby Failover

Introduction to Failover and High Availability

Configuring high availability requires two identical ASA 1000Vs connected to each other through a dedicated failover link. The health of the active interfaces and ASA 1000Vs is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

The ASA 1000V supports Active/Standby failover. With Active/Standby failover, only one ASA 1000V passes traffic while the other ASA 1000V waits in a standby state. The interface typically assigned for active/standby failover pairs on the ASA 1000V is GigabitEthernet0/2.

Failover System Requirements

Failover and Stateful Failover Links

Stateless (Regular) and Stateful Failover

Auto Update Server Support in Failover Configurations

Failover Health Monitoring

Failover Messages

Failover System Requirements

The two ASA 1000Vs in a failover configuration must have the same major (first number) and minor (second number) software version. However, you can use different versions of the software during an upgrade process and have failover remain active. We recommend upgrading both ASA 1000Vs to the same version to ensure long-term compatibility.

Information About Active/Standby Failover

This section describes Active/Standby failover and includes the following topics:

Active/Standby Failover Overview

Primary/Secondary Status and Active/Standby Status

Device Initialization and Configuration Synchronization

Command Replication

Failover Triggers

Failover Actions

Active/Standby Failover Overview

Active/Standby failover enables you to use a standby ASA 1000V to take over the functionality of a failed ASA 1000V. When the active ASA 1000V fails, it changes to the standby state while the standby ASA 1000V changes to the active state. The ASA 1000V that becomes active assumes the IP addresses and MAC addresses of the failed ASA 1000V and begins passing traffic. The ASA 1000V that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Primary/Secondary Status and Active/Standby Status

The main differences between the two ASA 1000Vs in a failover pair are related to which ASA 1000V is active and which ASA 1000V is standby, namely which IP addresses to use and which ASA 1000V actively passes traffic.

However, a few differences exist between the ASA 1000Vs based on which one is primary (as specified in the configuration) and which one is secondary:

The primary ASA 1000V always becomes the active ASA 1000V if both ASA 1000Vs start up at the same time (and are of equal operational health).

The primary ASA 1000V MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary ASA 1000V is active and cannot obtain the primary ASA 1000V MAC addresses over the failover link. In this case, the secondary ASA 1000V MAC addresses are used.

Device Initialization and Configuration Synchronization

Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations are always synchronized from the active ASA 1000V to the standby ASA 1000V. When the standby ASA 1000V completes its initial startup, it clears its running configuration (except for the failover commands needed to communicate with the active ASA 1000V), and the active ASA 1000V sends its entire configuration to the standby ASA 1000V.

The active ASA 1000V is determined by the following:

If an ASA 1000V boots and detects a peer already running as active, it becomes the standby ASA 1000V.

If an ASA 1000V boots and does not detect a peer, it becomes the active ASA 1000V.

If both ASA 1000Vs boot simultaneously, then the primary ASA 1000V becomes the active ASA 1000V, and the secondary ASA 1000V becomes the standby ASA 1000V.


Note If the secondary ASA 1000V boots without detecting the primary ASA 1000V, it becomes the active ASA 1000V. It uses its own MAC addresses for the active IP addresses. However, when the primary ASA 1000V becomes available, the secondary ASA 1000V changes the MAC addresses to those of the primary ASA 1000V, which can cause an interruption in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the "Configuring Virtual MAC Addresses" section for more information.


When the replication starts, the console on the active ASA 1000V displays the message "Beginning configuration replication: Sending to mate," and when it is complete, the ASA 1000V displays the message "End Configuration Replication to mate." During replication, commands entered on the active ASA 1000V may not replicate properly to the standby ASA 1000V, and commands entered on the standby ASA 1000V may be overwritten by the configuration being replicated from the active ASA 1000V. Avoid entering commands on either ASA 1000V in the failover pair during the configuration replication process. Depending upon the size of the configuration, replication can take from a few seconds to several minutes.

On the standby ASA 1000V, the configuration exists only in running memory. To save the configuration to the flash memory on the standby ASA 1000V, choose File > Save Running Configuration to Flash.

A failover pair of ASA 1000Vs must be deployed in the same mode (both VNMC or both ASDM) so that security policy configuration stays consistent across the failover pair. If the modes are mixed, the following error message appears:

Mate's device manager mode (ASDM|VNMC) is not compatible with my mode (ASDM|VNMC). 
Failover will be disabled.

Command Replication

Command replication always flows from the active ASA 1000V to the standby ASA 1000V. As you apply your changes to the active unit in ASDM, the associated commands are sent across the failover link to the standby ASA 1000V. You do not have to save the active configuration to flash memory to replicate the commands.

The following commands are replicated to the standby ASA 1000V:

All configuration commands except for mode, firewall, and failover lan unit

copy running-config startup-config

delete

mkdir

rename

rmdir

write memory

The following commands are not replicated to the standby ASA 1000V:

All forms of the copy command except for copy running-config startup-config

All forms of the write command except for write memory

debug

failover lan unit

firewall

show

terminal pager and pager


Note Changes made on the standby ASA 1000V are not replicated to the active ASA 1000V. If you enter a command on the standby ASA 1000V, the following message appears: **** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. This message appears even when you enter many commands that do not affect the configuration.


Replicated commands are stored in the running configuration. To save replicated commands to the flash memory on the standby ASA 1000V, choose File > Save Running Configuration to Flash.


Note Standby Failover does not replicate the following files and configuration components:

ASA 1000V images

ASDM images


Failover Triggers

The ASA 1000V can fail if one of the following events occurs:

A hardware failure or a power failure occurs.

A software failure occurs.

Too many monitored interfaces fail.

You force a failover. (See the "Forcing Failover" section.)

Failover Actions

Table 7-1 shows the failover action for each failure event. For each failure event, the table shows the failover policy (failover or no failover), the action taken by the active ASA 1000V, the action taken by the standby ASA 1000V, and any special notes about the failover condition and actions.

Table 7-1 Failover Behavior

| Failure Event | Policy | Active Action | Standby Action | Notes |
|---|---|---|---|---|
| Active ASA 1000V failed | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link. |
| Formerly active ASA 1000V recovers | No failover | Become standby | No action | None. |
| Standby ASA 1000V failed | No failover | Mark standby as failed | n/a | When the standby ASA 1000V is marked as failed, then the active ASA 1000V does not attempt to fail over, even if the interface failure threshold is surpassed. |
| Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the ASA 1000V cannot fail over to the standby ASA 1000V while the failover link is down. |
| Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both ASA 1000Vs become active. |
| Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs. |
| Interface failure on active ASA 1000V above threshold | Failover | Mark active as failed | Become active | None. |
| Interface failure on standby ASA 1000V above threshold | No failover | No action | Mark standby as failed | When the standby ASA 1000V is marked as failed, then the active ASA 1000V does not attempt to fail over even if the interface failure threshold is surpassed. |


Optional Active/Standby Failover Settings

You can configure the following Active/Standby failover options when you initially configure failover or after failover has been configured:

HTTP replication with Stateful Failover—Allows connections to be included in the state information replication.

Interface monitoring—Allows you to monitor up to 250 interfaces on an ASA 1000V and control which interfaces affect your failover.

Interface health monitoring—Enables the ASA 1000V to detect and respond to interface failures more quickly.

Failover criteria setup—Allows you to specify a specific number of interfaces or a percentage of monitored interfaces that must fail before failover occurs.

Virtual MAC address configuration—Ensures that the secondary ASA 1000V uses the correct MAC addresses when it is the active ASA 1000V, even if it comes online before the primary ASA 1000V.

Failover and Stateful Failover Links

This section describes the failover and the Stateful Failover links, which are dedicated connections between the two ASA 1000Vs in a failover configuration. This section includes the following topics:

Failover Link

Stateful Failover Link

Avoiding Interrupted Failover Links

Failover Link

The two ASA 1000Vs in a failover pair constantly communicate over a failover link to determine the operating status of each ASA 1000V. The following information is communicated over the failover link:

The ASA 1000V state (active or standby)

Hello messages (keepalives)

Network link status

MAC address exchange

Configuration replication and synchronization


Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.

You can use the GigabitEthernet 0/2 interface on the device as the failover link. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link).

Connect the failover link using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA 1000V.

Stateful Failover Link

To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:

You can use a dedicated Ethernet interface for the Stateful Failover link. This is defined as the GigabitEthernet0/2 interface, with the name FOlink. This interface does not receive packets with vPath encapsulation.

If you are managing policies through the ASDM, you can change interface roles after initial deployment.

You can share the failover link.

You can share a regular data interface, such as the inside interface. However, this option is not recommended.

Connect a dedicated state link by using a switch, with no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA 1000V.


Note Enable the PortFast option on Cisco switch ports that connect directly to the ASA 1000V.


If you use a data interface as the Stateful Failover link, you receive the following warning when you specify that interface as the Stateful Failover link:

******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********
  Sharing Stateful failover interface with regular data interface is not
  a recommended configuration due to performance and security concerns.
******* WARNING ***** WARNING ******* WARNING ****** WARNING  *********
 
   

Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.


Note The IP address and MAC address for the Stateful Failover link do not change at failover unless the Stateful Failover link is configured on a regular data interface.



Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.
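
The following configuration audit is an added example, not part of the Cisco guide. It checks a saved running configuration for the three risks described in this chapter: no failover key (clear-text failover traffic), a Stateful Failover link that shares a named data interface, and data interfaces without virtual MAC addresses. The sample configurations are constructed, and the CLI line shapes (failover key, failover link, failover lan interface, failover mac address, nameif) are assumed to match what the device prints, because this ASDM guide does not show them.

```python
# Constructed samples; the line shapes are assumptions, not output copied from a device.
SAMPLE_WEAK = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 description LAN Failover Interface
failover
failover lan unit primary
failover lan interface FOlink GigabitEthernet0/2
failover link inside GigabitEthernet0/0
"""

SAMPLE_HARDENED = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface FOlink GigabitEthernet0/2
failover key *****
failover link FOlink GigabitEthernet0/2
failover mac address GigabitEthernet0/0 0000.5e00.5301 0000.5e00.5302
"""


def parse_config(text):
    """Collect named (data) interfaces and the failover settings from a config."""
    named = {}  # physical interface -> nameif
    fo = {"enabled": False, "key": False, "lan": None, "state": None, "vmac": set()}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if raw.startswith("interface "):
            current = words[1]
        elif raw[0].isspace():
            # Indented line: belongs to the current interface stanza.
            if current and words[0] == "nameif" and len(words) > 1:
                named[current] = words[1]
        else:
            current = None
            if words == ["failover"]:
                fo["enabled"] = True
            elif words[:2] == ["failover", "key"] and len(words) > 2:
                fo["key"] = True
            elif words[:3] == ["failover", "lan", "interface"] and len(words) >= 5:
                fo["lan"] = (words[3], words[4])
            elif words[:2] == ["failover", "link"] and len(words) >= 3:
                fo["state"] = (words[2], words[3] if len(words) > 3 else None)
            elif words[:3] == ["failover", "mac", "address"] and len(words) >= 6:
                fo["vmac"].add(words[3])
    return named, fo


def audit(text):
    """Return a list of finding identifiers (empty when nothing is flagged)."""
    named, fo = parse_config(text)
    if not fo["enabled"]:
        return ["FAILOVER_DISABLED"]
    findings = []
    # Without a key, failover and Stateful Failover traffic is sent in clear text.
    if not fo["key"]:
        findings.append("NO_FAILOVER_KEY")
    if fo["state"] is None:
        # Stateless failover: connections are dropped when a failover occurs.
        findings.append("NO_STATE_LINK")
    else:
        name, phys = fo["state"]
        if phys is None and fo["lan"] and fo["lan"][0] == name:
            phys = fo["lan"][1]  # state link shares the failover link
        # A state link on an interface that also carries a nameif is the
        # "shared data interface" case the guide warns about.
        if name in named.values() or phys in named:
            findings.append("STATE_LINK_ON_DATA_INTERFACE")
    # Virtual MACs avoid the MAC change when the secondary boots first.
    for phys in sorted(named):
        if phys not in fo["vmac"]:
            findings.append("NO_VIRTUAL_MAC:" + phys)
    return findings


if __name__ == "__main__":
    print("weak:", audit(SAMPLE_WEAK))
    print("hardened:", audit(SAMPLE_HARDENED))
```
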

Avoiding Interrupted Failover Links

Because the ASA 1000V uses failover interfaces to transport messages between primary and secondary ASA 1000Vs, if a failover interface is down (that is, the physical link is down or the switch used to connect the interface is down), then the ASA 1000V failover operation is affected until the health of the failover interface is restored.

In the event that all communication is cut off between the ASA 1000Vs in a failover pair, both ASA 1000Vs go into the active state, which is expected behavior. When communication is restored and the two active ASA 1000Vs resume communication through the failover link or through any monitored interface, the primary ASA 1000V remains active, and the secondary ASA 1000V immediately returns to the standby state. This relationship is established regardless of the health of the primary ASA 1000V.

Because of this behavior, stateful flows that were passed properly by the secondary active ASA 1000V during the network split are now interrupted. To avoid this interruption, failover links and data interfaces should travel through different paths to decrease the chance that all links fail at the same time. In the event that only one failover link is down, the ASA 1000V takes a sample of the interface health, exchanges this information with its peer through the data interface, and performs a switchover if the active ASA 1000V has a greater number of down interfaces. Subsequently, the failover operation is suspended until the health of the failover link is restored.

Depending upon their network topologies, several primary/secondary failure scenarios exist in ASA 1000V failover pairs, as shown in the following scenarios.

Scenario 1—Not Recommended

If a single switch or a set of switches is used to connect both failover and data interfaces between two ASA 1000Vs, then when a switch or inter-switch-link is down, both ASA 1000Vs become active. Therefore, the following two connection methods shown in Figure 7-1 and Figure 7-2 are NOT recommended.

Figure 7-1 Connecting with a Single Switch—Not Recommended

Figure 7-2 Connecting with a Double Switch—Not Recommended

Scenario 2—Recommended

To make the ASA 1000V failover pair resistant to failover interface failure, we recommend that failover interfaces NOT use the same switch as the data interfaces, as shown in the preceding connections. Instead, use a different switch to connect two ASA 1000V failover interfaces, as shown in Figure 7-3.

Figure 7-3 Connecting with a Different Switch

Scenario 3—Recommended

If the ASA 1000V data interfaces are connected to more than one set of switches, then a failover interface can be connected to one of the switches, preferably the switch on the secure side of the network, as shown in Figure 7-4.

Figure 7-4 Connecting with a Secure Switch

Stateless (Regular) and Stateful Failover

The ASA 1000V supports two types of failover, regular and stateful. This section includes the following topics:

Stateless (Regular) Failover

Stateful Failover

Stateless (Regular) Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active ASA 1000V takes over.

Stateful Failover

When Stateful Failover is enabled, the active ASA 1000V continually passes per-connection state information to the standby ASA 1000V. After a failover occurs, the same connection information is available at the new active ASA 1000V. Supported end-user applications are not required to reconnect to keep the same communication session.

The following state information is passed to the standby ASA 1000V when Stateful Failover is enabled:

NAT translation table

TCP connection states

UDP connection states

The ARP table

The HTTP connection states (if HTTP replication is enabled)

The ISAKMP and IPsec SA table

SIP signalling sessions

The following state information is not passed to the standby ASA 1000V when Stateful Failover is enabled:

The HTTP connection table (unless HTTP replication is enabled).

The user authentication (uauth) table.

Inspected protocols are subject to advanced TCP-state tracking, and the TCP state of these connections is not automatically replicated. While these connections are replicated to the standby ASA 1000V, there is a best-effort attempt to re-establish a TCP state.

DHCP server address leases.

State information for modules.

Auto Update Server Support in Failover Configurations

You can use the Auto Update Server to deploy software images and configuration files to ASA 1000Vs in an Active/Standby failover configuration. To enable Auto Update on an Active/Standby failover configuration, enter the Auto Update Server configuration on the primary ASA 1000V in the failover pair.

The following restrictions and behaviors apply to Auto Update Server support in failover configurations:

When loading a new platform software image, the failover pair stops passing traffic.

When using LAN-based failover, new configurations must not change the failover link configuration. If they do, communication between the ASA 1000Vs will fail.

Only the primary ASA 1000V will perform the call home to the Auto Update Server. The primary ASA 1000V must be in the active state to call home. If it is not, the ASA 1000V automatically fails over to the primary ASA 1000V.

Only the primary ASA 1000V downloads the software image or configuration file. The software image or configuration is then copied to the secondary ASA 1000V.

The interface MAC address is from the primary ASA 1000V.

The configuration file stored on the Auto Update Server or HTTP server is for the primary ASA 1000V only.

Auto Update Process Overview

The following is an overview of the Auto Update process in failover configurations. This process assumes that failover is enabled and operational. The Auto Update process cannot occur if the ASA 1000Vs are synchronizing configurations, if the standby ASA 1000V is in the failed state for any reason, or if the failover link is down.

1. Both ASA 1000Vs exchange the platform and ASDM software checksum and version information.

2. The primary ASA 1000V contacts the Auto Update Server. If the primary ASA 1000V is not in the active state, the ASA 1000V first fails over to the primary ASA 1000V and then contacts the Auto Update Server.

3. The Auto Update Server replies with software checksum and URL information.

4. If the primary ASA 1000V determines that the platform image file needs to be updated for either the active or standby ASA 1000V, the following occurs:

a. The primary ASA 1000V retrieves the appropriate files from the HTTP server using the URL from the Auto Update Server.

b. The primary ASA 1000V copies the image to the standby ASA 1000V and then updates the image on itself.

c. If both ASA 1000Vs have a new image, the secondary (standby) ASA 1000V is reloaded first.

If hitless upgrade can be performed when the secondary ASA 1000V boots, then the secondary ASA 1000V becomes the active ASA 1000V and the primary ASA 1000V reloads. The primary ASA 1000V becomes the active ASA 1000V when it has finished loading.

If hitless upgrade cannot be performed when the standby ASA 1000V boots, then both ASA 1000Vs reload at the same time.

d. If only the secondary (standby) ASA 1000V has a new image, then only the secondary ASA 1000V reloads. The primary ASA 1000V waits until the secondary ASA 1000V finishes reloading.

e. If only the primary (active) ASA 1000V has a new image, the secondary ASA 1000V becomes the active ASA 1000V, and the primary ASA 1000V reloads.

f. The update process starts again at Step 1.

5. If the ASA 1000V determines that the ASDM image file needs to be updated for either the primary or secondary ASA 1000V, the following occurs:

a. The primary ASA 1000V retrieves the ASDM image file from the HTTP server using the URL provided by the Auto Update Server.

b. The primary ASA 1000V copies the ASDM image to the standby ASA 1000V, if needed.

c. The primary ASA 1000V updates the ASDM image on itself.

d. The update process starts again at Step 1.

6. If the primary ASA 1000V determines that the configuration needs to be updated, the following occurs:

a. The primary ASA 1000V retrieves the configuration file using the specified URL.

b. The new configuration replaces the old configuration on both ASA 1000Vs simultaneously.

c. The update process begins again at Step 1.

7. If the checksums match for all image and configuration files, no updates are required. The process ends until the next poll time.

Monitoring the Auto Update Process

You can use the debug auto-update client or debug fover cmd-exe commands to display the actions performed during the Auto Update process. The following is sample output from the debug auto-update client command. Run debug commands from a terminal session.

Auto-update client: Sent DeviceDetails to /cgi-bin/dda.pl of server 192.168.0.21
Auto-update client: Processing UpdateInfo from server 192.168.0.21
   Component: asdm, URL: http://192.168.0.21/asdm.bint, checksum: 0x94bced0261cc992ae710faf8d244cf32
   Component: config, URL: http://192.168.0.21/config-rms.xml, checksum: 0x67358553572688a805a155af312f6898
   Component: image, URL: http://192.168.0.21/cdisk73.bin, checksum: 0x6d091b43ce96243e29a62f2330139419
Auto-update client: need to update img, act: yes, stby yes
name
ciscoasa(config)# Auto-update client: update img on stby unit...
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 1, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 1001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 1501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 2001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 2501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 3001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 3501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 4001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 4501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 5001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 5501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 6001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 6501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 7001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 7501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 8001, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 8501, len = 1024
auto-update: Fover copyfile, seq = 4 type = 1, pseq = 9001, len = 1024
auto-update: Fover file copy waiting at clock tick 6129280
fover_parse: Rcvd file copy ack, ret = 0, seq = 4
auto-update: Fover filecopy returns value: 0 at clock tick 6150260, upd time 145980 msecs
Auto-update client: update img on active unit...
fover_parse: Rcvd image info from mate
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
auto-update: HA safe reload: reload active waiting with mate state: 20
Beginning configuration replication: Sending to mate.
auto-update: HA safe reload: reload active waiting with mate state: 50
auto-update: HA safe reload: reload active waiting with mate state: 50
 
   
auto-update: HA safe reload: reload active waiting with mate state: 80
        Sauto-update: HA safe reload: reload active unit at clock tick: 6266860
Auto-update client: Succeeded: Image, version: 0x6d091b43ce96243e29a62f2330139419
 
   

The following syslog message is generated if the Auto Update process fails:

%ASA-4-612002: Auto Update failed: file version: version reason: reason
 
   

The file is "image," "asdm," or "configuration," depending on which update failed. The version is the version number of the update, and the reason is the reason the update failed.
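
The following log review script is an added example, not part of the Cisco guide. It reads a captured debug auto-update client session together with syslog 612002 lines, then reports update failures, components fetched over plain HTTP, downloads from hosts outside an allow list, and a completed update whose reported version differs from the checksum the server advertised. The debug lines in the sample are taken from the output above; the 612002 line and the allow-list policy are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Debug lines from the sample output above, plus one constructed 612002 line.
SAMPLE = """\
Auto-update client: Sent DeviceDetails to /cgi-bin/dda.pl of server 192.168.0.21
Auto-update client: Processing UpdateInfo from server 192.168.0.21
   Component: asdm, URL: http://192.168.0.21/asdm.bint, checksum:
0x94bced0261cc992ae710faf8d244cf32
   Component: config, URL: http://192.168.0.21/config-rms.xml, checksum:
0x67358553572688a805a155af312f6898
   Component: image, URL: http://192.168.0.21/cdisk73.bin, checksum:
0x6d091b43ce96243e29a62f2330139419
Auto-update client: Succeeded: Image, version: 0x6d091b43ce96243e29a62f2330139419
%ASA-4-612002: Auto Update failed: asdm version: 6.7 reason: constructed reason text
"""

SERVER = re.compile(r"Processing UpdateInfo from server (\S+)")
COMPONENT = re.compile(
    r"Component:\s*(\w+),\s*URL:\s*(\S+),\s*checksum:\s*(0x[0-9a-fA-F]+)")
SUCCEEDED = re.compile(
    r"Auto-update client: Succeeded: (\w+), version: (0x[0-9a-fA-F]+)")
# Tolerates optional commas between the file, version and reason fields.
FAILED = re.compile(
    r"%ASA-4-612002: Auto Update failed:\s*(\S+?),?\s+version:\s*(\S+?),?"
    r"\s+reason:\s*(.+)")


def unwrap(text):
    """Strip lines and re-join checksums that the terminal wrapped onto a new line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("checksum:") and line.startswith("0x"):
            lines[-1] += " " + line
        elif line:
            lines.append(line)
    return lines


def analyze(text, trusted_servers):
    """Return findings as tuples; trusted_servers is this example's allow list."""
    advertised = {}  # component name -> checksum from the current UpdateInfo
    findings = []
    for line in unwrap(text):
        if m := SERVER.search(line):
            advertised = {}  # a new poll replaces earlier advertisements
            if m.group(1) not in trusted_servers:
                findings.append(("UNTRUSTED_SERVER", m.group(1)))
        elif m := COMPONENT.search(line):
            name, url, checksum = m.groups()
            advertised[name.lower()] = checksum.lower()
            parts = urlsplit(url)
            if parts.scheme != "https":
                findings.append(("CLEARTEXT_DOWNLOAD", name))
            if parts.hostname not in trusted_servers:
                findings.append(("UNEXPECTED_HOST", name))
        elif m := SUCCEEDED.search(line):
            name, version = m.group(1).lower(), m.group(2).lower()
            if advertised.get(name) != version:
                findings.append(("CHECKSUM_MISMATCH", name))
        elif m := FAILED.search(line):
            findings.append(("UPDATE_FAILED", m.group(1), m.group(3)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE, {"192.168.0.21"}):
        print(finding)
```
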

Failover Health Monitoring

The ASA 1000V monitors each ASA 1000V for overall health and for interface health. See the following sections for more information about how the ASA 1000V performs tests to determine the state of each ASA 1000V:

ASA 1000V Health Monitoring

Interface Monitoring

ASA 1000V Health Monitoring

The ASA 1000V determines the health of the other ASA 1000V by monitoring the failover link. When an ASA 1000V does not receive three consecutive hello messages on the failover link, the ASA 1000V sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the ASA 1000V takes depends upon the response from the other ASA 1000V. See the following possible actions:

If the ASA 1000V receives a response on the failover interface, then it does not fail over.

If the ASA 1000V does not receive a response on the failover link, but it does receive a response on another interface, then the ASA 1000V does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible because the ASA 1000V cannot fail over to the standby while the failover link is down.

If the ASA 1000V does not receive a response on any interface, then the standby ASA 1000V switches to active mode and classifies the other ASA 1000V as failed.

You can configure the frequency of the hello messages and the hold time before failover occurs. A faster poll time and shorter hold time speed the detection of ASA 1000V failures and make failover occur more quickly, but they can also cause "false" failures due to network congestion delaying the keepalive packets.

Interface Monitoring

You can monitor up to 250 interfaces. You should monitor important interfaces.

When an ASA 1000V does not receive hello messages on a monitored interface for half of the configured hold time, it runs the following tests:

1. Link Up/Down test—A test of the interface status. If the Link Up/Down test indicates that the interface is operational, then the ASA 1000V performs network tests. The purpose of these tests is to generate network traffic to determine which (if either) ASA 1000V has failed. At the start of each test, each ASA 1000V clears its received packet count for its interfaces. At the conclusion of each test, each ASA 1000V looks to see if it has received any traffic. If it has, the interface is considered operational. If one ASA 1000V receives traffic for a test and the other ASA 1000V does not, the ASA 1000V that received no traffic is considered failed. If neither ASA 1000V has received traffic, then the next test is used.

2. Network Activity test—A received network activity test. The ASA 1000V counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.

3. ARP test—A reading of the ASA 1000V ARP cache for the two most recently acquired entries. One at a time, the ASA 1000V sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the ASA 1000V counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the ping test begins.

4. Broadcast Ping test—A ping test that consists of sending out a broadcast ping request. The ASA 1000V then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops.

If all network tests fail for an interface, but this interface on the other ASA 1000V continues to successfully pass traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover occurs. If the other ASA 1000V interface also fails all the network tests, then both interfaces go into the "Unknown" state and do not count towards the failover limit.

An interface becomes operational again if it receives any traffic. A failed ASA 1000V returns to standby mode if the interface failure threshold is no longer met.


Note If a failed ASA 1000V does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the ASA 1000V will fail again.
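The decision logic of the network tests described above can be traced with a short model. This Python sketch is an added example, not Cisco code: the interface names and packet counts are constructed, and it assumes the Link Up/Down test has already passed on both units and that the failover threshold is "met" when the failed count reaches it.

```python
from enum import Enum


class Status(Enum):
    NORMAL = "Normal"
    FAILED = "Failed"
    UNKNOWN = "Unknown"


# Order of the network tests that follow a passing Link Up/Down test.
NETWORK_TESTS = ("network_activity", "arp", "broadcast_ping")


def evaluate_interface(local_rx, peer_rx):
    """Walk the network tests for one monitored interface.

    local_rx / peer_rx map a test name to the packets counted during that
    test (counters are cleared at the start of each test).
    Returns (status of the local interface, name of the deciding test).
    """
    for test in NETWORK_TESTS:
        if local_rx.get(test, 0) > 0:
            return Status.NORMAL, test   # any traffic: operational, stop testing
        if peer_rx.get(test, 0) > 0:
            return Status.FAILED, test   # the peer heard traffic, this unit did not
        # neither unit received traffic: move on to the next test
    return Status.UNKNOWN, NETWORK_TESTS[-1]  # both units failed every test


def evaluate_pair(sample, threshold=1):
    """Evaluate every interface and apply the failed-interface threshold."""
    results = {name: evaluate_interface(l, p) for name, (l, p) in sample.items()}
    # Unknown interfaces do not count towards the failover limit.
    failed = sorted(n for n, (s, _) in results.items() if s is Status.FAILED)
    return results, len(failed) >= threshold, failed


# Constructed sample: {interface: (local packet counts, peer packet counts)}
SAMPLE = {
    "inside": ({"arp": 3}, {"arp": 2}),     # ARP requests stimulated traffic
    "outside": ({}, {"broadcast_ping": 4}),  # only the peer ever hears traffic
    "dmz": ({}, {}),                         # silent on both units
}

if __name__ == "__main__":
    results, trigger, failed = evaluate_pair(SAMPLE)
    for name, (status, test) in results.items():
        print(f"{name}: {status.value} (decided by {test})")
    print("failover triggered:", trigger, failed)
```
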


Failover Messages

When a failover occurs, both ASA 1000Vs send out system messages. This section includes the following topics:

Failover System Messages

Debugging Messages

SNMP

Failover System Messages

The ASA 1000V issues a number of system messages related to failover at priority level 2, which indicates a critical condition. To view these messages, see the syslog messages guide. To enable logging, see Chapter 32 "Configuring Logging."


Note During switchover, failover logically shuts down and then brings up interfaces, generating syslog 411001 and 411002 messages. This activity is normal.


Debugging Messages

To see debugging messages, enter the debug fover command. See the command reference for more information.


Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance. For this reason, use the debug fover commands only to troubleshoot specific problems or during troubleshooting sessions with the Cisco TAC.


SNMP

To receive SNMP syslog traps for failover, configure the SNMP agent to send SNMP traps to SNMP management stations, define a syslog host, and compile the Cisco syslog MIB into your SNMP management station. See Chapter 33 "Configuring SNMP" for more information.

Prerequisites for Active/Standby Failover

Both ASA 1000Vs must be identical ASA 1000Vs that are connected to each other through a dedicated failover link and, optionally, a Stateful Failover link.

Guidelines and Limitations

To receive packets from both ASA 1000Vs in a failover pair, standby IP addresses need to be configured on all interfaces.

The standby IP addresses are used on the ASA 1000V that is currently the standby ASA 1000V, and they must be in the same subnet as the active IP address on the corresponding interface on the active ASA 1000V.

If you change the console terminal pager settings on the active ASA 1000V in a failover pair, the active console terminal pager settings change, but the standby ASA 1000V settings do not. A default configuration issued on the active ASA 1000V does affect behavior on the standby ASA 1000V.

When you enable interface monitoring, you can monitor up to 250 interfaces on an ASA 1000V.

By default, the ASA 1000V does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but it could have a negative impact on system performance.

Configuring Active/Standby Failover

This section describes how to configure Active/Standby failover. This section includes the following topics:

Configuring Failover

Configuring Optional Active/Standby Failover Settings

Configuring Failover

The speed and duplex settings for the failover interface cannot be changed when Failover is enabled. To change these settings for the failover interface, you must configure them in the Configuration > Interfaces pane before enabling failover.

To configure Active/Standby failover on both ASA 1000Vs, perform the following steps:


Step 1 Choose the Configuration > Device Management > Failover > Setup tab.

Step 2 Check the Enable Failover check box.


Note Failover is not actually enabled until you apply your changes to the device.


Step 3 To encrypt the failover link, do the following:

a. (Optional) Check the Use 32 hexadecimal character key check box to enter a hexadecimal value for the encryption key in the Shared Key field.

b. Enter the encryption key in the Shared Key field.

If you checked the Use 32 hexadecimal character key check box, then enter a hexadecimal encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

If the Use 32 hexadecimal character key check box is unchecked, then enter an alphanumeric shared secret. The shared secret can be from 1 to 63 characters. Valid characters are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.

Step 4 Select the interface to use for the failover link from the Interface list. Failover requires a dedicated interface; however, you can share the interface with Stateful Failover.

Only unconfigured interfaces or subinterfaces are displayed in this list and can be selected as the LAN Failover interface. Once you specify an interface as the LAN Failover interface, you cannot edit that interface in the Configuration > Interfaces pane.

Step 5 Specify the logical name of the interface used for failover communication in the Logical Name field.

Step 6 Specify the active IP address for the interface in the Active IP field. You cannot configure both types of addresses on the failover link interface.

Step 7 Depending upon the type of address specified for the Active IP, enter a subnet mask for the failover interface in the Subnet Mask/Prefix Length field.

Step 8 Specify the IP address used by the secondary unit to communicate with the primary unit in the Standby IP field.

Step 9 Select Primary or Secondary in the Preferred Role field to specify whether the preferred role for this ASA 1000V is as the primary or secondary ASA 1000V.

Step 10 (Optional) Configure the Stateful Failover link by doing the following:

a. Specify the interface used for state communication. You can choose an unconfigured interface or subinterface, the LAN Failover interface, or the Use Named option.

If you choose an unconfigured interface or subinterface, you must supply the Active IP, Subnet Mask, Standby IP, and Logical Name for the interface.

If you choose the LAN Failover interface, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used.

If you choose the Use Named option, the Logical Name field becomes a drop-down list of named interfaces. Choose the interface from this list. The Active IP, Subnet Mask/Prefix Length, and Standby IP values do not need to be specified. The values specified for the interface are used. Be sure to specify a standby IP address for the selected interface on the Interfaces tab.


Note Because Stateful Failover can generate a large amount of traffic, performance for both Stateful Failover and regular traffic can suffer when you use a named interface.


b. Specify the IP address for the Stateful Failover interface in the Active IP field. You cannot configure both types of addresses on the failover link interface. This field is dimmed if the LAN Failover interface or Use Named option is chosen from the Interface drop-down list.

c. Specify the mask for the Stateful Failover interface in the Subnet Mask/Prefix Length. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.

d. Specify the interface name used for failover communication in the Logical Name field. If you chose the Use Named option in the Interface drop-down list, this field displays a list of named interfaces. This field is dimmed if the LAN Failover interface is chosen from the Interface drop-down list.

e. Specify the IP address used by the secondary ASA 1000V to communicate with the primary ASA 1000V in the Standby IP field. This field is dimmed if the LAN Failover interface or Use Named option is chosen from the Interface drop-down list.

f. (Optional) Enable HTTP replication by checking the Enable HTTP Replication check box. This enables Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not allow HTTP replication, then HTTP connections are disconnected in the event of a failover.

Step 11 Click Apply.

The configuration is saved to the failover pair.


Configuring Interface Standby Addresses

To configure a standby address for each interface on the ASA 1000V, perform the following steps:


Step 1 Choose the Configuration > Device Management > High Availability > Failover > Interfaces tab.

A list of configured interfaces appears. The IP address for each interface appears in the Active IP Address column. If configured, the standby IP address for the interface appears in the Standby IP address column. The failover interface and Stateful failover interface do not display IP addresses; you cannot change those addresses from this tab.

Step 2 For each interface that does not have a standby IP address, double-click the Standby IP Address field and do one of the following:

Click the ellipses and select an IP address from the list.

Type an IP address into the field.


You can also specify whether or not the interface is monitored from this tab. For more information about configuring interface monitoring, see the "Disabling and Enabling Interface Monitoring" section.

Configuring Optional Active/Standby Failover Settings

This section includes the following topics:

Disabling and Enabling Interface Monitoring

Configuring Failover Criteria

Configuring the ASA 1000V and Interface Health Poll Times

Configuring Virtual MAC Addresses

You can configure the optional Active/Standby failover settings when initially configuring the primary ASA 1000V in a failover pair or on the active ASA 1000V in the failover pair after the initial configuration.

Disabling and Enabling Interface Monitoring

You can control which interfaces affect your failover policy by disabling the monitoring of specific interfaces and enabling the monitoring of others. This feature enables you to exclude interfaces attached to less critical networks from affecting your failover policy.

You can monitor up to 256 interfaces on an ASA 1000V. By default, monitoring Ethernet interfaces is enabled and monitoring subinterfaces is disabled.

Hello messages are exchanged during every interface poll frequency time period between the ASA 1000V failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).

Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface or VLAN is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

To enable or disable health monitoring for specific interfaces on ASA 1000Vs in single configuration mode, enter one of the following commands.

To disable or enable monitoring of an interface, perform the following steps:


Step 1 Choose the Configuration > Device Management > High Availability > Failover > Interfaces tab.

A list of configured interfaces appears. The Monitored column displays whether or not an interface is monitored as part of your failover criteria. If it is monitored, a check appears in the Monitored check box.

Step 2 To disable monitoring of a listed interface, uncheck the Monitored check box for the interface.

Step 3 To enable monitoring of a listed interface, check the Monitored check box for the interface.


Configuring Failover Criteria

You can specify a specific number of interfaces or a percentage of monitored interfaces that must fail before failover occurs. By default, a single interface failure causes failover.

Use the Configuration > Device Management > High Availability > Criteria tab to define criteria for failover, such as how many interfaces must fail and how long to wait between polls. The hold time specifies the interval to wait without receiving a response to a poll before unit failover.

For information about configuring the hold and poll times, see the "Configuring the ASA 1000V and Interface Health Poll Times" section.

To configure the interface policy, perform the following steps:


Step 1 Choose the Configuration > Device Management > High Availability > Failover > Criteria tab.

Step 2 In the Interface Policy area, do one of the following:

To define a specific number of interfaces that must fail to trigger failover, enter a number from 1 to 256 in the Number of failed interfaces field. When the number of failed monitored interfaces exceeds the value that you specify, the ASA 1000V fails over.

To define a percentage of configured interfaces that must fail to trigger failover, enter a percentage in the Percentage of failed interfaces field. When the number of failed monitored interfaces exceeds the percentage that you set, the ASA 1000V fails over.

Step 3 Click Apply.


Configuring the ASA 1000V and Interface Health Poll Times

The ASA 1000V sends hello packets out of each data interface to monitor interface health. The ASA 1000V sends hello messages across the failover link to monitor ASA 1000V health. If the ASA 1000V does not receive a hello packet from the corresponding interface on the peer ASA 1000V for over half of the hold time, then the additional interface testing begins. If a hello packet or a successful test result is not received within the specified hold time, the interface is marked as failed. Failover occurs if the number of failed interfaces meets the failover criteria.

Decreasing the poll and hold times enables the ASA 1000V to detect and respond to interface failures more quickly, but may consume more system resources. Increasing the poll and hold times prevents the ASA 1000V from failing over on networks with higher latency.


Step 1 Choose the Configuration > Device Management > High Availability > Failover > Criteria tab.

Step 2 To configure the interface poll and hold times, change the following values in the Failover Poll Times area:

Monitored Interfaces—The amount of time between polls among interfaces. The range is between 1 and 15 seconds or 500 to 999 milliseconds.

Interface Hold Time—Sets the time during which a data interface must receive a hello message on the data interface, after which the peer is declared failed. Valid values are from 5 to 75 seconds.

Step 3 To configure the unit poll and hold times, change the following values in the Failover Poll Times area:

Unit Failover—The amount of time between hello messages among units. The range is between 1 and 15 seconds or between 200 and 999 milliseconds.

Unit Hold Time—Sets the time during which a unit must receive a hello message on the failover link, or else the unit begins the testing process for peer failure. The range is between 1 and 45 seconds or between 800 and 999 milliseconds. You cannot enter a value that is less than 3 times the poll time.

Step 4 Click Apply.
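Before entering values in ASDM, a planned failover configuration can be checked against the constraints this chapter states: the shared key format (Configuring Failover, Step 3), the standby address subnet rule (Guidelines and Limitations), and the poll and hold time ranges above. This Python sketch is an added example, not Cisco code; the plan layout, interface names, and addresses are constructed, and all times are expressed in milliseconds.

```python
import ipaddress
import re
import secrets

HEX_KEY = re.compile(r"[0-9a-f]{32}")  # the page lists 0-9, a-f
RANGES = {  # timer: (whole-second range, millisecond range or None)
    "if_poll": ((1, 15), (500, 999)),
    "if_hold": ((5, 75), None),
    "unit_poll": ((1, 15), (200, 999)),
    "unit_hold": ((1, 45), (800, 999)),
}

def check_shared_key(key, hex_mode):
    """Exactly 32 hex characters, or a 1-63 character shared secret."""
    if hex_mode:
        return [] if HEX_KEY.fullmatch(key) else ["key: need exactly 32 hex characters"]
    return [] if 1 <= len(key) <= 63 else ["key: shared secret must be 1-63 characters"]

def check_standby_ip(name, active, mask, standby):
    """The standby address must sit in the same subnet as the active address."""
    net = ipaddress.ip_interface(f"{active}/{mask}").network
    if ipaddress.ip_address(standby) not in net:
        return [f"{name}: standby {standby} is outside {net}"]
    return []

def _valid(ms, seconds, millis):
    """True if ms is a whole number of seconds in `seconds` or lies in `millis`."""
    if ms % 1000 == 0 and seconds[0] <= ms // 1000 <= seconds[1]:
        return True
    return millis is not None and millis[0] <= ms <= millis[1]

def check_timers(**t):
    """Range-check each timer, then apply the 3x rule to the unit hold time."""
    issues = [f"timers: {k}={t[k]} ms is out of range"
              for k, (sec, ms) in RANGES.items() if not _valid(t[k], sec, ms)]
    if t["unit_hold"] < 3 * t["unit_poll"]:
        issues.append("timers: unit_hold is less than 3 times unit_poll")
    return issues

def audit(plan):
    """Return every problem found in a planned failover configuration."""
    issues = check_shared_key(plan["key"], plan["hex_key"])
    for name, (active, mask, standby) in plan["interfaces"].items():
        issues += check_standby_ip(name, active, mask, standby)
    return issues + check_timers(**plan["timers"])

# Constructed plans (documentation address ranges, hypothetical interface name).
WEAK_PLAN = {
    "key": "0123456789abcdef0123456789abcde",  # 31 characters: one short
    "hex_key": True,
    "interfaces": {"inside": ("198.51.100.1", "255.255.255.0", "203.0.113.2")},
    "timers": {"unit_poll": 1000, "unit_hold": 2000, "if_poll": 5000, "if_hold": 25000},
}
FIXED_PLAN = {
    "key": secrets.token_hex(16),  # 32 hex characters from the OS CSPRNG
    "hex_key": True,
    "interfaces": {"inside": ("198.51.100.1", "255.255.255.0", "198.51.100.2")},
    "timers": {"unit_poll": 1000, "unit_hold": 3000, "if_poll": 5000, "if_hold": 25000},
}

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("fixed", FIXED_PLAN)):
        print(label, audit(plan) or "no issues")
```
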


Configuring Virtual MAC Addresses

The Configuration > Device Management > High Availability > MAC Addresses tab displays the virtual MAC addresses for the interfaces in an Active/Standby failover pair.

In Active/Standby failover, the MAC addresses for the primary ASA 1000V are always associated with the active IP addresses. If the secondary ASA 1000V boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary ASA 1000V comes online, the secondary ASA 1000V obtains the MAC addresses from the primary ASA 1000V. The change can disrupt network traffic.

You can configure virtual MAC addresses for each interface to ensure that the secondary ASA 1000V uses the correct MAC addresses when it is the active ASA 1000V, even if it comes online before the primary ASA 1000V. If you do not specify virtual MAC addresses, the failover pair uses the burned-in NIC addresses as the MAC addresses.


Note You cannot configure a virtual MAC address for the failover or Stateful Failover links. The MAC and IP addresses for those links do not change during failover.


To configure the virtual MAC address for an interface, perform the following steps:


Step 1 Open the Configuration > Device Management > High Availability > Failover > MAC Addresses tab.

Step 2 To edit an existing virtual MAC address entry, double-click the row for the interface whose MAC addresses you want to change. To add a new virtual MAC address entry, click Add.

The Add/Edit Interface MAC Address dialog box appears.

Step 3 Type the new MAC address for the active interface in the Active MAC Address field.

Step 4 Type the new MAC address for the standby interface in the Standby MAC Address field.

Step 5 Click OK.

Step 6 To delete a virtual MAC address entry, perform the following steps:

a. Click the interface to select the table row.

b. Click Delete.

c. Click OK.


Controlling Failover

This section describes how to control and monitor failover and includes the following topics:

Forcing Failover

Disabling Failover

Restoring a Failed ASA 1000V

Forcing Failover

To force the standby ASA 1000V to become active, perform the following steps:


Step 1 Choose Monitoring > Properties > Failover > Status.

Step 2 Click one of the following buttons:

Click Make Active to make the ASA 1000V the active ASA 1000V.

Click Make Standby to make the other ASA 1000V in the pair the active ASA 1000V.


Disabling Failover

To disable failover, perform the following steps:


Step 1 Choose Configuration > Device Management > High Availability > Failover.

Step 2 Uncheck the Enable Failover check box.


Restoring a Failed ASA 1000V

To restore a failed ASA 1000V to an unfailed state, perform the following steps:


Step 1 Choose Monitoring > Properties > Failover > Status.

Step 2 Click Reset Failover.


Monitoring Active/Standby Failover


Note After a failover event, you should either restart ASDM or switch to another device listed in the Devices pane, then return to the original ASA 1000V to continue monitoring the device. This action is necessary because the monitoring connection does not become re-established when ASDM is disconnected from and then reconnected to the device.


Choose Monitoring > Properties > Failover to monitor Active/Standby failover.

Feature History for Active/Standby Failover

Table 7-2 lists the release history for this feature.

Table 7-2 Feature History for Active/Standby Failover

| Feature Name | Releases | Feature Information |
|---|---|---|
| Failover support for the ASA 1000V | 8.7(1) | The interface assigned to active/standby failover pairs for the ASA 1000V is GigabitEthernet0/2. |