List are details for Failover triggers and Status of Firewalls

Failover triggers

In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:

  • The unit has a hardware failure.
  • The unit has a power failure.
  • The unit has a software failure.
  • The no failover active or the failover active command is entered in the system execution space.

Failover is triggered at the failover group level when one of the following events occurs:

  • Too many monitored interfaces in the group fail.
  • The no failover active group group_id or failover active group group_id command is entered

You configure the failover threshold for each failover group by specifying the number or percentage of interfaces within the failover group that must fail before the group fails. Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail

Failover Behavior for Active/Active Failover 

Failure Event
Active Group Action
Standby Group Action
A unit experiences a power or software failureFailoverBecome standby Mark as failedBecome active
Mark active as failed
When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.
Interface failure on active failover group above thresholdFailoverMark active group as failedBecome activeNone.
Interface failure on standby failover group above thresholdNo failoverNo actionMark standby group as failedWhen the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.
Formerly active failover group recoversNo failoverNo actionNo actionUnless configured with the preempt command, the failover groups remain active on their current unit.
Failover link failed at startupNo failoverBecome activeBecome activeIf the failover link is down at startup, both failover groups on both units become active.
Stateful Failover link failedNo failoverNo actionNo actionState information becomes out of date, and sessions are terminated if a failover occurs.
Failover link failed during operationNo failovern/an/aEach unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.

Determining Which Type of Failover to Use

The type of failover you choose depends upon your security appliance configuration and how you plan to use the security appliances.

If you are running the security appliance in single mode, then you can only use Active/Standby failover. Active/Active failover is only available to security appliances running in multiple context mode.

If you are running the security appliance in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover.

  • To provide load balancing, use Active/Active failover.
  • If you do not want to provide load balancing, use Active/Standby or Active/Active failover.

Failover Configuration Feature Support

Single Context ModeNoYes
Multiple Context ModeYesYes
Load Balancing Network ConfigurationsYesNo
Unit FailoverYesYes
Failover of Groups of ContextsYesNo
Failover of Individual ContextsNoNo

The security appliance supports two types of failover, regular and stateful. This section includes the following topics:

Regular Failover

Stateful Failover

Regular Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

NAT translation table.

TCP connection states.

UDP connection states.

The ARP table.

The Layer 2 bridge table (when running in transparent firewall mode).

The HTTP connection states (if HTTP replication is enabled).

The ISAKMP and IPSec SA table.

GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

The HTTP connection table (unless HTTP replication is enabled).

The user authentication (uauth) table.

The routing tables. After a failover occurs, some packets may be lost our routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.

State information for Security Service Modules.

DHCP server address leases.

L2TP over IPSec sessions


Failover Feature Support by Platform

Cable-Base FailoverLAN-Based FailoverStateful Failover
ASA 5505 series adaptive security applianceNoYesNo
ASA 5500 series adaptive security appliance (other than the ASA 5505)NoYesYes
PIX 500 series security applianceYesYesYes

ASA 5500 series adaptive security appliance failover times.

Failover Condition
Active unit loses power or stops normal operation.800 milliseconds15 seconds45 seconds
Active unit main board interface link down.500 milliseconds5 seconds15 seconds
Active unit 4GE card interface link down.2 seconds5 seconds15 seconds
Active unit IPS or CSC card fails.2 seconds2 seconds2 seconds
Active unit interface up, but connection problem causes interface testing.5 seconds25 seconds75 seconds