List are details for Failover triggers and Status of Firewalls
In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:
- The unit has a hardware failure.
- The unit has a power failure.
- The unit has a software failure.
- The no failover active or the failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
- Too many monitored interfaces in the group fail.
- The no failover active group group_id or failover active group group_id command is entered
You configure the failover threshold for each failover group by specifying the number or percentage of interfaces within the failover group that must fail before the group fails. Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, it is possible for all interfaces in a single context to fail without causing the associated failover group to fail
Failover Behavior for Active/Active Failover
|A unit experiences a power or software failure||Failover||Become standby Mark as failed||Become active
Mark active as failed
|When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit.|
|Interface failure on active failover group above threshold||Failover||Mark active group as failed||Become active||None.|
|Interface failure on standby failover group above threshold||No failover||No action||Mark standby group as failed||When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed.|
|Formerly active failover group recovers||No failover||No action||No action||Unless configured with the preempt command, the failover groups remain active on their current unit.|
|Failover link failed at startup||No failover||Become active||Become active||If the failover link is down at startup, both failover groups on both units become active.|
|Stateful Failover link failed||No failover||No action||No action||State information becomes out of date, and sessions are terminated if a failover occurs.|
|Failover link failed during operation||No failover||n/a||n/a||Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.|
Determining Which Type of Failover to Use
The type of failover you choose depends upon your security appliance configuration and how you plan to use the security appliances.
If you are running the security appliance in single mode, then you can only use Active/Standby failover. Active/Active failover is only available to security appliances running in multiple context mode.
If you are running the security appliance in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover.
- To provide load balancing, use Active/Active failover.
- If you do not want to provide load balancing, use Active/Standby or Active/Active failover.
Failover Configuration Feature Support
|Single Context Mode||No||Yes|
|Multiple Context Mode||Yes||Yes|
|Load Balancing Network Configurations||Yes||No|
|Failover of Groups of Contexts||Yes||No|
|Failover of Individual Contexts||No||No|
The security appliance supports two types of failover, regular and stateful. This section includes the following topics:
When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes the following:
•The Layer 2 bridge table (when running in transparent firewall mode).
•The HTTP connection states (if HTTP replication is enabled).
•The ISAKMP and IPSec SA table.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:
•The HTTP connection table (unless HTTP replication is enabled).
•The user authentication (uauth) table.
•The routing tables. After a failover occurs, some packets may be lost our routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
•State information for Security Service Modules.
Failover Feature Support by Platform
||Cable-Base Failover||LAN-Based Failover||Stateful Failover|
|ASA 5505 series adaptive security appliance||No||Yes||No|
|ASA 5500 series adaptive security appliance (other than the ASA 5505)||No||Yes||Yes|
|PIX 500 series security appliance||Yes||Yes||Yes|
ASA 5500 series adaptive security appliance failover times.