Details of failover triggers and the resulting status of the firewalls

Failover triggers

In Active/Active failover, failover can be triggered at the unit level if one of the following events occurs:

  • The unit has a hardware failure.
  • The unit has a power failure.
  • The unit has a software failure.
  • The no failover active or the failover active command is entered in the system execution space.

Failover is triggered at the failover group level when one of the following events occurs:

  • Too many monitored interfaces in the group fail.
  • The no failover active group group_id or failover active group group_id command is entered.

You configure the failover threshold for each failover group by specifying the number or percentage of monitored interfaces within the failover group that must fail before the group fails. Because a failover group can contain multiple contexts, and each context can contain multiple interfaces, all interfaces in a single context can fail without causing the associated failover group to fail: the threshold is counted across the whole group, not per context.
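The following ASA CLI fragment is an added configuration example, not text from the original page; it shows how the unit-level triggers and the per-group interface-failure threshold described above are configured in the system execution space. The interface names, addresses, context names and config-url paths are assumptions, and the interface and VLAN configuration of the subinterfaces is omitted.

```cisco
! Primary unit, system execution space (added example; names and addresses are assumed)
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
! Unit-level health check: poll the peer every 1 s, declare it failed after 15 s (the defaults)
failover polltime unit 1 holdtime 15
! Interface-level health check: poll every 5 s, start interface testing after 25 s without a reply (the defaults)
failover polltime interface 5 holdtime 25
!
! Group 1 fails over when 50% of its monitored interfaces are down;
! preempt returns the group to this unit when the unit recovers
failover group 1
  primary
  preempt
  interface-policy 50%
! Group 2 fails over as soon as one monitored interface is down
failover group 2
  secondary
  preempt
  interface-policy 1
!
! Each context joins one failover group; only interfaces monitored in the context
! (monitor-interface in the context configuration) count toward that group's threshold
context ctx1
  allocate-interface GigabitEthernet0/0.10 inside
  allocate-interface GigabitEthernet0/1.10 outside
  config-url disk0:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface GigabitEthernet0/0.20 inside
  allocate-interface GigabitEthernet0/1.20 outside
  config-url disk0:/ctx2.cfg
  join-failover-group 2
!
! Enable failover last, once the rest of the configuration is in place
failover
!
! Verification: unit state, per-group state and the monitored/failed interface counts
show failover
```

With this configuration, the group-level triggers from the list above can also be exercised by hand with `failover active group 1` or `no failover active group 1` in the system execution space, and `show failover` confirms which unit each group is active on.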

Failover Behavior for Active/Active Failover

| Failure Event | Policy | Active Group Action | Standby Group Action | Notes |
|---|---|---|---|---|
| A unit experiences a power or software failure | Failover | Become standby; mark as failed | Become active; mark active as failed | When a unit in a failover pair fails, any active failover groups on that unit are marked as failed and become active on the peer unit. |
| Interface failure on active failover group above threshold | Failover | Mark active group as failed | Become active | None. |
| Interface failure on standby failover group above threshold | No failover | No action | Mark standby group as failed | When the standby failover group is marked as failed, the active failover group does not attempt to fail over, even if the interface failure threshold is surpassed. |
| Formerly active failover group recovers | No failover | No action | No action | Unless configured with the preempt command, the failover groups remain active on their current unit. |
| Failover link failed at startup | No failover | Become active | Become active | If the failover link is down at startup, both failover groups on both units become active. |
| Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs. |
| Failover link failed during operation | No failover | n/a | n/a | Each unit marks the failover interface as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. |

Determining Which Type of Failover to Use

The type of failover you choose depends upon your security appliance configuration and how you plan to use the security appliances.

If you are running the security appliance in single mode, then you can only use Active/Standby failover. Active/Active failover is only available to security appliances running in multiple context mode.

If you are running the security appliance in multiple context mode, then you can configure either Active/Active failover or Active/Standby failover.

  • To provide load balancing, use Active/Active failover.
  • If you do not want to provide load balancing, use Active/Standby or Active/Active failover.

Failover Configuration Feature Support

| Feature | Active/Active | Active/Standby |
|---|---|---|
| Single Context Mode | No | Yes |
| Multiple Context Mode | Yes | Yes |
| Load Balancing Network Configurations | Yes | No |
| Unit Failover | Yes | Yes |
| Failover of Groups of Contexts | Yes | No |
| Failover of Individual Contexts | No | No |

The security appliance supports two types of failover, regular and stateful. This section includes the following topics:

  • Regular Failover
  • Stateful Failover

Regular Failover

When a failover occurs, all active connections are dropped. Clients need to reestablish connections when the new active unit takes over.

Stateful Failover

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

  • NAT translation table.
  • TCP connection states.
  • UDP connection states.
  • The ARP table.
  • The Layer 2 bridge table (when running in transparent firewall mode).
  • The HTTP connection states (if HTTP replication is enabled).
  • The ISAKMP and IPSec SA table.
  • GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

  • The HTTP connection table (unless HTTP replication is enabled).
  • The user authentication (uauth) table.
  • The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
  • State information for Security Service Modules.
  • DHCP server address leases.
  • L2TP over IPSec sessions.
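The following ASA CLI fragment is an added example, not part of the original page; it shows the Stateful Failover link and the per-group HTTP replication that determine which of the tables above are actually replicated. A dedicated interface for the state link, its name and its addresses are assumptions; the state link can instead share the failover link by naming that link's interface.

```cisco
! System execution space (added example; names and addresses are assumed)
! Dedicated Stateful Failover link, separate from the failover LAN link
failover link statelink GigabitEthernet0/3
failover interface ip statelink 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
! HTTP connection states are replicated only for groups with http replication enabled;
! without it, HTTP sessions are dropped at failover like regular failover connections
failover group 1
  replication http
!
! Verification: the "Stateful Failover Logical Update Statistics" section counts the
! per-table updates (xlate, TCP, UDP, ARP, ...) exchanged with the peer
show failover
```

If the statistics show no updates crossing the link, the state link is down or misaddressed, which matches the "Stateful Failover link failed" row of the behavior table: no failover is triggered, but the standby's state goes stale and sessions are lost at the next failover.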


Failover Feature Support by Platform

| Platform | Cable-Based Failover | LAN-Based Failover | Stateful Failover |
|---|---|---|---|
| ASA 5505 series adaptive security appliance | No | Yes | No |
| ASA 5500 series adaptive security appliance (other than the ASA 5505) | No | Yes | Yes |
| PIX 500 series security appliance | Yes | Yes | Yes |

ASA 5500 Series Adaptive Security Appliance Failover Times

| Failover Condition | Minimum | Default | Maximum |
|---|---|---|---|
| Active unit loses power or stops normal operation. | 800 milliseconds | 15 seconds | 45 seconds |
| Active unit main board interface link down. | 500 milliseconds | 5 seconds | 15 seconds |
| Active unit 4GE card interface link down. | 2 seconds | 5 seconds | 15 seconds |
| Active unit IPS or CSC card fails. | 2 seconds | 2 seconds | 2 seconds |
| Active unit interface up, but connection problem causes interface testing. | 5 seconds | 25 seconds | 75 seconds |