Failover in ASA

Hardware Requirements (both units must match) :

  1. Model number
  2. Number and type of interfaces
  3. RAM
  4. SSM (if any)
  5. Flash size may differ, but the unit with the smaller flash must have enough space for the software images and configuration files
  6. Same communication limits on both units

Software Requirements :

  1. Same major and minor software version (different patch/maintenance releases are tolerated, which is what makes zero-downtime upgrades possible)
  2. Same firewall mode (routed/transparent) and same context mode (single/multiple)
  3. License requirement : Below OS 8.3(1) both units must have identical licenses; from 8.3(1) onward the licenses of the two units are combined into a single failover cluster license, so the units no longer need matching licenses.

Failover Health Monitoring :

Unit Health Monitoring : Hello messages are exchanged over the failover link.

  • Note : Time between two hello packets – Hello (poll) time
  • Time without any hello packet before the peer is declared failed – Hold time
  • Default hello time – 1 sec and hold time – 15 sec (set with failover polltime unit; the hold time cannot be less than 3 times the poll time)
  • If three consecutive hello messages are not received on the failover link, the unit sends hello messages over all data interfaces (including the failover link) to test whether the peer is still alive.

Conditions for failover :

  • If a response is received on the failover link, the unit does not fail over.
  • If no response is received on the failover link but a response arrives on any other interface, the unit does not fail over; only the failover link is marked as failed.
  • If no response is received on any interface, the standby becomes active and classifies the peer unit as failed.
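The bootstrap configuration that sets up the failover link and the unit hello/hold timers described above, as an added example (not configuration from the original page). The interface names, the 10.0.255.0/30 addressing and the shared key are assumptions; adjust them to the environment.

```cisco
! Primary unit (assumed: GigabitEthernet0/2 as failover link, 10.0.255.0/30 addressing)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.0.255.1 255.255.255.252 standby 10.0.255.2
failover key Fail0verSharedSecret
! Hello every 1 second, peer declared failed after 15 seconds without hellos.
! These are the defaults, written out so the relationship is visible; the hold time
! cannot be less than 3 x the unit poll time.
failover polltime unit 1 holdtime 15
! Faster detection alternative (assumed values): 500 ms hellos, 3 s hold time.
! failover polltime unit msec 500 holdtime 3
interface GigabitEthernet0/2
 no shutdown
failover
!
! Secondary unit: only the bootstrap lines differ; the rest of the running config
! is replicated from the active unit once failover is enabled.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.0.255.1 255.255.255.252 standby 10.0.255.2
failover key Fail0verSharedSecret
interface GigabitEthernet0/2
 no shutdown
failover
!
! Verify on either unit: the peer should show "Standby Ready", and the configured
! poll/hold times appear in the output.
show failover
show failover state
```

The failover key is what authenticates and encrypts the hello and replication traffic between the units; without it a host on the failover VLAN could inject messages, so set it on both units before enabling failover.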

Interface health monitoring :

  • By default only physical interfaces are monitored; subinterfaces must be enabled explicitly with monitor-interface
  • Up to 250 interfaces can be monitored per unit
  • If no hello is received on a monitored interface for half of the interface hold time, the unit runs the following tests in order. The first test that succeeds stops the sequence and the interface stays up; the interface is marked failed only if every test fails.
  • Link Up/Down Test : If the link is up, go to the next test; if the link is down, the interface has failed.
  • Network Activity Test : Clear the Rx counters and wait (up to 5 seconds) for packets. If the Rx counter increments, the interface is operational; if not, go to the ARP test.
  • ARP Test : Take the two most recently learned ARP entries and send ARP requests to those hosts. If a reply is received, the interface is operational; if not, go to the broadcast ping test.
  • Broadcast Ping Test : Send a broadcast ping out of the interface. If any reply is received, the interface is operational; if not, the interface is marked as failed.
  • If the same tests fail on both units (for example the upstream switch is down), the interface is marked Unknown on both and does not count toward failover.
  • Interface Policy : The minimum number (or percentage) of monitored interfaces that must fail for the unit to be considered failed and failover to occur. The default is 1.
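Interface monitoring and interface policy configured explicitly, as an added example rather than configuration from the original page. The interface names (outside, inside, dmz, management) and the timer values are assumptions.

```cisco
! Interface poll/hold timers (assumed values; the defaults are 5 s poll and 25 s hold).
! The hold time cannot be less than 5 x the interface poll time. With a 10 s hold time,
! the link/activity/ARP/broadcast-ping test sequence starts after 5 s without hellos.
failover polltime interface 2 holdtime 10
! Monitor the interfaces whose loss should count toward failover. Physical interfaces
! are monitored by default; a subinterface such as the assumed dmz is not until enabled.
monitor-interface outside
monitor-interface inside
monitor-interface dmz
! A management interface that does not carry production traffic should not be able to
! trigger a switchover, so exclude it.
no monitor-interface management
! Declare the unit failed only when 2 monitored interfaces have failed (default is 1).
failover interface-policy 2
! Percentage form, e.g. half of the monitored interfaces:
! failover interface-policy 50%
!
! Verify which interfaces are monitored and their state (Normal, Testing, Failed, Unknown).
show monitor-interface
show failover | include Interface
```

Leave the policy at 1 only if every monitored interface is genuinely required for the unit to be useful; a policy of 1 combined with a monitored but lightly used interface is a common cause of surprise switchovers during switch maintenance.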

Replication on failover (stateful failover) :

Information Replicated :

  • NAT translation (xlate) table
  • ARP table entries
  • Layer 2 bridge (MAC address) table (transparent mode)
  • TCP/UDP connection table (so established sessions such as Telnet survive the switchover)
  • ISAKMP/IPsec security association (SA) database

Information not Replicated :

  • User authentication (uauth) table
  • DHCP server address leases
  • Phone proxy connections
  • SSM (security service module) state (till 8.3)
  • Dynamic routing protocol tables
  • HTTP connection table (not replicated by default, but can be enabled with failover replication http)
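A dedicated state link with HTTP replication enabled, as an added example (not configuration from the original page). The interface name, the 10.0.254.0/30 addressing and the choice of a separate physical link are assumptions.

```cisco
! Dedicated stateful failover link (assumed: GigabitEthernet0/3, 10.0.254.0/30).
! The state link may share the failover link, but a dedicated link keeps heavy
! connection replication from delaying the hello messages that decide failover.
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.0.254.1 255.255.255.252 standby 10.0.254.2
interface GigabitEthernet0/3
 no shutdown
! HTTP connections are not replicated by default because they are short-lived and
! numerous. Enable replication only if the state link can carry the extra update load.
failover replication http
!
! Verify that state updates are flowing: the "Stateful Failover Logical Update
! Statistics" section of show failover should show the xlate/tcp/udp/ARP counters
! increasing on the active unit, and show conn on the standby should list the same
! connections as the active unit.
show failover
show conn
```

The same ip line with the standby address must be present on both units, exactly as for the failover link; the state link carries the connection data above, so it belongs on an isolated segment between the two units rather than on a shared user VLAN.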
