
Version 4.1 - 5.1.i Failover options

After the last two thin sections, it's refreshing to have some more meat on the bone in this one. Some question about failover is likely to be on the exam.

The ASA supports two failover modes: Active/Active and Active/Standby. In Active/Standby, only the active unit passes traffic; the standby unit does not. You can use this mode in single or multiple context mode. Active/Active failover requires multiple context mode, and both ASAs can pass network traffic. You divide your contexts into 2 failover groups: one group is active on the first ASA and the other group is active on the second ASA.

Both failover modes support stateful or stateless failover.

Hardware requirements:
+ Same model
+ Same number and types of interfaces
+ Same modules installed (if any)
+ Same RAM installed

Software requirements:
+ Same firewall mode (routed or transparent)
+ Same context mode (single or multiple)

They must also have the same major and minor software version. However, you can temporarily use different versions of the software during an upgrade process. [Don't go too far apart in versions or it really won't work.]

There are two links to know: the failover link and the stateful failover link.

The failover link communicates the following information:
- The unit state (active/standby)
- Power status
- Hello messages
- Network link status
- MAC address exchange
- Configuration replication and synchronization

The stateful failover link is used to communicate state information.

The failover link is configured with "failover lan interface" and the stateful failover link uses "failover link" for its configuration.

"To allow HTTP connections to be included in the state information replication, you need to enable HTTP replication. Because HTTP connections are typically short-lived, and because HTTP clients typically retry failed connection attempts, HTTP connections are not automatically included in the replicated state information."

failover replication http

Active/Standby Failover Configuration Steps (note: steps are fertile ground for drag-and-drop questions)

1. Select the failover link
2. Assign failover IP addresses
3. Set the failover key (optional)
4. Designate the primary appliance
5. Enable the stateful failover (optional)
6. Enable failover globally
7. Configure failover on the secondary appliance
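
The seven Active/Standby steps above as ASA CLI, as an added example that is not part of the original notes. The physical interfaces, the link names FOLINK and STATELINK, the 192.0.2.x addresses and the key are constructed placeholders.

```cisco
! ===== Primary unit =====
! The physical ports used for the links must be up and carry no nameif.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Step 1: select the failover link
failover lan interface FOLINK GigabitEthernet0/2
! Step 2: assign failover IP addresses (active address first, then standby)
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Step 3: set the failover key (optional). Without a key, everything sent
! over the failover links, replicated configuration included, is clear text.
failover key EXAMPLE-KEY-REPLACE-ME
! Step 4: designate the primary appliance
failover lan unit primary
! Step 5: enable stateful failover (optional), plus HTTP state replication
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.0.2.5 255.255.255.252 standby 192.0.2.6
failover replication http
! Step 6: enable failover globally
failover
!
! ===== Secondary unit (step 7) =====
! Only the failover link is bootstrapped here; the rest of the configuration
! is replicated from the active unit once the two peers can talk.
interface GigabitEthernet0/2
 no shutdown
failover lan interface FOLINK GigabitEthernet0/2
! Same command as on the primary: the addresses are NOT swapped.
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key EXAMPLE-KEY-REPLACE-ME
failover lan unit secondary
failover
```

Afterwards, "show failover" on either unit confirms which one is active and whether the peer has been detected.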

Active/Active Failover Steps

1. Select the failover link
2. Assign failover interface IP addresses
3. Set the failover key (optional)
4. Designate the primary appliance
5. Enable the stateful failover (optional)
6. Set up failover groups
7. Assign failover-group membership
8. Assign interface IP addresses
9. Set up asymmetric routing (optional)
10. Enable failover globally
11. Configure failover on the secondary appliance

Note that ASDM has a wizard for this: the HA/Scalability Wizard.

One last thing about failover - you're going to want to know this command:
asa(config)# prompt hostname context priority state

In the lab and IRL, you want this displayed so you know which device you're using at a glance.

