Active/Active And Active/Standby Failover - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Understanding Failover

Active/Active and Active/Standby Failover

This section describes each failover configuration in detail. This section includes the following topics:
- Active/Standby Failover
- Active/Active Failover
- Determining Which Type of Failover to Use

Active/Standby Failover

This section describes Active/Standby failover and includes the following topics:
- Active/Standby Failover Overview
- Primary/Secondary Status and Active/Standby Status
- Device Initialization and Configuration Synchronization
- Command Replication
- Failover Triggers
- Failover Actions

Active/Standby Failover Overview

Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Note: For multiple context mode, the security appliance can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.

Primary/Secondary Status and Active/Standby Status

The main differences between the two units in a failover pair are related to which unit is active and which unit is standby, namely which IP addresses to use and which unit actively passes traffic.

However, a few differences exist between the units based on which unit is primary (as specified in the configuration) and which unit is secondary:
- The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).
- The primary unit MAC addresses are always coupled with the active IP addresses. The exception to this rule occurs when the secondary unit is active, and cannot obtain the primary unit MAC addresses over the failover link. In this case, the secondary unit MAC addresses are used.

Cisco Security Appliance Command Line Configuration Guide, Chapter 14: Configuring Failover, OL-10088-01, page 14-6
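The address rules in the Primary/Secondary Status section can be modeled directly. The following Python model is an added example, not code from the Cisco guide; the Unit class, the function names, and the IP and MAC values are constructed for illustration. It shows that the IP-to-MAC pairing seen by the network is the same before and after a failover, and changes only in the exception where the active secondary unit cannot obtain the primary unit MAC addresses.

```python
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not from the manual.
ACTIVE_IP, STANDBY_IP = "192.0.2.1", "192.0.2.2"

@dataclass
class Unit:
    role: str                # "primary" or "secondary", fixed by configuration
    mac: str                 # the unit's own MAC address
    state: str = "standby"   # "active" or "standby", changes at failover

def boot_together(primary, secondary):
    """Both units start at the same time with equal health: primary goes active."""
    primary.state, secondary.state = "active", "standby"

def fail_over(primary, secondary):
    """The active unit fails: the two units swap active/standby state."""
    primary.state, secondary.state = secondary.state, primary.state

def arp_view(primary, secondary, primary_mac_learned=True):
    """Return the IP -> MAC pairing that the rest of the network sees."""
    if secondary.state == "active" and not primary_mac_learned:
        # Documented exception: the active IP is served with the secondary MAC.
        # The section does not say what the primary uses here, so it is omitted.
        return {ACTIVE_IP: secondary.mac}
    # Normal rule: active IP <-> primary MAC, standby IP <-> secondary MAC,
    # regardless of which physical unit currently holds the active state.
    return {ACTIVE_IP: primary.mac, STANDBY_IP: secondary.mac}

def owner(primary, secondary, ip):
    """Role of the physical unit that currently answers for this IP."""
    active = primary if primary.state == "active" else secondary
    standby = secondary if active is primary else primary
    return (active if ip == ACTIVE_IP else standby).role

def demo():
    pri = Unit("primary", "00:00:5e:00:53:01")     # constructed MACs
    sec = Unit("secondary", "00:00:5e:00:53:02")
    boot_together(pri, sec)
    before = arp_view(pri, sec), owner(pri, sec, ACTIVE_IP)
    fail_over(pri, sec)
    after = arp_view(pri, sec), owner(pri, sec, ACTIVE_IP)
    exception = arp_view(pri, sec, primary_mac_learned=False)
    return before, after, exception

if __name__ == "__main__":
    for label, value in zip(("before", "after", "exception"), demo()):
        print(label, value)
```

In the exception case the active IP address appears with a different MAC address, so ARP monitoring on adjacent devices will register a change that a normal failover does not produce.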

This manual is also suitable for: Pix 500 series, Cisco asa 5500 series