High Availability in ASA

If you have deployed the ASA firewall in your network, and your network needs to be available 24/7, then you need to consider the high availability option in ASA.

So, what is High Availability (HA) in ASA?

If the network has a single ASA and that ASA goes down for some reason, there will be a complete outage in your network, which means financial loss depending on how long the ASA remains down. To avoid this single point of failure, we can deploy two ASAs in HA mode. The ASAs can be configured in either of the two HA modes mentioned below.

  1. Active/Standby Mode: In this mode, only one ASA (the active unit) delivers all the traffic, while the other ASA sits idle as the standby unit and waits to take over the active role. Hence the name Active/Standby mode.
  2. Active/Active Mode: In this mode, both ASAs deliver traffic, which means both ASAs are in Active mode.

Active/Standby Mode:

We need two identical ASA firewalls (same hardware model and same software version) to configure them in HA. We first need console access to both firewalls to configure the HA-related commands. Once both units are in HA, we configure all other commands from the Active unit only. If we try to configure from the standby unit, it throws a warning that “configuration will not be saved in standby unit”.

Terminologies used in HA configuration:

  • Primary and Secondary Firewall: While configuring HA, we configure one firewall as Primary (failover lan unit primary) and the other firewall as Secondary (failover lan unit secondary).
  • Active and Standby Firewall: A firewall can be in either the active or the standby state. When we configure HA for the first time, the primary unit becomes the active firewall and the secondary unit becomes the standby unit. When the active unit fails, the secondary becomes the new active unit, and if the primary comes back up after the failure, it becomes the standby unit. As you can see, the active/standby state changes with the situation, whereas primary and secondary are fixed by the firewall configuration.
  • LAN failover link: The LAN failover link is a dedicated connection between the two firewalls, used to replicate (sync) the configuration from the active unit to the secondary. This link is also used to exchange keep-alive/hello messages, unit state and network link state (up/down) between the two units.
  • Stateful failover link:
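Putting the terms listed above together, here is an added example of a minimal Active/Standby pair (my own illustration, not a configuration from the original post). The interface names, the FOLINK name, the addresses and the shared key are assumptions; in this layout one dedicated link carries both the LAN failover traffic and the stateful failover traffic.

```text
! Primary unit (entered on its console)
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! without a key the replicated configuration crosses the link in clear text
failover key <shared-secret>
failover
!
! Data interfaces carry an active and a standby address; the active unit
! always owns the first address, so hosts see no change after a failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! Secondary unit (entered on its console) - only the failover block is
! needed here; everything else is replicated from the active unit
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key <shared-secret>
failover
!
! Verify from either console: role (Primary/Secondary) and state
! (Active/Standby Ready) of both units are reported
show failover
```

Note that both units are given the same `failover interface ip` line (primary address plus standby address); the unit roles differ only in the `failover lan unit` command.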