https://community.cisco.com/t5/network-security/asa-failover/m-p/3214231#M1021124 <P>I don't have a diagram, sorry!&nbsp;</P> <P>&nbsp;</P> <P>Hmm, that's what I thought but I got confused by this post <A href="https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068&nbsp;" target="_blank">https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068&nbsp;</A></P> <P>&nbsp;</P> <P>So, if there are no monitoring, tracking, or policy configured on the ASAs and one of the interfaces on the active FW were to fail, the firewalls will not failover?&nbsp;</P> <P>&nbsp;</P> <P>Best, ~zK&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 09 Nov 2017 22:13:31 GMT zekebashi 2017-11-09T22:13:31Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214123#M1021104 <P>Hello,&nbsp;</P> <P>&nbsp;</P> <P>I have a pair of ASR1002s&nbsp; configured with HSRP. These ASRs are not physically connected. Each ASR has an active Internet &amp; WAN link to the same ISP.&nbsp; Each ASR connects to a&nbsp; L2 downstream switch and each switch connects to an ASA. The ASAs are configured with Failover.&nbsp;HSRP is configured on the link connected to the ISP and another HSRP configured for the link connected to the L2 switches.</P> <P>There no tracking nor SLA configured on the ASAs.&nbsp;</P> <P>&nbsp;</P> <P>Primary ASR ----- ISP&nbsp;</P> <P>Primary ASR ---- L2 switch&nbsp;</P> <P>L2 switch ------ Primary ASR&nbsp;</P> <P>L2 switch ------ Primary ASA&nbsp;</P> <P>&nbsp;</P> <P>Primary ASA --FO--- Standby ASA</P> <P>Primary ASA --- L2 switch&nbsp;</P> <P>&nbsp;</P> <P>Standby&nbsp;ASR ----- ISP&nbsp;</P> <P>Standby&nbsp;ASR ---- L2 switch&nbsp;</P> <P>L2 switch ------ Standby ASR&nbsp;</P> <P>L2 switch ------ Standby ASA&nbsp;</P> <P>&nbsp;</P> <P>Standby ASA --FO--- Primary&nbsp; ASA</P> <P>Standby&nbsp; ASA --- L2 switch&nbsp;</P> <P>&nbsp;</P> <P>My question is, if the primary/active ASR were to fail,&nbsp; will the standby ASA become the active firewall? I am thinking that since the ISP will be using the HSRP VIP to forward traffic to the standby ASR so traffic will be flowing through the standby ASR downstream to L2 switch and standby ASA!&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance.&nbsp;</P> <P>~zK&nbsp;</P> Fri, 21 Feb 2020 14:42:40 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214123#M1021104 zekebashi 2020-02-21T14:42:40Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214170#M1021115 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/302926">@zekebashi</a></P> <P>&nbsp;If you could provide a simple draw about the topology would be easier. But, the answer is no. Firewall will not failover due change on the HSRP.&nbsp;</P> <P>&nbsp;What trigger ASA failover is a problem on the Primary ASA or if the link between then drops and keep alive stops.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Thu, 09 Nov 2017 20:16:32 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214170#M1021115 Flavio Miranda 2017-11-09T20:16:32Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214231#M1021124 <P>I don't have a diagram, sorry!&nbsp;</P> <P>&nbsp;</P> <P>Hmm, that's what I thought but I got confused by this post <A href="https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068&nbsp;" target="_blank">https://supportforums.cisco.com/t5/firewalling/best-practice-for-asa-active-standby-failover/td-p/2565068&nbsp;</A></P> <P>&nbsp;</P> <P>So, if there are no monitoring, tracking, or policy configured on the ASAs and one of the interfaces on the active FW were to fail, the firewalls will not failover?&nbsp;</P> <P>&nbsp;</P> <P>Best, ~zK&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 09 Nov 2017 22:13:31 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214231#M1021124 zekebashi 2017-11-09T22:13:31Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214234#M1021131 <P>Hi,<BR /><BR />That is correct, you need at least have monitoring on interface for the failover to happen in ASA.<BR />Cant see the link, it seems to be broken for me.</P> <P><BR />br, Micke</P> Thu, 09 Nov 2017 22:20:45 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214234#M1021131 mikael.lahtela 2017-11-09T22:20:45Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214239#M1021141 Failover Triggers<BR />The unit can fail if one of the following events occurs:<BR />• The unit has a hardware failure or a power failure.<BR />• The unit has a software failure.<BR />• Too many monitored interfaces fail.<BR />• The no failover active command is entered on the active unit or the failover active command is<BR />entered on the standby unit.<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.pdf</A><BR /><BR />br, Micke Thu, 09 Nov 2017 22:24:34 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214239#M1021141 mikael.lahtela 2017-11-09T22:24:34Z https://community.cisco.com/t5/network-security/asa-failover/m-p/3214240#M1021153 <P>That clears the confusion.&nbsp;Thank you!&nbsp;</P> <P>&nbsp;</P> <P>Best, ~zK&nbsp;</P> Thu, 09 Nov 2017 22:25:45 GMT https://community.cisco.com/t5/network-security/asa-failover/m-p/3214240#M1021153 zekebashi 2017-11-09T22:25:45Z