topic Re: Link:- http://www.cisco.com/c in Network Security

cisco asa HA failover link

secureIT — Tue, 12 Mar 2019 05:13:59 GMT

Hi,

I have one interface Eth2 for failover link (statless) and another interface Eth3 stateful failover.

If I remove the failover link Eth2 OR stateful lin Eth3 from Active firewall, will it failover to Standby ?

From the cisco document, i read that, failover will not happpen if failover messages are coming from other interfaces..

Is is true ?? pls confirm.

Have you seen situations, where failover link causes failover to happen ??

In this situation, failover

Karsten Iwen — Mon, 15 Dec 2014 14:50:52 GMT

In this situation, failover should not happen because the standby ASA is not connected to the network in a better way than the active ASA. But: If the failover link fails, you could end up in split-brain situations where both ASAs get active. Thats the reason this link is sometimes configured as redundant interfaces to make this important link more reliable.

Link:- http://www.cisco.com/c

secureIT — Mon, 15 Dec 2014 17:31:22 GMT

Link:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_overview.html

The ASA determines the health of the other unit by monitoring the failover link. When a unit does not receive 3 consecutive hello messages on the failover link, the unit sends interface hello messages on each interface, including the failover interface, to validate whether or not the peer interface is responsive. The action that the ASA takes depends upon the response from the other unit. See the following possible actions:

-- If the ASA receives a response on the failover interface, then it does not fail over.

-- If the ASA does not receive a response on the failover link, but it does receive a response on another interface, then the unit does not failover. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.

This says that, even if the failover link goes down, the failover will not happen because the failover messages can be received on the other interfaces like inside and outside.

Can you please clarify on this...With Gns3, both are becoming Active, but as per Cisco, it should not.!!!!!

Please mark this threas as

secureIT — Tue, 16 Dec 2014 06:40:48 GMT

Please mark this threas as resolved.

Here is the explanation for my doubt..

Failover Behavior
Failure Event	Policy	Active Action	Standby Action	Notes
Failover link failed during operation	No failover	Mark failover interface as failed	Mark failover interface as failed	You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failover link failed at startup	No failover	Mark failover interface as failed	Become active	If the failover link is down at startup, both units become active.
Stateful Failover link failed	No failover	No action	No action	State information becomes out of date, and sessions are terminated if a failover occurs

Hi karsten,

Pranav Gade — Wed, 04 Nov 2015 05:20:35 GMT

Hi karsten,

One question so if failover link fails it will not trigger failover and both asa will go in active active state. If this happen then what will be behaviour of asa? Connection will intrupt?

Thanks in advance

Re: Link:- http://www.cisco.com/c

vaishar3 — Mon, 13 Jan 2020 14:28:39 GMT

Hi Rajesh,

There is a catch here.

1.If you only have standby ip address configured for failover interface and no standby ip address for any other data interface,as soon as the fail over link goes down,both units will be active and it would be SPLIT BRAIN.

2.In case you have standby ip addresses configured for all other data interfaces as well apart from failover link,the failover would not happen and the primary unit would still retain the active role.

Hope this helps.