topic ASA – Line Protocol status and Failover in Network Security

ASA – Line Protocol status and Failover

Cody Ridge — Mon, 11 Mar 2019 19:38:26 GMT

Hello,

I am looking for some confirmation on the conditions that will produce ASA failover in an Active/Standby configuration. Primarily, what changes in the Line Protocol status of the monitored interface on the Active ASA will force a failover to the Standby ASA?

In the attached diagram I have 2 ASAs connected to 2 Routers

My questions are as follows:

If the Primary Router loses power and/or fails, will the Primary Active ASA failover to the Secondary Standby ASA?

If the cable is unplugged from the FE1 port on the Primary router, will the Primary Active ASA failover to the Secondary Standby ASA?

If the FE1 port on the Primary Router fails, will the Primary Active ASA failover to the Secondary Standby ASA?

Thank you for your assistance.

Re: ASA – Line Protocol status and Failover

Jennifer Halim — Fri, 21 Jan 2011 16:49:27 GMT

ASA failover uses keepalive between the ASA interfaces to failover from active to standby firewall.

It is actually monitoring the ASA interfaces, not the other device interfaces.

Base on your diagram, I am assuming that the ASA and the router fe1 interfaces are connected via switch.

To answer your question:

1) If the primary router is down, the ASA will not failover to the standby firewall. As it is not monitoring the interfaces of other devices connected in the same subnet.

2) If the router fe1 is connected to a switch, and if it's unplugged, no, the ASA will not failover from active to standby. Same reason as above.

3) Similarly, if the router fe1 fails, again, the ASA will not failover for the same reason as above.

The answer to all your questions is NO. This is assuming that they are all connected to a switch, not directly connected to each other.

The ASA failover will be triggered if the ASA is down, if the ASA interface is unplugged from the firewall and if the ASA interface fails and it can no longer receive or ack on the failover keepalive.

Hope that answers your question.

Re: ASA – Line Protocol status and Failover

Cody Ridge — Fri, 21 Jan 2011 17:11:56 GMT

Thank you Jennifer,

The primary ASA and primary Router will actually be directly connected.

No physical switches will be between the ASAs and routers.

o1 int on primary ASA will connect to FE1 switchport on the primary router.

Once connected the interface status on the primary ASA will be "Interface Ethernet0 "xx", is up, line protocol is up"

If the cable is unplugged from FE1 on the primary router, will the ASA interface status change to "line protocol is down"?

If the interface line protocol is down, will the primary ASA failover to the secondary ASA?

Re: ASA – Line Protocol status and Failover

Jennifer Halim — Sat, 22 Jan 2011 17:24:51 GMT

If the router fails, if they are directly connected to the ASA, it should show that the ASA interface which is connected to the router is also failing, hence, the failover will take place.

If the router interface is unplugged and down, and if they are directly connected, it will also show that the ASA line protocol is down, hence triggers the failover.

Here is how ASA is checking the interface failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1079057

Hope that helps.