ASA 5500 WAN failover MPLS/Internet using dual ASAs


I am putting together a solution for a client. The client has an MPLS circuit and Internet as a backup circuit. I understand that we can do WAN failover using an ASA5510 appliance. Now, if I am adding dual ASA5510s in active/standby mode, how do I automatically fail over the WAN circuits to the standby firewall if both the MPLS and Internet circuits are connecting to the primary ASA5510? Should I connect the MPLS circuit to ASA1 and the Internet circuit to ASA2? Ideally, I want both circuits to connect to the primary ASA5510 for automatic WAN failover. My concern is, if the primary ASA5510 fails, which has the WAN and Internet circuits connected, do I need to manually switch the connection from primary to standby? The goal is to fully automate WAN failover and ASA failover.

Any urgent response will be greatly appreciated.


Shrikant Sundaresh
Cisco Employee

Hi Mustafa,

In a Failover setup, you would have the internet terminating on both the ASAs. In your case, the MPLS circuit and the internet should both terminate on both the ASAs.

Now consider that you have set up WAN failover, with Internet as backup. When the MPLS fails, you don't want the ASA failover to trigger.

So the MPLS interface should be exempted from the interfaces which are monitored for failover.

Hope this helps.


Thanks a lot for your explanation. The client is only interested in investing in a single MPLS and Internet circuit, so I will not have separate Internet and MPLS circuits terminating on the secondary ASA. Can I add a layer 3 switch, terminate both ASAs on the L3 switch, and have the L3 switch do routing based on the ASA state?


The concept is very basic. You are going to have two WAN links on one ASA; per WAN interface, you will need to have a secondary IP.

If the primary unit fails because of a hardware/software issue (interface, software crash), failover is going to be triggered. If the tracked object on the ASA fails to respond to a request, the backup default gateway is going to take effect without having the units fail over.

Only if there is a hardware/software problem or a connectivity issue between the units are they going to fail over. Only if the tracked object fails to reply to the ICMP echo request is the SLA going to be triggered and the backup default gateway going to take over.

The supported scenario for failover is the one that appears in the Cisco white papers:

If you have further queries, let us know.
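The two answers above describe three pieces that have to fit together: a standby IP on every interface so the standby unit can take over the addresses, an SLA-tracked default route so that losing the MPLS path swings traffic to the Internet circuit without a unit failover, and exemption of the MPLS interface from failover interface monitoring so that an MPLS outage does not trigger a unit failover. The following ASA configuration is an added example written for this thread, not configuration posted by either responder or taken from a Cisco document. It assumes each WAN circuit hands off to a small switch that both ASAs connect to (so the circuits physically reach both units, as the first answer requires), and the interface names, addresses (RFC 5737 documentation ranges), SLA and track numbers, and the failover link name FOLINK are all illustrative choices.

```cisco
! Assumed topology (illustrative, not from the thread):
!   Gi0/0 "outside" -> switch -> Internet router 203.0.113.1
!   Gi0/1 "mpls"    -> switch -> MPLS CE router 198.51.100.1
!   Gi0/2 "inside"  -> LAN
!   Gi0/3 "FOLINK"  -> dedicated failover/stateful link between the two ASAs
!
! Every interface gets an active address and a standby address; on a unit
! failover the active addresses (and MACs) move to the surviving unit, so
! the WAN routers never see a next-hop change.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 no shutdown
interface GigabitEthernet0/1
 nameif mpls
 security-level 0
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
 no shutdown
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! SLA monitor: ICMP echo to the MPLS CE router out of the mpls interface.
! Three lost probes in a row mark the tracked object down.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface mpls
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route via MPLS is withdrawn while track 1 is down;
! the floating route via the Internet (AD 254) then becomes the default.
! No unit failover is involved in this path switch.
route mpls 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Active/standby failover (this is the primary unit; the secondary unit
! uses "failover lan unit secondary" and otherwise identical settings).
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover key <shared-key>
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Monitor outside and inside for unit failover, but NOT mpls: an MPLS
! outage is handled by the SLA/backup route above, not by a unit switch.
monitor-interface outside
monitor-interface inside
no monitor-interface mpls
failover
```

With this in place, an MPLS circuit loss shows up as `track 1` going down (`show track 1`, `show sla monitor operational-state 10`) and the default route flipping to `outside` (`show route`), while the unit stays active. A failure of the primary unit itself shows up only in `show failover`, because the active addresses move to the secondary unit as the second answer describes. The `failover` command is deliberately the last line so that the unit does not try to pair before the link, key and interface addresses exist.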



My only concern is how the WAN/Internet circuits will move over to the failover firewall automatically if the WAN connections are connected to the primary firewall only. I understood the concept of failover but am not sure how the circuits will fail over to the secondary firewall.

If you get the failover concept, you know that the active IPs are going to be passed to the secondary unit and the standby IPs are going to the primary unit, so basically you will not be able to tell when a failover happened until you do a show failover.

If you have any questions, let me know.


