Showing results for 
Search instead for 
Did you mean: 

Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

Community Manager
Community Manager

Read the bioWith Prashanth Goutham R.


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 


Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.


Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.

Remember to use the rating system to let Prashanth know if you have received an adequate response. 


Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

40 Replies 40

John Ventura
Community Manager
Community Manager

Hello Prashanth,

I have a quick question for you. Why it is recommended to have a switch in-between the Firewall pairs and not connect them directly though its going to work fine anyway?

thanks a lot,

- John

Hello John,

I believe you are talking about the Failover Lan Interface connectivity which can be of two types:

--- Back to Back.

--- With Intermediary Switch

I would say the second option is better as its easy to segment and isolate faults on a Production Network. Consider the below scenario:

Your firewalls are connected back to back with a crossover cable and you have a live firewall and you start experiencing failover related issues on your FO lan port. What would you do to determine if its a cable or a Firewall Interface issue and if an Interface issue which Interface? Cause if one Interface goes down it pulls down the Peer interface as well to line protocol down. This is tricky you would need to manually test all the components seperately using another directly connected device to see which component is faulty or replace all units to restore services.

In case of the second option we can clearly eliminate as the switch is inbetween. I think its also explained in the configuration guide here:

When  you use a crossover cable for the LAN failover link, if the LAN  interface fails, the link is brought down on both peers. This condition  may hamper troubleshooting efforts because you cannot easily determine  which interface failed and caused the link to come down.

Hope that helps. Have a good day !

Thanks Prashanth for detailed info.


Hello Prashanth,

please can you check/confirm if using a Cisco ASA Active/Standby clustering enviroment the SELF SIGNED GENERATED certificate used for SSL VPN remote access are replicated or NOT on the STANDBY unit ?

On the following doc there's indicate "the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated but testing on lab with version 8.4.4 the result is different: the self signed certificate of the active asa is replicated on the standby.

Q. Are digital certificates replicated in a  Active/Standby configuration?

A. Yes. Third-party digital certificates (ie. from Entrust, Verisign, Microdoft,etc)  that are installed on the Active ASA are replicated to the Standby ASA in an active/standby config.

However, the ASA's Local/onboard CA-generated certificates (used for SSL VPN remote access) are not replicated.

Hello Roberto,

The document is absolutely right the Certificates on the ASA get replicated with Bulk replication only and these are 3rd party certificates only and not the locally generated certificates which i have checked in previous versions. However i have not played around much on 8.4.4 which was just released and i dont have a reason to believe that it works differently on 8.4.4, i can check this up for you once i get into office in the morning.

Can you let me know the license you are on Active/Active or Active/Standby Failover ? Also what are the steps you took to test this and how sure are you that this was not exported to the other firewall ? Just to add i would assume the purpose of Self signed Certificate to be unique to each of the ASA's.