Hi Karsten,

Thanks for the answer, the problem is that, WAN interfaces share the same IPs on both firewalls. So will it not be a conflict. There is not Standby IP in this case.

If you have a working HA-setup. they should not share the IP. And if it's working, it's likely that they don't. But if you haven't configured standby IPs, then you probably don't have a HA-setup.

Can you share the output of "show failover"?

On my LAN (Inside Interface) IP address is configured with standby IP however not in case of WAN interface.

its like this for FW 1 and same for FW 2

interface Ethernet0/0
nameif outside-1
security-level 0
ip address 120.138.145.1 255.255.255.240
!
interface Ethernet0/1
nameif inside-lan
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

output to sh fail-over is 

sharing limited info:

This host: Primary - Active
Active time: 10836994 (sec)
Interface outside-1 (120.138.145.1): Normal (Not-Monitored)
Interface inside-lan (192.168.1.1): Normal (Monitored)
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 1057874 (sec)
Interface outside-1 (0.0.0.0): Normal (Not-Monitored)
Interface inside-lan (192.168.1.2): Normal (Monitored)
slot 1: empty

Ok, that's fine. In your setup, the secondary ASA only uses the public IP when it gets active but not while in standby. The config is synced by the active ASA to the standby ASA which means they have to look the same when you do a show run. But that doesn't show you which IP is actually used. The actual IP is shown in the "show failover". There you see that the standby ASA has an IP of 0.0.0.0 which means no ip.

Do you have a spare IP in your outside network? Then you should assign it to the standby ASA by changing the interface-config on the active ASA to:

interface Ethernet0/0
 ip address 120.138.145.1 255.255.255.240 standby 120.138.145.x

Thanks Karsten. Problem is that i dont have any further more spare IPs available to give as standby.  So, if i will not give the Standby IP will i face any issue in HA failover?

Thanks man. But tell me, if in case switch is up and my ISP link is going down which is terminating on the same switch. Still my those Ports are up which are between switch and firewalls. State of the firewall interface will not change in that case. Correct? Then what will happen to failover?

Right, for this scenario you have to configure "ip sla" to track an IP on the internet and change your routes based on this.

I have two default routes on which primary route have Track configured already icmpecho to PE IP.

So fail-over scenarios will be like this:

1. ISP 1 is down, FW1 will use ISP 2 for reaching out to internet but no HA fail over will take place because Outside Interface of ISP 1 on FW is still UP .
2. If switch 1 is down then only fail over to FW 2 will take place.

And if this is the correct scenario does that means ISP link down will not trigger FW2 to takeover the role of primary? 

Or are you suggesting me to track the interface as well?

Failover will only happen when the standby ASA is connected to the network in a better way then the active ASA.

If Switch1 fails, then ASA 1 will switch over to the secondary ISP but no ASA failover will happen because the standby ASA has no better connection to the network then the active ASA.

Ah great Answer. Because if Switch 1 will fail that means each port on both firewalls will go down and still FW 1 will stay as primary. 

So in that case if we want role change of firewall due to WAN issue, what can be possible scenario?

That is a scenario that is not addressed by HA as both ASAs are equally connected to both providers. In this case you have to change your routing manually to use the second ISP while the first has problems. That is always handled by the active ASA.

Ok, but in case of LAN Inside interface failure? HA will take place . Correct?