Cisco ASA Active/Active Failover Configuration

Active/Active failover is only available to security appliances in multiple context mode. In an Active/Active failover configuration, both security appliances can pass network traffic.

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
We have already seen the configuration for Active/Standby failover in the previous article. This article focuses on how to configure an Active/Active Failover configuration on ASA Security Appliance.

Network Diagram 
(Physical Topology)
Active/Active Failover Physical Network Diagram
(Logical Topology)
Active/Active Failover Logical Network Diagram

You can download the GNS3 lab for this scenario from here
ASA Active-Active Failover.rar

Now let's dive into the configuration. To configure ASA Security Appliance for Active/Active Failover, first you need change the firewall mode to 'multiple' and configure contexts.

! Enable auto generation of mac-address for shared physical interfaces

mac-address auto

! enable the physical interfaces

interface GigabitEthernet0
no shutdown
interface GigabitEthernet1
no shutdown
interface GigabitEthernet2
no shutdown

! Create and configure the contexts

context CTX-1
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  config-url disk0:/CTX-1
context CTX-2
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet2
  config-url disk0:/CTX-2

Starting on the unit that will be the primary, and with multiple mode and context already in place.


! Enable automatic assignment of private MAC address to each shared context interface

mac-address auto

! Create the first of the two failover groups

ASA1(config)# failover group 1

! Tell the failover system that the primary unit should be
! active for any contexts in this "failover group #1"

ASA1(config-fover-group)# primary

! Optionally, tell the system to take over the active role
! 2 minutes after a reboot by the primary unit for this group.

ASA1(config-fover-group)# preempt 120

! Do the same for failover group #2

ASA1(config)# failover group 2

! Tell the failover system that the secondary unit should be
! active for any contexts in this "failover group #2"
ASA1(config-fover-group)# secondary

! Request a preempt 2 minutes after reboot by the secondary unit for this group

ASA1(config-fover-group)# preempt 120

! By default all the contexts belongs to failover group 1.
! Tell the system that each of the contexts are assigned
! to 1 of the 2 failover groups

ASA1(config)# context CTX-1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX-2
ASA1(config-ctx)# join-failover-group 2

! Tell this physical box its "priority" or title (Primary or secondary).
! This priority (name) never changes for this physical unit

ASA1(config)# failover lan unit primary

! prepare the failover interfaces (the LAN fail and stateful link)

ASA1(config)# interface GigabitEthernet3
ASA1(config-if)# no shutdown
ASA1(config)# interface GigabitEthernet4
ASA1(config-if)# no shutdown

! configure the names and IP addresses for the 2 failover connections

ASA1(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA1(config)# failover link LINK_FAIL GigabitEthernet4
ASA1(config)# failover interface ip LAN_FAIL standby
ASA1(config)# failover interface ip LINK_FAIL standby

! set the prompt to include which context (if any) we are working in.
! Currently we are in the  "system" (top level) configuration area.

prompt hostname context

! change from the system execution space to the context CTX-1 in order to add the standby addresses

changeto context CTX-1

! Configure context interfacees

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address standby
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address standby
! Configure a default route for outgoing traffic
route OUTSIDE 1

  ! Change from CTX-1 and move to the context of CTX-2 in order to do the interfac configuration of that virtual firewall

changeto context CTX-2

interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address standby
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address standby 10.0.0.

! Configure a default route for outgoing traffic

route OUTSIDE 1

!move back to the system execution space

changeto system

!turn on the failover


! save the system config, and all the context individual configs at the same time

write memory all

ASA1 is now seeing if there is an active failover devices for the 2 groups and when it see's that there isn't one, it will go active for both groups.

Moving over to  Physical ASA2

! Change the firewall mode to 'muultiple'
CiscoASA(config)# mode multiple

! tell this ASA what priority (title) it will have, primary or secondary

ASA2(config)# failover lan unit secondary

! Make sure the failover interface is up
interface GigabitEthernet3
no shutdown

! define the failover interface name and IPs

ASA2(config)# failover lan interface LAN_FAIL GigabitEthernet3
ASA2(config)# failover interface ip LAN_FAIL standby

! turn on the failover



  1. Hi Prashant,

    Really informative post. I recently cleared my CCNA Securitytest and there i read about this term, prior i had no idea what this is all about till i read this atleast i know that it is sort of same as HSRP/VRRP/GLBP (mainly in term of failover) functinality in ASA.

  2. IN THE SECOND FIREWALL, you would need to put failover lan unit secondary
    Also ts not failover link , should be failover lan interface.I guess you mistyped it

  3. Thanks Ashwin for reporting the typo error. Now it's been corrected.


Post a comment

Popular posts from this blog

Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

Filtering Routes in BGP using Route-maps and Prefix-list

Open Shortest Path First (OSPF)

IKEv2 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec VPN as a Backup for Point-to-Point Link using IP SLA

Border Gateway Protocol (BGP)

Bypassing Proxy Server in Google Chrome

Cisco ASA Active/Standby Failover Configuration