What is Active/Active Failover on the ASA?
Quick Definition of a Failover: Failover describes any method of protecting a computer system or network by having backup equipment that's ready to take over in case the first piece of equipment fails. Failover applies to many things: applications, servers, systems, hardware components, networks, cybersecurity, and more.
Quick Definition of Active/Active Failover: Active/Active Failover is a modified approach to failover that uses equipment more efficiently. In Active/Active Failover, the system or network that's being secured is divided in half, and the two pieces of equipment take responsibility for half, while still standing by to provide failover for the other part. Active/Active Failover is defined by having two pieces of equipment in active status for one portion of the network and in standby for the other portion.
Quick Explanation of an Active/Active Failover on the ASA: On the ASA, with the right settings enabled and configurations made, failover high availability can be used to do something called active/active failover. We're going to look at some of the benefits of doing active/active failover and, in measurable terms, how to identify which of our physical firewalls is currently active for a given failover group.
An Overview of Active/Active Failover [VIDEO]
In this video, Keith Barker covers the benefits of Active/Active failover on Cisco ASA firewalls within a system that has firewall redundancy. He also discusses how you can use failover groups to accomplish this. Finally, he describes how you can verify and change the failover status of a firewall at the command line.
What's the Benefit of Active/Active Failover on a Cisco ASA Firewall?
The benefit of Active/Active Failover on a Cisco ASA firewall is that it allows you to use your equipment more efficiently, since the alternative is one of your devices simply sitting passively waiting for the other to fail.
If you want failover in your networks, it's going to require two. Two of what? Two of everything — everything that you want to be redundant. In the case of firewalls, you'll need two physical firewalls. Traditionally, we'd call one the active and the other the standby.
If you were a firewall and you were picking jobs, standby is the one you'd want. Here's why: the active firewall is the one responsible for actually moving the traffic for the users. The Standby gets to relax and just periodically check in on the Active to make sure it's okay. The Standby doesn't do anything except stand by until the Active goes belly-up or there's a problem. If something does happen to the Active, the Standby converts, becomes the Active, and starts forwarding traffic.
For everyone except the Standby, this could appear to be wasteful or inefficient. After all, you've got two firewalls, and they're both perfectly capable of forwarding traffic. It's a shame to have one do all the work and have the other simply act as standby. Fortunately, there's a great solution, but only if the Cisco ASA is running virtual firewalls: multiple context mode with more than one context.
How to Prepare Your Network for Active/Active Failover
Assuming you're running virtual firewalls in multiple mode, the first thing to do is carve your ASA into multiple virtual firewalls. For our purposes, we'll imagine that we've made a virtual firewall, Context 1, from our inside network at 10.0.0.1 to our outside 192.168.1.171. Second, we made a virtual firewall, Context 2, from inside 10.2.2.1 to outside 192.168.1.172. Obviously, supporting that will take two physical firewalls.
But in addition to this set-up, we're also going to use something called a failover group. Two failover groups: Failover Group 1 and Failover Group 2.
We have our two ASAs, and we instruct ASA #1 that it's the primary unit and ASA #2 that it's the secondary unit. Then, we set ASA #1 as Active for Failover Group 1 and ASA #2 as active for Failover Group 2.
But you might say this isn't Active/Active Failover, right? This is a primary and secondary firewall, with one in charge of Failover Group 1 and the other in charge of Failover Group 2. And you'd be right: this doesn't equate to load-sharing and Active/Active protection, yet.
What we have to do is instruct Context 1 that it's a member of Failover Group 1 and Context 2 that it's a member of Failover Group 2. What this set-up means is that we can train ASA #1 to be Active for Context 1 and the secondary to be Active for Context 2. Then, they can back each other up while still providing active protection for their context. And that's why it's called Active/Active.
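The set-up described in this section, written out as an ASA configuration. This is an added example, not configuration from the post or from CBT Nuggets: the context names, interface names, the failover-link addresses and the standby addresses are assumptions, and the admin context is assumed to exist already; the inside and outside addresses are the ones used in the text.

```text
! --- System execution space on ASA #1 (primary). Added example; names and
! --- failover-link/standby addresses are assumptions, not from the post.
mode multiple
!
! Failover link between the two physical units (stateful link shares the same interface)
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.0 standby 10.255.255.2
!
! Two failover groups: the primary owns group 1, the secondary owns group 2.
! preempt hands a group back to its preferred unit once that unit recovers.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! The outside interface is shared by both contexts, so each context needs its own MAC
mac-address auto
!
! Context 1: inside 10.0.0.1, outside 192.168.1.171, member of Failover Group 1
context ctx1
  allocate-interface GigabitEthernet0/0 inside1
  allocate-interface GigabitEthernet0/1 outside1
  config-url disk0:/ctx1.cfg
  join-failover-group 1
!
! Context 2: inside 10.2.2.1, outside 192.168.1.172, member of Failover Group 2
context ctx2
  allocate-interface GigabitEthernet0/2 inside2
  allocate-interface GigabitEthernet0/1 outside2
  config-url disk0:/ctx2.cfg
  join-failover-group 2
!
! Enable failover last, after the groups and contexts exist
failover
!
! --- Inside ctx1 (changeto context ctx1): every interface carries an active
! --- address and a standby address, so the other unit can take the group over
interface outside1
  nameif outside
  security-level 0
  ip address 192.168.1.171 255.255.255.0 standby 192.168.1.173
```

On ASA #2 only the failover-link lines are needed, with `failover lan unit secondary` in place of `primary`; the rest of the configuration is replicated from the primary once failover is enabled.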
How to Configure Active/Active Failover on your Cisco ASA Firewall
Now that you've got your network set up correctly, the question becomes how to actually verify who's active for what and how to change it.
To take a look at that, go to the command line of the first physical firewall, ASA #1. How, exactly, do we find out if the primary is active for Failover Group 1, Failover Group 2, or both? The way we find out most things: just ask.
In the console for ASA #1, type:
That's the default command, but you can also type this instead:
show failover state
The result of that is a lot of abbreviated information. While you look over the table, remember that what you're seeing is from ASA #1's perspective. The output shows that ASA #1 knows it is the primary unit, and that for Failover Group 1 it's the Active. ASA #1 also sees the other failover group, and it knows that for Failover Group 2 it's ready to be Standby.
It can also see the "other" host. The other host from ASA #1's perspective is ASA #2. ASA #1 knows the "other" host is the Secondary unit, is Active for Group 2, and is providing backup on Group 1.
What this table should indicate is that you have an active firewall from a physical perspective — for both failover groups. Plus a backup, a Standby, for both failover groups. That's Active/Active Failover on a Cisco ASA firewall.
How to Change Which Firewall is Primary in an Active/Active Failover
There are times you might need a single ASA to become Active for both groups, for example if you were doing an upgrade or needed downtime on the other unit. It's possible to force the control over with two simple commands.
To instruct ASA #1 to take the Active role for all available groups, type:
If you want to verify your handiwork and see what groups each ASA is responsible for, type:
show failover state
This should show you that ASA #1 is now Active for both Failover Group #1 and #2.
To revert changes of which ASA is Active for a Failover Group, there are two methods. The first is to go to ASA #2's command line and type:
failover active group 1
That is, unless you want it to be Active for Failover Group #2, in which case you should type:
failover active group 2
The second approach is to stay in ASA #1's command line. Let's say, for our purposes, that we don't want ASA #1 to be Active for Failover Group 2. To remove Active status from an ASA, type:
no failover active group 2
Like before, you can check your work by typing:
show failover state
Remember, what we've demonstrated here isn't perfect load-sharing. Because all the traffic going out of the first network (10.0.0.1) will be covered by ASA #1 (or whichever firewall you assign to that context) and all the traffic for the second network/context (10.2.2.1) will be managed by the other, there will be a difference between how much traffic each covers while Active. But it will be much more efficient than one of them being Active for all network traffic and the other remaining in a standby mode.
This is only a small taste of what you can learn about configuring the Cisco ASA from CBT Nuggets. If you're trying for your CCNP, try our CCNP Security training or check out this short video from trainer Keith Barker about Cisco ASAs.