failover
Enables and configures failover redundancy between two ASA firewalls for high availability.
Overview
The 'failover' command is used to configure high availability (HA) on Cisco ASA firewalls, allowing two identical units to operate in an active/standby or active/active (for multiple context mode) configuration. The primary purpose is to provide network resilience: if the active unit fails, the standby unit takes over seamlessly, minimizing downtime. The command enables the failover feature and sets parameters such as unit role (primary/secondary), failover link interface, and stateful replication options. Failover can be triggered manually via 'failover active' or automatically upon detection of a failure. The concept behind failover is based on heartbeat messages exchanged over a dedicated failover link (LAN or serial). The ASA monitors the health of interfaces, the unit itself, and the peer. When a failure is detected, the standby unit assumes the active role, taking over IP addresses and MAC addresses. This command is essential in enterprise environments where network availability is critical. On Cisco ASA, failover is platform-specific: it requires identical hardware models, software versions, and feature licenses. Configuration is done in global configuration mode, and the command is typically used during initial HA setup. Troubleshooting workflows often start with 'show failover' to verify state and synchronization status.
failover [active | standby | lan unit {primary | secondary} | lan interface if_name | link state {track_interface} | replication {http | iccp} | reload-standby | reset | exec {active | standby}]
When to Use This Command
- Deploying a pair of ASAs in active/standby failover to ensure network uptime during hardware or software failures.
- Configuring stateful failover to maintain active connections during a failover event.
- Using LAN-based failover for faster detection and synchronization compared to serial cable.
- Enabling forced failover for maintenance or testing purposes.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| active | failover active | Forces the unit to become active. Used on the standby unit to trigger a failover. |
| standby | failover standby | Forces the unit to become standby. Used on the active unit to relinquish the active role. |
| lan unit | failover lan unit {primary | secondary} | Sets the unit's role in LAN-based failover. Primary has higher priority; secondary is standby by default. |
| lan interface | failover lan interface if_name | Designates the physical interface used for failover communication. Must be a dedicated interface. |
| link state | failover link state {track_interface} | Tracks the state of monitored interfaces; failover occurs if tracked interfaces go down. |
| replication | failover replication {http | iccp} | Enables stateful replication of HTTP or ICCP connections for stateful failover. |
| reload-standby | failover reload-standby | Reloads the standby unit. Useful for maintenance without affecting the active unit. |
| reset | failover reset | Resets all failover configuration to defaults. |
| exec | failover exec {active | standby} | Executes a command on the specified unit from the current unit. |
Command Examples
Enable failover and set unit as primary
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover
Failover On
Configures the ASA as the primary unit, assigns the failover link interface and IP addresses, then enables failover.
Force failover to standby unit
failover active
Switching to Active
Forces the current standby unit to become active, triggering a failover event.
Understanding the Output
The 'show failover' command provides detailed status. Key fields include 'Failover On' (the feature is enabled), the 'Primary' or 'Secondary' unit role, the 'Active' or 'Standby' state, and the 'Last Failover at' timestamp. Healthy output shows both units synchronized, with the 'Stateful Failover Logical Update Statistics' counters incrementing. Problem values include a 'Failed' state, 'Not Detected' for the peer, or 'Sync Failed' messages. The 'show failover interface' command displays the failover link status and IP addresses; 'Up' is healthy, 'Down' indicates a problem.
Configuration Scenarios
Basic Active/Standby Failover with LAN Link
Two ASA 5506-X firewalls in a small office, running active/standby failover over a dedicated GigabitEthernet0/3 interface.
Topology
[Internet]---[ASA1 (Active)]---[Switch]---[LAN]
|
[Failover Link]
|
[ASA2 (Standby)]
Steps
1. Configure hostname and basic settings on both ASAs.
2. On ASA1: configure failover lan unit primary, failover lan interface failover GigabitEthernet0/3, failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2.
3. On ASA2: configure failover lan unit secondary, failover lan interface failover GigabitEthernet0/3, failover interface ip failover 10.0.0.2 255.255.255.0 standby 10.0.0.1.
4. Enable failover on both: 'failover'.
5. Verify with 'show failover'.
! ASA1
hostname ASA1
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover
! ASA2
hostname ASA2
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.2 255.255.255.0 standby 10.0.0.1
failover
Verify: On either unit: 'show failover' should show one unit as Primary/Active and the other as Secondary/Standby. 'show failover interface' should show the failover link as Up.
Watch out: Ensure the failover interface is not used for data traffic; it must be a dedicated link.
Troubleshooting with This Command
When troubleshooting failover on Cisco ASA, start with 'show failover' to check the overall state. Look for 'Failover On' and the 'Active'/'Standby' status. If the state is 'Failed', check the reason (e.g., 'Link Down', 'Sync Failed'). Use 'show failover interface' to verify that the failover link is up and has the correct IP addresses. If the link is down, check physical connectivity and VLAN configuration. 'show failover history' provides a log of failover events. If stateful replication is not working, verify that 'failover replication http' is configured and check 'show conn' counts. Common issues include mismatched configurations (e.g., ACLs, NAT) causing sync failures. Use 'debug failover' with caution in production. For LAN failover, ensure the failover link is a Layer 2 connection with no routing between the units. If using a serial cable, verify that it is properly connected. For forced failover, use 'failover active' on the standby unit; if it doesn't take over, check the priority settings. The 'show failover' output includes a 'Last Failover at' timestamp, which helps correlate with other events. If the standby unit shows 'Not Detected', check IP connectivity on the failover link.
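The fields and problem values called out in "Understanding the Output" and the checks listed in this troubleshooting section can be turned into a small health check that runs over saved 'show failover' text, for example from a monitoring job or a ticket attachment. The script below is an added example, not Cisco code and not part of this page's original content. Both samples it parses are constructed: the line layout mirrors the ASA format, but every value (versions, IPs, timestamps) is invented, and the regular expressions are only as general as that sample layout.

```python
import re
from dataclasses import dataclass, field

# Constructed 'show failover' samples (not captured from a real ASA); the field
# layout mirrors the ASA format, the values are invented for this example.
SAMPLE_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Version: Ours 9.12(4), Mate 9.12(4)
Last Failover at: 10:21:14 UTC Mar 3 2024
        This host: Primary - Active
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Normal (Monitored)
"""

SAMPLE_DEGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (down)
Version: Ours 9.12(4), Mate Unknown
Last Failover at: 10:21:14 UTC Mar 3 2024
        This host: Primary - Active
                  Interface outside (203.0.113.1): Normal (Waiting)
                  Interface inside (192.168.1.1): Unknown (Waiting)
        Other host: Secondary - Not Detected
"""

HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \([^)]*\): (.+?)(?: \([\w-]+\))?\s*$")
LINK_RE = re.compile(r"^Failover LAN Interface: .*\((up|down)\)")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
LAST_RE = re.compile(r"^Last Failover at: (.+?)\s*$")


@dataclass
class FailoverStatus:
    enabled: bool = False
    link_up: bool = False
    our_version: str = ""
    mate_version: str = ""
    last_failover: str = ""
    this_role: str = ""
    this_state: str = ""
    peer_role: str = ""
    peer_state: str = ""
    interfaces: list = field(default_factory=list)  # (host, name, status)


def parse_show_failover(text: str) -> FailoverStatus:
    """Pull the fields the page calls out from 'show failover' text."""
    st = FailoverStatus()
    host = None  # which block ("This" or "Other") interface lines belong to
    for line in text.splitlines():
        if re.fullmatch(r"Failover (On|Off)\s*", line):
            st.enabled = line.startswith("Failover On")
        elif m := LINK_RE.match(line):
            st.link_up = m.group(1) == "up"
        elif m := VER_RE.match(line):
            st.our_version, st.mate_version = m.group(1), m.group(2)
        elif m := LAST_RE.match(line):
            st.last_failover = m.group(1)
        elif m := HOST_RE.match(line):
            host = m.group(1)
            if host == "This":
                st.this_role, st.this_state = m.group(2), m.group(3)
            else:
                st.peer_role, st.peer_state = m.group(2), m.group(3)
        elif (m := IFACE_RE.match(line)) and host:
            st.interfaces.append((host, m.group(1), m.group(2)))
    return st


def find_problems(st: FailoverStatus) -> list:
    """Map the unhealthy values the page lists to the next check to run."""
    problems = []
    if not st.enabled:
        problems.append("failover is Off: enable it with 'failover' on both units")
    if not st.link_up:
        problems.append("failover link is down: check cabling and VLAN on the failover interface")
    if "Not Detected" in st.peer_state:
        problems.append("peer Not Detected: verify IP connectivity across the failover link")
    for who, state in (("this", st.this_state), ("peer", st.peer_state)):
        if "Failed" in state:  # covers 'Failed' and 'Sync Failed'
            problems.append(f"{who} unit reports '{state}': compare configs, check 'show failover history'")
    if st.mate_version and st.our_version != st.mate_version:
        problems.append(f"version mismatch: ours {st.our_version}, mate {st.mate_version}")
    active = [s for s in (st.this_state, st.peer_state) if s.startswith("Active")]
    if len(active) != 1:
        problems.append("no unit is Active" if not active else "both units are Active (split brain)")
    for who, name, status in st.interfaces:
        if status != "Normal":
            problems.append(f"{who} host interface {name} is {status}")
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(label, find_problems(parse_show_failover(text)) or "no problems")
```

The healthy sample yields an empty problem list; the degraded sample flags the down failover link, the undetected peer, the version mismatch and the non-Normal monitored interface, in that order. The version check matters because the page requires both units to run the same ASA version; the "exactly one Active unit" check catches the split-brain case that a down failover link can produce.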
CCNA Exam Tips
Remember that failover requires identical hardware, software, and licensing on both units.
Stateful failover replicates connection state; stateless does not. Know the difference for exam scenarios.
The 'failover active' command can be used to manually trigger failover; it's a common troubleshooting step.
Common Mistakes
Forgetting to configure the failover link interface IP on both units, causing communication failure.
Using mismatched failover link types (LAN vs serial) between units.
Not enabling stateful failover when required for connection preservation.
Platform Notes
On Cisco ASA, failover is a licensed feature (Security Plus license required for some models). Unlike Cisco IOS routers that use HSRP/VRRP, ASA failover is a proprietary active/standby solution with stateful failover capability. The command syntax differs from IOS; for example, 'failover lan unit primary' is ASA-specific. In ASA version 9.x and later, failover supports multiple context mode and active/active failover. The 'failover reload-standby' command is unique to ASA. For cloud or virtual ASAv, failover is supported with some limitations (e.g., no serial cable). Equivalent commands on other platforms: on Palo Alto, 'high-availability' commands; on Fortinet, 'config system ha'. The 'show failover' output is more detailed than 'show standby' on IOS. Always ensure both units run the same ASA version and have identical configurations (except IP addresses).