Redundancy · Global Config

failover

Enables and configures failover redundancy between two ASA firewalls for high availability.

Overview

The 'failover' command is used to configure high availability (HA) on Cisco ASA firewalls, allowing two identical units to operate in an active/standby or active/active (for multiple context mode) configuration. The primary purpose is to provide network resilience: if the active unit fails, the standby unit takes over seamlessly, minimizing downtime. The command enables the failover feature and sets parameters such as unit role (primary/secondary), failover link interface, and stateful replication options. Failover can be triggered manually via 'failover active' or automatically upon detection of a failure.

The concept behind failover is based on heartbeat messages exchanged over a dedicated failover link (LAN or serial). The ASA monitors the health of interfaces, the unit itself, and the peer. When a failure is detected, the standby unit assumes the active role, taking over IP addresses and MAC addresses. This command is essential in enterprise environments where network availability is critical.

On Cisco ASA, failover is platform-specific: it requires identical hardware models, software versions, and feature licenses. Configuration is done in global configuration mode, and the command is typically used during initial HA setup. Troubleshooting workflows often start with 'show failover' to verify state and synchronization status.

Syntax · Global Config
failover [active | standby | lan unit {primary | secondary} | lan interface if_name | link state {track_interface} | replication {http | iccp} | reload-standby | reset | exec {active | standby}]

When to Use This Command

  • Deploying a pair of ASAs in active/standby failover to ensure network uptime during hardware or software failures.
  • Configuring stateful failover to maintain active connections during a failover event.
  • Using LAN-based failover for faster detection and synchronization compared to serial cable.
  • Enabling forced failover for maintenance or testing purposes.

Parameters

Parameter      | Syntax                                        | Description
---------------|-----------------------------------------------|------------------------------------------------------------
active         | failover active                               | Forces the unit to become active. Used on the standby unit to trigger a failover.
standby        | failover standby                              | Forces the unit to become standby. Used on the active unit to relinquish the active role.
lan unit       | failover lan unit {primary | secondary}       | Sets the unit's role in LAN-based failover. Primary has higher priority; secondary is standby by default.
lan interface  | failover lan interface if_name                | Designates the physical interface used for failover communication. Must be a dedicated interface.
link state     | failover link state {track_interface}         | Tracks the state of monitored interfaces; failover occurs if tracked interfaces go down.
replication    | failover replication {http | iccp}            | Enables stateful replication of HTTP or ICCP connections for stateful failover.
reload-standby | failover reload-standby                       | Reloads the standby unit. Useful for maintenance without affecting the active unit.
reset          | failover reset                                | Resets all failover configuration to defaults.
exec           | failover exec {active | standby}              | Executes a command on the specified unit from the current unit.

Command Examples

Enable failover and set unit as primary

failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover
Failover On

Configures the ASA as the primary unit, assigns the failover link interface and IP addresses, then enables failover.

Force failover to standby unit

failover active
Switching to Active

Forces the current standby unit to become active, triggering a failover event.

Understanding the Output

The 'show failover' command provides detailed status. Key fields include 'Failover On' indicating enabled, 'Primary' or 'Secondary' unit role, 'Active' or 'Standby' state, and 'Last Failover at' timestamp. Healthy output shows both units synchronized with 'Stateful Failover Logical Update Statistics' counters incrementing. Problem values include 'Failed' state, 'Not Detected' for peer, or 'Sync Failed' messages. The 'show failover interface' displays link status and IP addresses; 'Up' is healthy, 'Down' indicates a problem.

Configuration Scenarios

Basic Active/Standby Failover with LAN Link

Two ASA 5506-X firewalls in a small office, active/standby failover using a dedicated GigabitEthernet0/3 interface.

Topology

[Internet]---[ASA1 (Active)]---[Switch]---[LAN]
                  |
           [Failover Link]
                  |
            [ASA2 (Standby)]

Steps

  1. Configure hostname and basic settings on both ASAs.
  2. On ASA1: configure failover lan unit primary, failover lan interface failover GigabitEthernet0/3, failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2.
  3. On ASA2: configure failover lan unit secondary, failover lan interface failover GigabitEthernet0/3, failover interface ip failover 10.0.0.2 255.255.255.0 standby 10.0.0.1.
  4. Enable failover on both: 'failover'.
  5. Verify with 'show failover'.

Configuration
! ASA1
hostname ASA1
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover

! ASA2
hostname ASA2
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.2 255.255.255.0 standby 10.0.0.1
failover

Verify: on either unit, 'show failover' should show one unit as Primary/Active and the other as Secondary/Standby. 'show failover interface' should show the failover link as Up.

Watch out: Ensure the failover interface is not used for data traffic; it must be a dedicated link.

Troubleshooting with This Command

When troubleshooting failover on Cisco ASA, start with 'show failover' to check the overall state. Look for 'Failover On' and 'Active'/'Standby' status. If the state is 'Failed', check the reason (e.g., 'Link Down', 'Sync Failed'). Use 'show failover interface' to verify the failover link is up and has correct IP addresses. If the link is down, check physical connectivity and VLAN configuration. 'show failover history' provides a log of failover events.

If stateful replication is not working, verify 'failover replication http' is configured and check 'show conn' counts. Common issues include mismatched configurations (e.g., ACLs, NAT) causing sync failures. Use 'debug failover' with caution in production. For LAN failover, ensure the failover link is a Layer 2 connection with no routing between the units. If using a serial cable, verify the cable is properly connected.

For forced failover, use 'failover active' on the standby unit; if it doesn't take over, check priority settings. The 'show failover' output includes a 'Last Failover at' timestamp which helps correlate with events. If the standby unit shows 'Not Detected', check IP connectivity on the failover link.
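The health fields described under "Understanding the Output" and the checks walked through above can be automated for monitoring. The following is an added example (not from the original page or from Cisco) that scans 'show failover' text for the problem values the page names: failover not enabled, failover link down, version mismatch, peer 'Failed' or 'Not Detected', and monitored interfaces that are not 'Normal'. The two sample outputs are constructed, and the exact line layout is an assumption modelled on the usual ASA format.

```python
import re

# Constructed 'show failover' samples (assumption: layout follows the usual ASA shape;
# field names are the ones the page describes).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (up)
Version: Ours 9.8(2), Mate 9.8(2)
Last Failover at: 10:01:22 UTC Jan 1 2024
        This host: Primary - Active
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.168.1.2): Normal (Monitored)
"""

DEGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/3 (down)
Version: Ours 9.8(2), Mate 9.8(4)
Last Failover at: 10:01:22 UTC Jan 1 2024
        This host: Primary - Active
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.168.1.1): Failed (Monitored)
        Other host: Secondary - Not Detected
"""

def check_failover(output):
    """Return a list of problem strings; an empty list means the pair looks healthy."""
    problems = []
    if not re.search(r"^Failover On\s*$", output, re.M):
        problems.append("failover is not enabled")
    m = re.search(r"^Failover LAN Interface: (\S+ \S+) \((\w+)\)", output, re.M)
    if m and m.group(2).lower() != "up":
        problems.append(f"failover link {m.group(1)} is {m.group(2)}")
    m = re.search(r"^Version: Ours (\S+), Mate (\S+)", output, re.M)
    if m and m.group(1) != m.group(2):          # both units must run the same image
        problems.append(f"version mismatch: ours {m.group(1)}, mate {m.group(2)}")
    for host in ("This host", "Other host"):
        m = re.search(rf"{host}: (\w+) - (.+)$", output, re.M)
        if m is None:
            problems.append(f"{host.lower()} line missing")
            continue
        state = m.group(2).strip()
        if state in ("Failed", "Not Detected"):   # the problem states the page lists
            problems.append(f"{host.lower()} ({m.group(1)}) is {state}")
    # Any monitored interface whose state is not 'Normal' is a finding
    for name, ip, state in re.findall(r"Interface (\S+) \(([\d.]+)\): (\w+)", output):
        if state != "Normal":
            problems.append(f"interface {name} ({ip}) is {state}")
    return problems
```

In practice the text would come from a scheduled 'show failover' capture rather than the embedded constants.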

CCNA Exam Tips

  1. Remember that failover requires identical hardware, software, and licensing on both units.
  2. Stateful failover replicates connection state; stateless does not. Know the difference for exam scenarios.
  3. The 'failover active' command can be used to manually trigger failover; it's a common troubleshooting step.

Common Mistakes

Forgetting to configure the failover link interface IP on both units, causing communication failure.

Using mismatched failover link types (LAN vs serial) between units.

Not enabling stateful failover when required for connection preservation.

Platform Notes

On Cisco ASA, failover is a licensed feature (Security Plus license required for some models). Unlike Cisco IOS routers that use HSRP/VRRP, ASA failover is a proprietary active/standby solution with stateful failover capability. The command syntax differs from IOS; for example, 'failover lan unit primary' is ASA-specific. In ASA version 9.x and later, failover supports multiple context mode and active/active failover. The 'failover reload-standby' command is unique to ASA. For cloud or virtual ASAv, failover is supported with some limitations (e.g., no serial cable). Equivalent commands on other platforms: on Palo Alto, 'high-availability' commands; on Fortinet, 'config system ha'. The 'show failover' output is more detailed than 'show standby' on IOS. Always ensure both units run the same ASA version and have identical configurations (except IP addresses).
