Redundancy · Global Config

failover lan unit [primary|secondary]

Designates the local unit as the primary or secondary unit in an active/standby failover pair.

Overview

The 'failover lan unit' command is a critical configuration step in setting up Active/Standby failover on Cisco ASA Firewalls. This command designates the local firewall unit as either the primary or secondary unit in a failover pair. The primary unit is intended to be the active unit under normal conditions, while the secondary unit remains in standby mode, ready to take over if the primary fails. The concept behind this command is to establish a deterministic role assignment, avoiding ambiguity in which unit should be active.

It is used during initial failover setup or when reconfiguring roles after a failover event. On Cisco ASA, the command is entered in global configuration mode and requires that the failover LAN interface and other failover parameters are already configured. The command does not immediately change the active/standby state; instead, it sets the configured role, which influences the election process when failover is enabled.

In troubleshooting workflows, verifying the configured role with 'show failover' helps identify misconfigurations where both units are set to primary or secondary, which can cause failover to malfunction. The command is platform-specific to ASA and does not have a direct equivalent in IOS routers, which use 'redundancy' commands.

Syntax · Global Config
failover lan unit {primary | secondary}

When to Use This Command

  • Configuring the primary unit in a new active/standby failover pair.
  • Switching roles after a failover event to restore original primary status.
  • Setting up a secondary unit for redundancy in a data center.
  • Reconfiguring roles during maintenance or hardware replacement.

Parameters

Parameter | Syntax    | Description
primary   | primary   | Sets the local unit as the primary unit. The primary unit has a higher priority (1) and will become active if both units are healthy.
secondary | secondary | Sets the local unit as the secondary unit. The secondary unit has a lower priority (2) and will remain in standby unless the primary fails.

Command Examples

Set local unit as primary

failover lan unit primary
ciscoasa(config)# failover lan unit primary
ciscoasa(config)#

The absence of output confirms that the command was accepted. The unit will assume the primary role upon failover activation.

Set local unit as secondary

failover lan unit secondary
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)#

The absence of output confirms that the command was accepted. The unit will assume the secondary role upon failover activation.

Understanding the Output

The command does not produce output beyond the prompt. To verify the configured role, use 'show running-config failover' or 'show failover'. In 'show failover', the 'This host: Primary' or 'This host: Secondary' line indicates the configured role. A healthy state shows the primary as active and secondary as standby. Problem values include mismatched roles (e.g., both units show primary) or 'Unknown' state, which indicates misconfiguration or communication failure.

Configuration Scenarios

Basic Active/Standby Failover Setup

Two ASA firewalls in a data center providing redundant internet access.

Topology

Internet --- ASA1 (Primary) --- Inside Network
             |
             +--- ASA2 (Secondary)

Steps

  1. Configure failover LAN interface on both units.
  2. Set ASA1 as primary: 'failover lan unit primary'.
  3. Set ASA2 as secondary: 'failover lan unit secondary'.
  4. Enable failover globally: 'failover'.

Configuration

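! On ASA1
interface GigabitEthernet0/3
 description Failover Link
 no shutdown
! Dedicate the interface to failover; the link is addressed with
! 'failover interface ip', not with 'ip address' under the interface
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover lan unit primary
failover

! On ASA2 (same link addressing as ASA1; only the unit role differs)
interface GigabitEthernet0/3
 description Failover Link
 no shutdown
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover lan unit secondary
failover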

Verify: Run 'show failover' on both units. ASA1 should report 'This host: Primary - Active' and ASA2 should report 'This host: Secondary - Standby'.

Watch out: Ensure the failover link IP addresses are on the same subnet and reachable. Also, the failover interface must be configured before enabling failover.

Troubleshooting with This Command

When troubleshooting failover role issues, start by verifying the configured role with 'show running-config | include failover lan unit'. If both units show the same role, correct one. Use 'show failover' to see the current state. If the secondary unit shows 'Active' unexpectedly, check for a failover event or misconfiguration. Common issues include mismatched failover link IPs, missing 'failover' global command, or interface errors. The command 'debug failover' can provide real-time role negotiation details. In a healthy state, the primary unit should be active and the secondary standby. If both are standby, check the failover link. If both are active, there is a split-brain scenario; ensure the failover link is up and the 'failover' command is present. The 'failover lan unit' command itself does not produce output, but its effect is visible in 'show failover' output.
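
The role and state checks described above can be run against 'show failover' output collected from both units. The following is an added example, not part of the original page or any Cisco tooling; the sample outputs are constructed, trimmed excerpts, and the function names parse_unit and check_pair are hypothetical.

```python
import re

# Constructed, trimmed 'show failover' excerpts (not captured from real devices).
ASA1_OK = """Failover On
Failover unit Primary
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""
ASA2_OK = """Failover On
Failover unit Secondary
        This host: Secondary - Standby Ready
        Other host: Primary - Active
"""
ASA2_BAD = """Failover On
Failover unit Primary
        This host: Primary - Active
        Other host: Primary - Failed
"""

HOST_RE = re.compile(r"^\s*This host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$", re.M)

def parse_unit(text):
    """Return (failover_enabled, configured_role, state) for one unit."""
    enabled = re.search(r"^Failover On\b", text, re.M) is not None
    m = HOST_RE.search(text)
    if not m:
        return enabled, "Unknown", "Unknown"
    return enabled, m.group(1), m.group(2)

def check_pair(out_a, out_b):
    """Compare both units' output and list the problems the page describes."""
    (en_a, role_a, st_a), (en_b, role_b, st_b) = parse_unit(out_a), parse_unit(out_b)
    findings = []
    if not (en_a and en_b):
        findings.append("failover not enabled on both units")
    if "Unknown" in (role_a, role_b):
        findings.append("role/state unknown: misconfiguration or communication failure")
    elif role_a == role_b:
        findings.append(f"both units configured as {role_a.lower()}")
    active = [s.startswith("Active") for s in (st_a, st_b)]
    standby = [s.startswith("Standby") for s in (st_a, st_b)]
    if all(active):
        findings.append("both units active (split-brain): check failover link")
    if all(standby):
        findings.append("both units standby: check failover link")
    for role, st in ((role_a, st_a), (role_b, st_b)):
        if role == "Secondary" and st.startswith("Active"):
            findings.append("secondary is active: check for a failover event")
    return findings
```

An empty list from check_pair means the pair matches the healthy state: different configured roles, primary active, secondary standby.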

CCNA Exam Tips

  1. Remember that 'failover lan unit primary' is configured on the unit you want to be active by default.
  2. The command is only effective after 'failover' is globally enabled and LAN link is configured.
  3. In exam scenarios, know that the primary unit has priority 1 (higher) and secondary has priority 2 (lower).

Common Mistakes

Configuring both units as primary, causing role conflict and failover failure.

Forgetting to configure 'failover lan unit' before enabling failover globally.

Assuming the command changes the active role immediately; it only sets the configured role, and the active role depends on health and priority.

Platform Notes

On Cisco ASA, the 'failover lan unit' command is used only in Active/Standby failover mode. In Active/Active failover (ASA 8.4+), roles are per-context, and this command is not used. There is no direct equivalent in Cisco IOS; IOS uses 'redundancy' and 'standby' commands. On ASA, the command is available in global config mode and requires a failover license. In ASA version 9.x, the command syntax remains unchanged. For ASA virtual (ASAv), failover is supported with similar configuration.
