failover lan interface [name] [intf]
Configures the LAN interface used for failover communication between two ASA firewalls in a failover pair.
Overview
The 'failover lan interface' command designates the interface a Cisco ASA uses for failover communication with its peer. This link carries the unit heartbeat (hello) messages, unit and interface state, and configuration replication from the active unit to the standby unit, and it is required in both active/standby and active/active failover modes.

The interface must be dedicated: an unused physical interface (or, on platforms that support it, a subinterface or VLAN interface) that carries no 'nameif', 'security-level' or 'ip address' configuration and no data traffic. When the command is entered, the ASA clears any existing non-failover configuration from the port. A Gigabit Ethernet port is the usual choice so that state replication keeps up with the connection rate.

The command assigns a logical name (for example FO_LINK) that later failover commands reference: 'failover interface ip' sets the active and standby addresses on the link, and 'failover link' selects the interface used as the stateful failover link, which may be this same interface. The command is entered in global configuration mode, takes effect immediately, and must be in place before failover is turned on with the 'failover' command; without it, the 'failover' command is rejected.

The purpose of failover is high availability: a standby unit takes over when the active unit, or one of its monitored interfaces, fails. The LAN failover interface is the channel that makes the takeover decision possible, so it must be fast and reliable. It also deserves the same protection as a management channel: everything sent over it, including the replicated running configuration and the credentials in it, crosses the link in clear text unless a 'failover key' is configured on both units, and the link should be a direct cable or an isolated VLAN rather than a shared LAN segment.

When troubleshooting, confirm the interface is up/up on both units and that the active and standby addresses on the link are in the same subnet on both peers.
When to Use This Command
- Setting up a dedicated LAN interface for stateful failover between primary and secondary ASAs.
- Configuring a failover link to synchronize connection state and configuration between failover peers.
- Enabling active/standby failover with a dedicated LAN interface for heartbeat and state replication.
- Migrating from a shared failover link to a dedicated LAN interface for improved reliability.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | string | A logical name for the failover LAN interface, e.g., FO_LINK. This name is used in subsequent failover commands to refer to this interface. |
| intf | interface-id | The physical interface or subinterface to be used for failover communication, e.g., GigabitEthernet0/3. Must be a dedicated, enabled interface with no 'nameif' or 'ip address' and no data traffic. |
Command Examples
Configure failover LAN interface named FO_LINK on GigabitEthernet0/3
failover lan interface FO_LINK GigabitEthernet0/3
INFO: Non-Failover interface config is cleared on GigabitEthernet0/3 and its sub-interfaces
The command assigns the name FO_LINK to physical interface GigabitEthernet0/3 for failover communication. The INFO line tells you that any non-failover configuration on that port (and on its subinterfaces), such as a 'nameif', 'security-level' or 'ip address', has been removed; the interface now exists only for failover.
Verify failover LAN interface configuration
show running-config | include failover lan interface
failover lan interface FO_LINK GigabitEthernet0/3
The show command displays the current failover LAN interface configuration, confirming the interface name and physical port.
Understanding the Output
The output of 'show running-config | include failover lan interface' displays the configured failover LAN interface, echoing the command exactly as it was entered. A healthy configuration shows a single line with the interface name and physical port. If the line is missing, no failover LAN interface is configured and failover cannot be enabled. The output says nothing about addresses or link state: the addresses are configured with 'failover interface ip' and shown by 'show failover interface', and the live state of the link and of both units is shown by 'show failover'.
Configuration Scenarios
Basic Active/Standby Failover Setup
Two ASA 5500-X series firewalls in a failover pair. The primary unit is active, the secondary is standby. A dedicated GigabitEthernet0/3 on each unit, connected back to back or through an isolated VLAN, is used as the failover link. (Interface numbering varies by model; substitute the unused port on your platform.)
Topology
Internet --- ASA1 (Active) --- Inside Network
                |
        Failover LAN (Gig0/3)
                |
Internet --- ASA2 (Standby) --- Inside Network
Steps
1. On the primary ASA, enter configure terminal and make sure GigabitEthernet0/3 is enabled ('no shutdown') and carries no 'nameif' or 'ip address'.
2. Enter: failover lan unit primary
3. Enter: failover lan interface FO_LINK GigabitEthernet0/3
4. Enter: failover interface ip FO_LINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
5. Enter: failover link FO_LINK
6. Enter: failover
7. On the secondary ASA, enter 'failover lan unit secondary' and then the same 'failover lan interface', 'failover interface ip', 'failover link' and 'failover' commands with identical values. The addresses are not swapped: both units carry the same 'failover interface ip' line, and the unit role decides which address each uses (the active unit answers on 192.168.1.1, the standby on 192.168.1.2). Once failover is enabled, the rest of the configuration replicates from the active unit to the standby.
! Primary ASA
failover lan interface FO_LINK GigabitEthernet0/3
failover interface ip FO_LINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover link FO_LINK
failover
Verify: Use 'show failover' to check the state. On the primary it should report 'This host: Primary - Active' and 'Other host: Secondary - Standby Ready'. Use 'show failover interface' to confirm the FO_LINK system and standby addresses, and 'show interface GigabitEthernet0/3' to confirm the port is up/up on both units.
Watch out: Do not configure the failover LAN interface with 'nameif', 'security-level' or 'ip address'; its addresses come only from 'failover interface ip', and the ASA clears any such configuration when the interface is assigned. Also configure the same 'failover key' on both units before enabling failover; without it the heartbeat and the replicated configuration, including passwords and keys, cross the link in clear text, and anyone with access to that segment can read them.
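A complete version of the procedure above for both units, added here as a worked example rather than taken from the page's scenario or from Cisco documentation. The interface, name, addresses and the key value are placeholders chosen for illustration; the comment lines (beginning with '!') are annotations and are not entered on the ASA:

```text
! ===== Primary ASA =====
! The failover port carries no nameif, security-level or ip address
! and must be administratively up before it is assigned.
interface GigabitEthernet0/3
 no nameif
 no shutdown
!
failover lan unit primary
failover lan interface FO_LINK GigabitEthernet0/3
failover interface ip FO_LINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
! Shared secret (example value) that protects failover messages; without it
! heartbeats and the replicated configuration cross the link in clear text.
failover key MyF0verKey2024
! Reuse FO_LINK as the stateful link; name a second dedicated interface
! here instead if connection-state replication should not share the port.
failover link FO_LINK
failover
!
! ===== Secondary ASA =====
! Only the failover commands are needed; the remaining configuration is
! replicated from the active unit once failover is enabled.
interface GigabitEthernet0/3
 no nameif
 no shutdown
!
failover lan unit secondary
failover lan interface FO_LINK GigabitEthernet0/3
failover interface ip FO_LINK 192.168.1.1 255.255.255.252 standby 192.168.1.2
! Must match the primary's key exactly or the peers never see each other.
failover key MyF0verKey2024
failover link FO_LINK
failover
!
! ===== Verification (either unit) =====
! show failover            -> "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
! show failover interface  -> FO_LINK with its system and standby addresses
! show failover history    -> past state transitions and their reasons, useful when the pair flaps
```

Enter the secondary unit's commands while the primary is already active so that the first synchronization runs from the intended active unit. Releases that support it also offer 'failover ipsec pre-shared-key', which carries the link inside IPsec; 'failover key' is the minimum that should be in place on any pair.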
Troubleshooting with This Command
When troubleshooting failover LAN interface issues, start with the physical layer: 'show interface GigabitEthernet0/3' must report up/up on both units. If the interface is down, check the cabling and, when the link runs through a switch, the switch port and VLAN configuration. If a subinterface is used, make sure its parent interface is not shut down.

Next, verify the configuration with 'show running-config | include failover' on both units. The failover LAN interface name and port, the 'failover interface ip' line and the 'failover key' must match on both peers; mismatched names, addresses in different subnets or differing keys are the most common causes of a pair that never synchronizes. Confirm that 'failover link' references the same logical name (or a second dedicated interface) and that 'failover lan unit' designates one unit as primary and the other as secondary.

Then use 'show failover'. The 'Failover LAN Interface' line names the link and shows whether it is up or down, and the 'This host' and 'Other host' lines show the unit states; a healthy pair shows one unit Active and the other Standby Ready. 'show failover interface' lists the system and standby addresses on the link, and 'show failover history' records past state changes with their reasons, which is the quickest way to explain a pair that has flapped.

The failover LAN interface cannot carry a 'nameif' and must not be used for any other purpose; on most platforms the management-only interface is not supported for this role. If the port is shared with data traffic, heartbeats can be delayed and state replication can fall behind or fail. Use 'debug fover' cautiously in production, as it is verbose on a busy pair. Finally, remember that failover only starts once the 'failover' command has been entered after the LAN interface is configured.
CCNA Exam Tips
Remember that the failover LAN interface must be a dedicated interface not used for any other purpose.
The interface name is arbitrary but must match the name used in 'failover interface ip' command.
On ASA, the failover LAN interface can be a physical interface, subinterface, or VLAN interface, but not a management-only interface.
Common Mistakes
Using a data interface for the failover LAN, causing performance issues or failover failures.
Forgetting to configure an IP address on the failover LAN interface using 'failover interface ip'.
Mismatching the interface name, addresses or 'failover key' between primary and secondary units, causing the failover link to stay down.
Leaving the link unprotected: without 'failover key', the heartbeat and the replicated configuration, including passwords, cross the link in clear text.
Running the failover link over a shared switch segment where other hosts can observe or inject failover traffic instead of a direct cable or isolated VLAN.
Platform Notes
On Cisco ASA, the 'failover lan interface' command is entered in global configuration mode. The command is specific to the ASA and is not available on IOS; Cisco IOS routers provide gateway redundancy with first-hop redundancy protocols such as HSRP, VRRP and GLBP rather than a stateful firewall failover pair. On ASA, the failover LAN interface can be a physical interface, subinterface or VLAN interface, but on most platforms not the management-only interface (for example Management0/0). On ASA 5500-X series hardware, a dedicated Gigabit Ethernet port is recommended for optimal performance. On ASA 9.x and later, the command syntax remains the same. For the virtual ASA (ASAv), the failover LAN interface is a virtual NIC, and both virtual machines must see the same isolated port group or VLAN on that NIC. The closest equivalents on other vendors' firewalls are the Palo Alto HA1 (control) and HA2 (data) links and the FortiGate FGCP heartbeat interfaces. On Cisco Firepower Threat Defense (FTD), failover is configured as a high-availability pair from the management center or device manager rather than with these ASA commands. The 'failover lan interface' command is a prerequisite for enabling failover; without it, the 'failover' command is rejected. Always configure the LAN interface, its addresses and the 'failover key' before enabling failover.