failover link [name] [intf]
Configures the dedicated failover link interface for stateful failover communication between two ASA units.
Overview
The 'failover link' command is used on Cisco ASA firewalls to designate a specific interface for failover communication between two units in a failover pair. This link carries state information (if stateful failover is enabled) and heartbeat messages. The command is essential for high availability deployments where redundancy and minimal downtime are critical. The failover link must be a dedicated interface that is not used for data traffic; it can be a physical interface, a VLAN interface, or a PortChannel. The interface must be in the same security zone and have IP connectivity between the two units. Typically, a dedicated subnet is used for the failover link. The command is configured in global configuration mode and requires the failover mode to be set (Active/Standby or Active/Active). Without a properly configured failover link, stateful failover cannot function, and the units will not synchronize connection state. In troubleshooting, verifying the failover link status is the first step when failover issues arise.
failover link {name} {intf}
When to Use This Command
- Setting up a dedicated GigabitEthernet interface for stateful failover in an Active/Standby pair.
- Configuring a separate VLAN interface for failover traffic to isolate it from data traffic.
- Using a PortChannel interface as the failover link for higher bandwidth and redundancy.
- Reassigning the failover link to a different interface during maintenance without disrupting failover functionality.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| name | name | A logical name for the failover link. This name is used in other failover commands and must match on both units. It can be any string, but descriptive names like 'stateful' or 'fover' are common. |
| intf | interface-id | The interface to be used as the failover link. This can be a physical interface (e.g., GigabitEthernet0/2), a VLAN interface (e.g., vlan 100), or a PortChannel (e.g., Port-channel1). The interface must be enabled and have an IP address configured. |
Command Examples
Configure failover link on GigabitEthernet0/2
failover link stateful GigabitEthernet0/2
INFO: Failover link configured successfully.
The command assigns the interface GigabitEthernet0/2 as the failover link with the logical name 'stateful'. The output confirms success.
Configure failover link on a VLAN interface
failover link fover vlan 100
INFO: Failover link configured successfully.
This configures VLAN 100 as the failover link interface named 'fover'. The VLAN must already exist and be enabled.
Understanding the Output
The command itself does not produce detailed output; it only returns a confirmation message. To verify the failover link configuration, use 'show failover' or 'show running-config failover'. In 'show failover', look for the 'Failover LAN Interface' line which displays the configured interface and its status. A healthy state shows the interface as 'Up' and 'Link status: Up'. If the link is down, failover communication fails and the units may not synchronize state. Also check 'show failover interface' for detailed statistics like packet counts and errors.
Configuration Scenarios
Basic Active/Standby Failover with Dedicated Link
Two ASA 5506-X units in Active/Standby mode. GigabitEthernet0/2 is dedicated for failover traffic.
Topology
Internet --- ASA1 (Active) --- Inside
                   |
         failover link (GE0/2)
                   |
            ASA2 (Standby)
Steps
1. Configure failover on both units.
2. Set the failover link on both units to the same interface and name.
3. Configure the failover interface IP addresses.
4. Enable stateful failover if desired.
! On both units:
failover
failover link stateful GigabitEthernet0/2
failover interface ip stateful 10.0.0.1 255.255.255.252 standby 10.0.0.2
Verify: Use 'show failover' to verify the link status is Up and state synchronization is active.
Watch out: Ensure the failover link interface is not configured with any other IP or used for data traffic.
Troubleshooting with This Command
When troubleshooting failover link issues, start with 'show failover' to check the overall failover status and link state. If the link is down, verify physical connectivity, interface status, and IP configuration. Use 'show interface ip brief' to confirm the interface is up/up. Check for mismatched failover link names or IP subnets between units. Use 'debug failover' to see detailed failover events, but be cautious as it can be verbose. Common issues include incorrect VLAN assignment, duplex mismatch, or firewall rules blocking failover traffic. Also ensure that the failover link is in the same security zone and that there are no ACLs filtering the failover traffic. If using a PortChannel, verify that all member links are operational. For stateful failover, ensure that the failover link has sufficient bandwidth to handle state updates.
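Added example (not part of the original page and not Cisco tooling): a Python check for the mismatches named above, run over the failover lines of each unit's running configuration. It assumes only the two command forms shown on this page; the sample configurations and the names UNIT_A, UNIT_B, parse_failover and check_pair are constructed for illustration.

```python
import ipaddress
import re

LINK_RE = re.compile(r"^failover link (\S+) (.+)$")
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")
# Constructed sample configs (not captured from real devices).
UNIT_A = """failover
failover link stateful GigabitEthernet0/2
failover interface ip stateful 10.0.0.1 255.255.255.252 standby 10.0.0.2"""
UNIT_B = """failover
failover link fover GigabitEthernet0/2
failover interface ip fover 10.0.0.1 255.255.255.252 standby 10.0.1.2"""

def parse_failover(config):
    """Return (link_name, interface, network, standby_ip), or None if no failover link."""
    link, ips = None, {}
    for line in map(str.strip, config.splitlines()):
        if m := LINK_RE.match(line):
            link = (m.group(1), m.group(2).strip())
        elif m := IP_RE.match(line):
            name, active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            ips[name] = (net, ipaddress.ip_address(standby))
    if link is None:
        return None
    net, standby = ips.get(link[0], (None, None))
    return link[0], link[1], net, standby

def check_pair(cfg_a, cfg_b):
    """Compare two units' failover link settings; return a list of findings."""
    findings = []
    units = {"unit A": parse_failover(cfg_a), "unit B": parse_failover(cfg_b)}
    for label, u in units.items():
        if u is None:
            findings.append(f"{label}: no failover link configured")
        elif u[2] is None:
            findings.append(f"{label}: no failover interface ip for link '{u[0]}'")
        elif u[3] not in u[2]:
            findings.append(f"{label}: standby {u[3]} outside {u[2]}")
    a, b = units["unit A"], units["unit B"]
    if a and b:
        if a[0] != b[0]:
            findings.append(f"link name mismatch: '{a[0]}' vs '{b[0]}'")
        if a[1].lower() != b[1].lower():
            findings.append(f"link interface mismatch: {a[1]} vs {b[1]}")
        if a[2] and b[2] and a[2] != b[2]:
            findings.append(f"link subnet mismatch: {a[2]} vs {b[2]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(UNIT_A, UNIT_B)))
```

An empty list means the link name, interface and subnet agree on both units; link state itself still has to be confirmed with 'show failover'.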
CCNA Exam Tips
Remember that the failover link must be a dedicated interface; it cannot be used for data traffic.
In the exam, know that the failover link name is arbitrary but must match on both units.
Understand that stateful failover requires the failover link to be configured; stateless failover does not.
Common Mistakes
Using a data interface as the failover link, causing traffic disruption.
Forgetting to configure the same failover link name on both units, leading to mismatch.
Not enabling the interface before assigning it as failover link, resulting in link down.
Platform Notes
On Cisco ASA, the failover link command is similar to the 'failover link' command on Cisco IOS routers with failover capability, but ASA uses a dedicated interface rather than a virtual link. On ASA 9.x and later, the command syntax remains consistent. Unlike IOS where failover is often used with HSRP/VRRP, ASA failover is proprietary and requires identical hardware and software versions. The failover link can be a physical interface or a VLAN, but not a management-only interface. In ASA 9.6+, support for PortChannel as failover link was added. For cloud or virtual ASA, failover link may be implemented differently.