show failover
Displays the current failover status and configuration of the ASA firewall pair.
Overview
The 'show failover' command is a fundamental diagnostic tool for Cisco ASA Firewalls configured in a failover pair. Failover provides high availability by allowing one ASA to take over traffic processing if the other fails. This command displays the current failover state, configuration details, and health metrics. It is used to verify that both units are communicating properly, that state replication is functioning, and to identify any issues that could prevent a seamless switchover.
The concept behind failover is active/standby or active/active redundancy. In active/standby, one unit handles all traffic while the other remains ready to take over. The 'show failover' command shows which unit is active and which is standby, along with the role (primary/secondary) that determines which unit becomes active after a reboot. The command also reports the status of the failover link (LAN-based or serial), which is used for heartbeat and state replication.
On Cisco ASA, failover requires identical hardware and software versions. The command output includes version information to verify compatibility. The 'show failover' command is typically the first step in troubleshooting failover issues. It can reveal problems such as mismatched configurations, link failures, or replication errors. It is also used during initial setup to confirm that the failover pair is operating correctly. The command has several sub-options like 'state', 'history', and 'interface' for more detailed views, but the basic command provides a comprehensive summary.
show failover [state | history | lan | interface | group [group-id] | config-sync | exec | reload-standby | recovery | reset | active | primary | secondary]
When to Use This Command
- Verify the failover state (active/standby) of the local and peer units.
- Check the health of failover links and interfaces for monitoring.
- Review failover history to understand recent state changes or failures.
- Confirm configuration replication status between failover peers.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| state | show failover state | Displays the current failover state of the local unit and peer, including the reason for the current state. Useful for quick state verification. |
| history | show failover history | Shows a log of failover state transitions with timestamps and reasons. Helps in understanding the sequence of events leading to the current state. |
| lan | show failover lan | Displays details about the LAN failover interface, including IP addresses, MAC addresses, and link status. Used to troubleshoot LAN-based failover communication. |
| interface | show failover interface | Shows the status of all monitored interfaces from a failover perspective, including their current state and any failures. Critical for understanding interface-based failover triggers. |
| group [group-id] | show failover group [group-id] | Displays failover status for a specific failover group in active/active mode. The group-id is 1 or 2. Shows which unit is active for that group. |
| config-sync | show failover config-sync | Shows the status of configuration synchronization between the two units, including any pending changes or errors. Useful for verifying that configurations are identical. |
| exec | show failover exec | Displays the failover execution state, including the current state machine and any pending actions. Typically used for advanced troubleshooting. |
| reload-standby | show failover reload-standby | Shows the status of a pending reload of the standby unit. Used when the 'failover reload-standby' command has been issued. |
| recovery | show failover recovery | Displays the failover recovery state, including the time remaining before the unit attempts to become active after a failure. Used in troubleshooting recovery scenarios. |
| reset | show failover reset | Shows the failover reset state, typically used when a failover reset has been initiated. Not commonly used. |
| active | show failover active | Displays the active unit's details. Equivalent to 'show failover' but focused on the active unit's perspective. |
| primary | show failover primary | Displays the primary unit's details. Equivalent to 'show failover' but focused on the primary unit's perspective. |
| secondary | show failover secondary | Displays the secondary unit's details. Equivalent to 'show failover' but focused on the secondary unit's perspective. |
Command Examples
Basic Failover Status
show failover

```
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.12(4)9, Mate 9.12(4)9
Last Failover at: 03:45:12 UTC Mar 15 2023
        This host: Primary - Active
                Active time: 123456 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.12(4)9) status (Up/Active)
        Other host: Secondary - Standby
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.12(4)9) status (Up/Standby)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         12345      0          23456      0
        sys cmd         67890      0          78901      0
        up time dup     0          0          0          0
        ...

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       5       12345
        Xmit Q:         0       3       67890
```
The output shows the local unit is Primary and Active, the peer is Secondary and Standby. Failover LAN interface is up. Version matches. Stateful update statistics show no errors (xerr and rerr are 0). Queue depths are low, indicating healthy replication.
Failover History
show failover history

```
From State                 To State                     Reason
15:30:12 UTC Mar 15 2023
Standby Ready              Just Active                  No Active unit found
15:30:15 UTC Mar 15 2023
Active                     Standby Ready                Active unit found
15:30:18 UTC Mar 15 2023
Standby Ready              Active                       No Active unit found
```
This shows recent state transitions. The unit became Active because no Active unit was found, then switched to Standby when the peer became Active, then back to Active. This indicates a flapping issue.
Understanding the Output
The 'show failover' output is divided into several sections. The first lines show the failover configuration: whether failover is enabled, the unit's role (Primary/Secondary), and the current state (Active/Standby). The LAN failover interface status is critical; if it is down, failover communication is broken. Poll frequencies and holdtimes determine how quickly a failure is detected. The 'Monitored Interfaces' count shows how many interfaces are being tracked for failover; if an interface goes down, it may trigger a failover.

The next section compares software versions between the two units; they must match for failover to work. The 'Last Failover at' timestamp indicates when the last state change occurred. The 'This host' and 'Other host' blocks show the role and state of each unit, along with hardware/software revision and status. The 'Active time' shows how long each unit has been active; a non-zero value for the standby indicates it was active previously.

The 'Stateful Failover Logical Update Statistics' section shows the health of state replication. The 'xmit' and 'rcv' counters should be increasing, while 'xerr' and 'rerr' should be zero. Non-zero errors indicate replication problems. The 'Logical Update Queue Information' shows current queue depths; high values suggest congestion or failure. Healthy values are low (e.g., Cur near 0).
Configuration Scenarios
Basic Active/Standby Failover Setup
Two ASA 5525-X firewalls are configured for active/standby failover. The LAN failover interface is GigabitEthernet0/3, and the stateful failover link is also on the same interface.
Topology
```
Internet --- ASA1 (Active) --- Inside Network
               |         |
               |   LAN   |
               |         |
Internet --- ASA2 (Standby) --- Inside Network
```
Steps
1. Configure failover on both units: 'failover lan unit primary' on ASA1, 'failover lan unit secondary' on ASA2.
2. Set the LAN failover interface: 'failover lan interface FAILOVER GigabitEthernet0/3'.
3. Assign IP addresses for the failover link: 'failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2'.
4. Enable failover: 'failover'.
5. Verify with 'show failover'.
```
! On ASA1 (Primary)
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover

! On ASA2 (Secondary)
! The failover link addresses are entered exactly as on ASA1 (see step 3):
! the active unit uses 192.168.1.1 and the standby unit uses 192.168.1.2.
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
```
Verify: Run 'show failover' on both units. ASA1 should show 'This host: Primary - Active', ASA2 should show 'This host: Secondary - Standby'. The LAN interface should be up.
Watch out: The failover interface IP addresses must be on the same subnet and must not conflict with any other network. The standby IP is the address the standby unit uses on the failover link; enter the same 'failover interface ip' command on both units so the pair agrees on which address is active and which is standby.
Troubleshooting Stateful Failover Replication Errors
After a failover event, users report dropped connections. 'show failover' shows non-zero xerr or rerr counters.
Topology
Same as above.
Steps
1. Run 'show failover' and note the stateful update statistics.
2. Check the failover link status: 'show failover lan'.
3. Verify interface health: 'show failover interface'.
4. Check for configuration mismatch: 'show failover config-sync'.
5. If errors persist, consider restarting failover: 'failover reset' (on standby) or 'failover active' to force switchover.
! No configuration change needed; this is a troubleshooting scenario.
Verify: After corrective action, re-run 'show failover' and verify that xerr and rerr are zero and queue depths are low.
Watch out: Non-zero errors can also be caused by high CPU or memory on either unit. Check 'show cpu usage' and 'show memory'.
Troubleshooting with This Command
When troubleshooting failover issues on a Cisco ASA, the 'show failover' command is the starting point. Begin by checking the overall state: ensure one unit is Active and the other is Standby. If both show Active or both Standby, there is a communication problem. Verify the LAN failover interface status; if it is down, check the physical connection and configuration. The 'show failover lan' command provides more detail on the failover link IP and MAC addresses.

Next, examine the stateful update statistics. Non-zero 'xerr' (transmit errors) or 'rerr' (receive errors) indicate that state information is not being replicated correctly. This can lead to asymmetric routing or session loss after a failover. Check the queue depths; if the 'Cur' (current) queue size is consistently high, the replication link may be congested or the standby unit may be overwhelmed. Also, verify that the software versions match exactly; a mismatch will prevent failover from working.

Use 'show failover history' to see recent state transitions and their reasons. For example, repeated transitions between Active and Standby suggest a flapping issue, often due to interface flaps or misconfigured hold times. If the configuration is not synchronizing, use 'show failover config-sync' to see pending changes. In some cases, you may need to manually synchronize the configuration using 'write standby' on the active unit.

Finally, check the monitored interfaces with 'show failover interface'. If a critical interface goes down, it can trigger a failover. Ensure that the interface policy is set appropriately (e.g., 'failover interface-policy 1' means one interface failure triggers failover). If all else fails, consider resetting failover with 'failover reset' on the standby unit, but this will break the failover pair and require re-synchronization.
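The checks described in "Understanding the Output" and in the troubleshooting walkthrough above can be automated over captured CLI text. The following is an added example, not code from the page or from Cisco: it parses 'show failover' and 'show failover history' output (as you would capture it over SSH or from a log collector), reports the unhealthy conditions the page names (failover off, LAN link down, version mismatch, both units in the same state, non-zero xerr/rerr), and flags flapping when several transitions cluster in a short window. The sample outputs, the field names stored in the result dictionary, and the flapping thresholds (three transitions within five minutes) are all constructed for this example.

```python
"""Health checks over captured 'show failover' output (added example, not Cisco code)."""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the page's 'show failover' output; the mate
# version and the TCP conn rerr counter are deliberately unhealthy here.
SAMPLE_STATUS = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 9.12(4)9, Mate 9.12(4)7
Last Failover at: 03:45:12 UTC Mar 15 2023
        This host: Primary - Active
                Active time: 123456 (sec)
        Other host: Secondary - Standby
                Active time: 0 (sec)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         12345      0          23456      0
        sys cmd         67890      0          78901      0
        TCP conn        1000       0          2000       3
"""

# Constructed sample, modelled on the page's 'show failover history' output.
SAMPLE_HISTORY = """\
From State                 To State                     Reason
15:30:12 UTC Mar 15 2023
Standby Ready              Just Active                  No Active unit found
15:30:15 UTC Mar 15 2023
Active                     Standby Ready                Active unit found
15:30:18 UTC Mar 15 2023
Standby Ready              Active                       No Active unit found
"""

# One statistics row: object name followed by the four integer counters.
STAT_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
TS_FMT = "%H:%M:%S UTC %b %d %Y"


def parse_show_failover(text):
    """Extract the fields the health checks need from 'show failover' output."""
    info = {"failover_on": False, "lan_link_up": False, "versions": (None, None),
            "this_state": None, "other_state": None, "stats": {}}
    in_stats = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif line.startswith("Failover LAN Interface:"):
            info["lan_link_up"] = line.endswith("(up)")
        elif line.startswith("Version:"):
            m = re.match(r"Version: Ours (\S+), Mate (\S+)", line)
            info["versions"] = (m.group(1), m.group(2))
        elif line.startswith("This host:"):
            info["this_state"] = line.split(" - ")[-1]
        elif line.startswith("Other host:"):
            info["other_state"] = line.split(" - ")[-1]
        elif line.startswith("Stateful Failover Logical Update Statistics"):
            in_stats = True  # only rows after this header are counters
        elif in_stats:
            m = STAT_RE.match(line)
            if m:
                name, xmit, xerr, rcv, rerr = m.groups()
                info["stats"][name.strip()] = {"xmit": int(xmit), "xerr": int(xerr),
                                               "rcv": int(rcv), "rerr": int(rerr)}
    return info


def health_findings(info):
    """Return the list of unhealthy conditions the page describes (empty = healthy)."""
    findings = []
    if not info["failover_on"]:
        findings.append("failover is not enabled")
    if not info["lan_link_up"]:
        findings.append("failover LAN interface is down")
    ours, mate = info["versions"]
    if ours != mate:
        findings.append(f"software version mismatch: ours {ours}, mate {mate}")
    # Exactly one unit must be Active and the other Standby ('Standby Ready' counts).
    roles = sorted(s.split()[0] for s in (info["this_state"], info["other_state"]) if s)
    if roles != ["Active", "Standby"]:
        findings.append(f"unexpected unit states: {info['this_state']} / {info['other_state']}")
    for name, c in info["stats"].items():
        if c["xerr"] or c["rerr"]:
            findings.append(f"replication errors for {name}: xerr={c['xerr']} rerr={c['rerr']}")
    return findings


def parse_failover_history(text):
    """Return (timestamp, from_state, to_state, reason) tuples, oldest first."""
    events, pending_ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        try:
            pending_ts = datetime.strptime(line, TS_FMT)  # timestamp line
            continue
        except ValueError:
            pass
        if pending_ts is not None:  # the line after a timestamp holds the transition
            cols = re.split(r"\s{2,}", line)  # columns are separated by 2+ spaces
            if len(cols) == 3:
                events.append((pending_ts, *cols))
            pending_ts = None
    return events


def is_flapping(events, window=timedelta(minutes=5), threshold=3):
    """True if at least `threshold` transitions fall within any `window` (constructed limits)."""
    times = [e[0] for e in events]
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


if __name__ == "__main__":
    for finding in health_findings(parse_show_failover(SAMPLE_STATUS)):
        print("WARN:", finding)
    print("flapping:", is_flapping(parse_failover_history(SAMPLE_HISTORY)))
```

Run against the constructed sample, the checker reports the version mismatch and the TCP conn receive errors, and marks the history as flapping because three transitions occur within six seconds. In practice the same functions would be fed the output captured from both units, since the "This host"/"Other host" view is relative to whichever unit you are logged into.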
CCNA Exam Tips
Remember that the 'show failover' command is used to verify both the failover configuration and the operational state; it's the first command to troubleshoot failover issues.
Know that the 'Last Failover at' timestamp and the 'Active time' counters help identify recent failover events; a recent timestamp with low active time on the current active unit indicates a recent switchover.
Be aware that non-zero 'xerr' or 'rerr' in stateful update statistics indicate replication failures, which can cause asymmetric traffic or session loss after failover.
Common Mistakes
Mistaking 'Primary' and 'Secondary' for 'Active' and 'Standby'; the roles are fixed, but the state can change. A Primary unit can be Standby if it is not the active unit.
Ignoring the LAN failover interface status; if it is down, failover cannot function, but the command may still show 'Failover On'.
Assuming that matching versions guarantee compatibility; the command also checks for matching hardware and software revisions, which must be identical.
Platform Notes
On Cisco ASA, failover is a licensed feature and requires identical hardware models and software versions. The 'show failover' command output is similar across ASA versions, but newer versions (9.x and later) may include additional fields like 'Config Sync Status'.

In contrast, on Cisco IOS routers, failover is typically achieved through HSRP, VRRP, or GLBP, and the equivalent command is 'show standby' or 'show vrrp'. On ASA, the failover mechanism is proprietary and more tightly integrated with stateful inspection. Unlike IOS, ASA failover can replicate connection state, NAT translations, and VPN sessions. The 'show failover' command does not exist on IOS; instead, 'show redundancy' or 'show track' may be used.

On Cisco Firepower Threat Defense (FTD), failover is managed through the FMC or CLI with similar commands, but the output format differs slightly. For ASA versions prior to 8.4, the command syntax was the same, but some sub-options like 'config-sync' were introduced later. Always ensure that the failover configuration is saved with 'write memory' on both units, as the standby unit's configuration is overwritten by the active unit.