
show failover

Displays the current failover status and configuration of the ASA firewall pair.

Overview

The 'show failover' command is a fundamental diagnostic tool for Cisco ASA Firewalls configured in a failover pair. Failover provides high availability by allowing one ASA to take over traffic processing if the other fails. This command displays the current failover state, configuration details, and health metrics. It is used to verify that both units are communicating properly, that state replication is functioning, and to identify any issues that could prevent a seamless switchover.

The concept behind failover is active/standby or active/active redundancy. In active/standby, one unit handles all traffic while the other remains ready to take over. The 'show failover' command shows which unit is active and which is standby, along with the role (primary/secondary) that determines which unit becomes active after a reboot. The command also reports the status of the failover link (LAN-based or serial), which is used for heartbeat and state replication.

On Cisco ASA, failover requires identical hardware and software versions. The command output includes version information to verify compatibility. The 'show failover' command is typically the first step in troubleshooting failover issues. It can reveal problems such as mismatched configurations, link failures, or replication errors. It is also used during initial setup to confirm that the failover pair is operating correctly. The command has several sub-options like 'state', 'history', and 'interface' for more detailed views, but the basic command provides a comprehensive summary.

Syntax (Privileged EXEC)
show failover [state | history | lan | interface | group [group-id] | config-sync | exec | reload-standby | recovery | reset | active | primary | secondary]

When to Use This Command

  • Verify the failover state (active/standby) of the local and peer units.
  • Check the health of failover links and interfaces for monitoring.
  • Review failover history to understand recent state changes or failures.
  • Confirm configuration replication status between failover peers.

Parameters

state (show failover state)
    Displays the current failover state of the local unit and peer, including the reason for the current state. Useful for quick state verification.

history (show failover history)
    Shows a log of failover state transitions with timestamps and reasons. Helps in understanding the sequence of events leading to the current state.

lan (show failover lan)
    Displays details about the LAN failover interface, including IP addresses, MAC addresses, and link status. Used to troubleshoot LAN-based failover communication.

interface (show failover interface)
    Shows the status of all monitored interfaces from a failover perspective, including their current state and any failures. Critical for understanding interface-based failover triggers.

group [group-id] (show failover group [group-id])
    Displays failover status for a specific failover group in active/active mode. The group-id is a number from 1 to 2. Shows which unit is active for that group.

config-sync (show failover config-sync)
    Shows the status of configuration synchronization between the two units, including any pending changes or errors. Useful for verifying that configurations are identical.

exec (show failover exec)
    Displays the failover execution state, including the current state machine and any pending actions. Typically used for advanced troubleshooting.

reload-standby (show failover reload-standby)
    Shows the status of a pending reload of the standby unit. Used when the 'failover reload-standby' command has been issued.

recovery (show failover recovery)
    Displays the failover recovery state, including the time remaining before the unit attempts to become active after a failure. Used in troubleshooting recovery scenarios.

reset (show failover reset)
    Shows the failover reset state, typically used when a failover reset has been initiated. Not commonly used.

active (show failover active)
    Displays the active unit's details. Equivalent to 'show failover' but focused on the active unit's perspective.

primary (show failover primary)
    Displays the primary unit's details. Equivalent to 'show failover' but focused on the primary unit's perspective.

secondary (show failover secondary)
    Displays the secondary unit's details. Equivalent to 'show failover' but focused on the secondary unit's perspective.

Command Examples

Basic Failover Status

show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum

Version: Ours 9.12(4)9, Mate 9.12(4)9
Last Failover at: 03:45:12 UTC Mar 15 2023
    This host: Primary - Active
        Active time: 123456 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.12(4)9) status (Up/Active)
    Other host: Secondary - Standby
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.12(4)9) status (Up/Standby)

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         12345      0          23456      0
        sys cmd         67890      0          78901      0
        up time dup     0          0          0          0
        ...
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       5       12345
        Xmit Q:         0       3       67890

The output shows that the local unit is Primary and Active and the peer is Secondary and Standby. The failover LAN interface is up and the versions match. Stateful update statistics show no errors (xerr and rerr are 0), and queue depths are low, indicating healthy replication.

Failover History

show failover history
From state          To state            Reason
15:30:12 UTC Mar 15 2023
Standby Ready       Just Active         No Active unit found
15:30:15 UTC Mar 15 2023
Active              Standby Ready       Active unit found
15:30:18 UTC Mar 15 2023
Standby Ready       Active              No Active unit found

This shows recent state transitions. The unit became Active because no Active unit was found, then switched to Standby when the peer became Active, then back to Active. This indicates a flapping issue.
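Flap detection over the history format above, as an added Python example that is not part of the original page: it parses a constructed sample in the same layout (timestamp line, then From/To/Reason line) and reports any window in which more than a set number of transitions occurred. The window size and transition threshold are assumed values, not ASA settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of 'show failover history' shown above:
# a timestamp line, then a line with the From state, To state and Reason.
HISTORY = """\
From state          To state            Reason
15:30:12 UTC Mar 15 2023
Standby Ready       Just Active         No Active unit found
15:30:15 UTC Mar 15 2023
Active              Standby Ready       Active unit found
15:30:18 UTC Mar 15 2023
Standby Ready       Active              No Active unit found
"""


def parse_history(text):
    """Return a list of (timestamp, from_state, to_state, reason) tuples."""
    events, ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        try:
            ts = datetime.strptime(line, "%H:%M:%S UTC %b %d %Y")
            continue
        except ValueError:
            pass
        # The three columns are separated by runs of two or more spaces;
        # state names themselves contain at most single spaces.
        parts = re.split(r"\s{2,}", line)
        if ts is not None and len(parts) == 3:
            events.append((ts, parts[0], parts[1], parts[2]))
            ts = None
    return events


def flap_windows(events, window=timedelta(minutes=5), max_transitions=2):
    """Return start times of windows holding more than max_transitions changes.

    An empty list means no flapping under these thresholds (the thresholds
    are assumptions for this example, not ASA defaults).
    """
    times = [e[0] for e in events]
    hits = []
    for i, start in enumerate(times):
        inside = [t for t in times[i:] if t - start <= window]
        if len(inside) > max_transitions:
            hits.append(start)
    return hits


def became_active(events):
    """Count takeovers, including the transient 'Just Active' state."""
    return sum(1 for _ts, _frm, to, _why in events if to in ("Active", "Just Active"))
```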

Understanding the Output

The 'show failover' output is divided into several sections. The first lines show the failover configuration: whether failover is enabled, the unit's role (Primary/Secondary), and the current state (Active/Standby). The LAN failover interface status is critical; if it is down, failover communication is broken. Poll frequencies and holdtimes determine how quickly a failure is detected. The 'Monitored Interfaces' count shows how many interfaces are being tracked for failover; if an interface goes down, it may trigger a failover.

The next section compares software versions between the two units; they must match for failover to work. The 'Last Failover at' timestamp indicates when the last state change occurred. The 'This host' and 'Other host' blocks show the role and state of each unit, along with hardware/software revision and status. The 'Active time' shows how long each unit has been active; a non-zero value for the standby indicates it was active previously.

The 'Stateful Failover Logical Update Statistics' section shows the health of state replication. The 'xmit' and 'rcv' counters should be increasing, while 'xerr' and 'rerr' should be zero. Non-zero errors indicate replication problems. The 'Logical Update Queue Information' shows current queue depths; high values suggest congestion or failure. Healthy values are low (e.g., Cur near 0).
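The health checks described above, as an added Python example that is not part of the original page: it parses a constructed, trimmed 'show failover' sample and flags the conditions the text calls out (failover off, LAN link down, version mismatch, not exactly one Active and one Standby unit, non-zero xerr/rerr, queue backlog). The field names in the returned dict and the queue threshold are assumptions for this example.

```python
import re

# Constructed sample, trimmed from the 'show failover' excerpt on this page.
SAMPLE = """\
Failover On
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Version: Ours 9.12(4)9, Mate 9.12(4)9
    This host: Primary - Active
    Other host: Secondary - Standby
        Stateful Obj    xmit       xerr       rcv        rerr
        General         12345      0          23456      0
        sys cmd         67890      0          78901      0
        Recv Q:         0       5       12345
        Xmit Q:         0       3       67890
"""

def parse_failover(text):
    """Pull the health-relevant fields out of 'show failover' output."""
    info = {"enabled": "Failover On" in text, "xerr": 0, "rerr": 0}
    m = re.search(r"Failover LAN Interface: \S+ \S+ \((\w+)\)", text)
    info["lan_link"] = m.group(1) if m else None
    m = re.search(r"Version: Ours (\S+), Mate (\S+)", text)
    info["versions"] = (m.group(1), m.group(2)) if m else (None, None)
    info["states"] = re.findall(r"(?:This|Other) host: \w+ - (\w+)", text)
    # Stateful object rows: name (may contain spaces), xmit, xerr, rcv, rerr.
    rows = re.findall(r"^\s+([A-Za-z][\w ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", text, re.M)
    for _name, _xmit, xerr, _rcv, rerr in rows:
        info["xerr"] += int(xerr)
        info["rerr"] += int(rerr)
    # Current depth of the Recv/Xmit logical update queues.
    info["queues"] = {q: int(cur) for q, cur in re.findall(r"(\w+) Q:\s+(\d+)", text)}
    return info

def failover_problems(info, queue_limit=10):
    """Return the findings a practitioner would raise from the parsed output."""
    problems = []
    if not info["enabled"]:
        problems.append("failover is off")
    if info["lan_link"] != "up":
        problems.append("failover LAN link is not up")
    if info["versions"][0] != info["versions"][1]:
        problems.append("software version mismatch: %s vs %s" % info["versions"])
    if sorted(info["states"]) != ["Active", "Standby"]:
        problems.append("expected one Active and one Standby unit, got %s" % info["states"])
    if info["xerr"] or info["rerr"]:
        problems.append("stateful replication errors: xerr=%d rerr=%d" % (info["xerr"], info["rerr"]))
    if any(cur > queue_limit for cur in info["queues"].values()):
        problems.append("logical update queue backlog: %s" % info["queues"])
    return problems
```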

Configuration Scenarios

Basic Active/Standby Failover Setup

Two ASA 5525-X firewalls are configured for active/standby failover. The LAN failover interface is GigabitEthernet0/3, and the stateful failover link is also on the same interface.

Topology

Internet --- ASA1 (Active) --- Inside Network
                 |
         LAN failover link
                 |
Internet --- ASA2 (Standby) --- Inside Network

Steps

  1. Configure failover on both units: 'failover lan unit primary' on ASA1, 'failover lan unit secondary' on ASA2.
  2. Set the LAN failover interface: 'failover lan interface FAILOVER GigabitEthernet0/3'.
  3. Assign IP addresses for the failover link: 'failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2'.
  4. Enable failover: 'failover'.
  5. Verify with 'show failover'.

Configuration

! On ASA1 (Primary)
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover

! On ASA2 (Secondary): the failover interface ip command is entered exactly as
! on the primary; the secondary unit takes the standby address 192.168.1.2.
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover

Verify: Run 'show failover' on both units. ASA1 should show 'This host: Primary - Active', ASA2 should show 'This host: Secondary - Standby'. The LAN interface should be up.

Watch out: The failover interface IP addresses must be on the same subnet and not conflict with any other network. Also, the standby IP is the IP the peer uses; it must be configured consistently.

Troubleshooting Stateful Failover Replication Errors

After a failover event, users report dropped connections. 'show failover' shows non-zero xerr or rerr counters.

Topology

Same as above.

Steps

  1. Run 'show failover' and note the stateful update statistics.
  2. Check the failover link status: 'show failover lan'.
  3. Verify interface health: 'show failover interface'.
  4. Check for configuration mismatch: 'show failover config-sync'.
  5. If errors persist, consider restarting failover: 'failover reset' (on standby) or 'failover active' to force switchover.

Configuration

! No configuration change needed; this is a troubleshooting scenario.

Verify: After corrective action, re-run 'show failover' and verify that xerr and rerr are zero and queue depths are low.

Watch out: Non-zero errors can also be caused by high CPU or memory on either unit. Check 'show cpu usage' and 'show memory'.

Troubleshooting with This Command

When troubleshooting failover issues on a Cisco ASA, the 'show failover' command is the starting point. Begin by checking the overall state: ensure one unit is Active and the other is Standby. If both show Active or both Standby, there is a communication problem. Verify the LAN failover interface status; if it is down, check the physical connection and configuration. The 'show failover lan' command provides more detail on the failover link IP and MAC addresses.

Next, examine the stateful update statistics. Non-zero 'xerr' (transmit errors) or 'rerr' (receive errors) indicate that state information is not being replicated correctly. This can lead to asymmetric routing or session loss after a failover. Check the queue depths; if the 'Cur' (current) queue size is consistently high, the replication link may be congested or the standby unit may be overwhelmed.

Also, verify that the software versions match exactly; a mismatch will prevent failover from working. Use 'show failover history' to see recent state transitions and their reasons. For example, repeated transitions between Active and Standby suggest a flapping issue, often due to interface flaps or misconfigured hold times. If the configuration is not synchronizing, use 'show failover config-sync' to see pending changes. In some cases, you may need to manually synchronize the configuration using 'write standby' on the active unit.

Finally, check the monitored interfaces with 'show failover interface'. If a critical interface goes down, it can trigger a failover. Ensure that the interface policy is set appropriately (e.g., 'failover interface-policy 1' means one interface failure triggers failover). If all else fails, consider resetting failover with 'failover reset' on the standby unit, but this will break the failover pair and require re-synchronization.

CCNA Exam Tips

  1. Remember that the 'show failover' command is used to verify both the failover configuration and the operational state; it's the first command to troubleshoot failover issues.
  2. Know that the 'Last Failover at' timestamp and the 'Active time' counters help identify recent failover events; a recent timestamp with low active time on the current active unit indicates a recent switchover.
  3. Be aware that non-zero 'xerr' or 'rerr' in stateful update statistics indicate replication failures, which can cause asymmetric traffic or session loss after failover.

Common Mistakes

Mistaking 'Primary' and 'Secondary' for 'Active' and 'Standby'; the roles are fixed, but the state can change. A Primary unit can be Standby if it is not the active unit.

Ignoring the LAN failover interface status; if it is down, failover cannot function, but the command may still show 'Failover On'.

Assuming that matching versions guarantee compatibility; the command also checks for matching hardware and software revisions, which must be identical.

Platform Notes

On Cisco ASA, failover is a licensed feature and requires identical hardware models and software versions. The 'show failover' command output is similar across ASA versions, but newer versions (9.x and later) may include additional fields like 'Config Sync Status'.

In contrast, on Cisco IOS routers, failover is typically achieved through HSRP, VRRP, or GLBP, and the equivalent command is 'show standby' or 'show vrrp'. On ASA, the failover mechanism is proprietary and more tightly integrated with stateful inspection. Unlike IOS, ASA failover can replicate connection state, NAT translations, and VPN sessions. The 'show failover' command does not exist on IOS; instead, 'show redundancy' or 'show track' may be used.

On Cisco Firepower Threat Defense (FTD), failover is managed through the FMC or CLI with similar commands, but the output format differs slightly. For ASA versions prior to 8.4, the command syntax was the same, but some sub-options like 'config-sync' were introduced later. Always ensure that the failover configuration is saved with 'write memory' on both units, as the standby unit's configuration is overwritten by the active unit.
