show failover state
Displays the current failover state and status of the ASA firewall in a failover pair.
Overview
The 'show failover state' command is a critical tool for monitoring and troubleshooting high-availability configurations on Cisco ASA firewalls. Failover allows two identical ASAs to operate as a pair, providing redundancy and stateful session failover. The command displays the current operational state of both units in the failover pair, including their roles (primary/secondary), active/standby status, and any failure reasons. It also shows the synchronization status of the configuration and the health of the failover communication link.
This command is typically used after a failover event to confirm which unit is active, or during routine checks to ensure the standby unit is ready. It fits into troubleshooting workflows when connectivity issues arise, as it can quickly reveal if a failover has occurred or if the failover link is down. On Cisco ASA, failover can be configured in Active/Standby or Active/Active mode (the latter only in multi-context mode). The 'show failover state' output adapts to the mode, showing context-specific information in Active/Active setups.
Platform-specific behavior includes the use of 'Primary' and 'Secondary' roles, which are determined by configuration. The command also shows 'Logical Update Group Information' for stateful and context updates, which is important for understanding how traffic and sessions are replicated. Understanding this output is essential for CCNP Security candidates and network engineers managing ASA failover deployments.
When to Use This Command
- Verify the failover state (active/standby) of the local and peer unit after a failover event.
- Check the health status of the failover link and stateful replication link.
- Monitor the logical device index and group assignment in a multi-context failover setup.
- Troubleshoot failover synchronization issues by reviewing the 'Last Failover' timestamp and reason.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| No parameters | show failover state | This command does not accept any parameters. It displays the failover state for the current context or system execution space. |
Command Examples
Normal Active/Standby Pair
```
show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
               (this unit is the Active unit)
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac address OK

Logical Update Group Information:
        Group    Members
        Context  this host, other host
        Stateful this host, other host

Last Failover at: 12:34:56 UTC Mar 15 2025
        This host: Secondary became Active
        Other host: Primary became Standby
```
This output shows a healthy failover pair. 'This host' is Primary and Active, 'Other host' is Secondary and Standby Ready. Configuration sync is 'Sync Done', communication state is 'Mac address OK'. The 'Last Failover' shows a previous event where the Secondary became Active.
Failover Link Down
```
show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
               (this unit is the Active unit)
Other host -   Secondary
               Failed         Communication Failure    12:34:56 UTC Mar 15 2025

====Configuration State===
        Sync Not Done
====Communication State===
        Mac address Mismatch

Logical Update Group Information:
        Group    Members
        Context  this host
        Stateful this host

Last Failover at: 12:34:56 UTC Mar 15 2025
        This host: Secondary became Active
        Other host: Primary became Standby
```
The other host is in 'Failed' state due to 'Communication Failure'. Configuration sync is 'Sync Not Done' and communication state shows 'Mac address Mismatch'. The logical update groups only list 'this host', indicating the peer is not reachable.
Understanding the Output
The 'show failover state' command output is divided into several sections.

The first section shows the state of 'This host' and 'Other host'. For each host, it displays the role (Primary/Secondary), current state (Active/Standby Ready/Failed), last failure reason, and timestamp. A healthy active unit shows 'Active' with 'None' for failure reason. A standby unit should show 'Standby Ready'. If the peer is in 'Failed' state, the failure reason (e.g., Communication Failure, Hardware Failure) helps identify the issue.

The next section, 'Configuration State', indicates whether the configuration is synchronized between the units. 'Sync Done' means configurations match; 'Sync Not Done' indicates a mismatch or sync failure.

'Communication State' shows the health of the failover link; 'Mac address OK' is normal, while 'Mac address Mismatch' or 'Link Down' indicates problems.

'Logical Update Group Information' lists the members of each update group (Context and Stateful). In a healthy pair, both hosts should be listed. If one host is missing, it may be unreachable.

The 'Last Failover at' timestamp and description provide history of the last failover event, including which unit became active and which became standby.
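The checks described above can be automated for routine monitoring: collect the command output (for example over SSH from a monitoring host) and turn each section into structured data, then flag any condition that the text calls unhealthy. The following is an added example written for this page; it is not Cisco code and not part of the original article. It parses the two sample outputs shown earlier (embedded here as constructed strings with the same values) and returns a list of findings: a unit in a state other than Active/Standby Ready, 'Sync Not Done', a bad communication state, or an update group that no longer lists the other host. The state names in `KNOWN_STATES` beyond those on this page are assumed from ASA output and only affect prefix matching.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Unit states the ASA can report; longest first so "Standby Ready" matches before "Standby".
# Names other than Active / Standby Ready / Failed are assumed, not taken from this page.
KNOWN_STATES = sorted(["Active", "Standby Ready", "Standby", "Failed", "Negotiation",
                       "Cold Standby", "Sync Config", "Bulk Sync"], key=len, reverse=True)
HOST_RE = re.compile(r"^(This|Other) host\s*-\s*(Primary|Secondary)\b")
# "<reason> [hh:mm:ss TZ Mon dd yyyy]"  ->  (reason, optional timestamp)
TIME_RE = re.compile(r"^(.*?)\s*(\d{2}:\d{2}:\d{2}\s+\S+\s+\w{3}\s+\d{1,2}\s+\d{4})?$")


@dataclass
class UnitState:
    role: str                    # Primary / Secondary
    state: str                   # Active, Standby Ready, Failed, ...
    last_failure_reason: str     # None, Communication Failure, ...
    failure_time: Optional[str]  # timestamp printed next to a failure reason


@dataclass
class FailoverState:
    units: Dict[str, UnitState] = field(default_factory=dict)   # keys "this" / "other"
    config_state: str = ""
    communication_state: str = ""
    groups: Dict[str, List[str]] = field(default_factory=dict)  # group name -> members
    last_failover_at: Optional[str] = None


def _split_state_line(text: str):
    """Split 'Failed Communication Failure 12:34:56 UTC Mar 15 2025' into state, reason, time."""
    for st in KNOWN_STATES:
        if text.startswith(st):
            m = TIME_RE.match(text[len(st):].strip())
            return st, (m.group(1).strip() or "None"), m.group(2)
    return text, "None", None


def parse_failover_state(output: str) -> FailoverState:
    fs = FailoverState()
    lines = [ln.strip() for ln in output.splitlines()]
    section, i = None, 0
    while i < len(lines):
        line = lines[i]
        m = HOST_RE.match(line)
        if m:  # the unit's state/reason/timestamp sits on the next non-empty line
            j = i + 1
            while j < len(lines) and not lines[j]:
                j += 1
            st, reason, ts = _split_state_line(lines[j]) if j < len(lines) else ("", "None", None)
            fs.units[m.group(1).lower()] = UnitState(m.group(2), st, reason, ts)
            i = j + 1
            continue
        if line.startswith("====Configuration State"):
            section = "config"
        elif line.startswith("====Communication State"):
            section = "comm"
        elif line.startswith("Logical Update Group Information"):
            section = "groups"
        elif line.startswith("Last Failover at:"):
            fs.last_failover_at, section = line.split(":", 1)[1].strip(), None
        elif line and section == "config":
            fs.config_state, section = line, None
        elif line and section == "comm":
            fs.communication_state, section = line, None
        elif line and section == "groups":
            name, _, members = line.partition(" ")
            if name != "Group":  # skip the "Group Members" column header
                fs.groups[name] = [x.strip() for x in members.split(",") if x.strip()]
        i += 1
    return fs


def assess(fs: FailoverState) -> List[str]:
    """Return the problems found; an empty list means the pair looks healthy."""
    findings = []
    for which, u in fs.units.items():
        if u.state not in ("Active", "Standby Ready"):
            when = f" at {u.failure_time}" if u.failure_time else ""
            findings.append(f"{which} host ({u.role}) is '{u.state}': {u.last_failure_reason}{when}")
    if not any(u.state == "Active" for u in fs.units.values()):
        findings.append("no unit reports Active")
    if fs.config_state != "Sync Done":
        findings.append(f"configuration state is '{fs.config_state}'")
    if any(bad in fs.communication_state for bad in ("Mismatch", "Down", "Failure")):
        findings.append(f"communication state is '{fs.communication_state}'")
    for name, members in fs.groups.items():
        if "other host" not in members:
            findings.append(f"{name} update group is missing the other host")
    return findings


# Constructed sample, laid out like the healthy output shown on this page.
HEALTHY_OUTPUT = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac address OK

Logical Update Group Information:
        Group    Members
        Context  this host, other host
        Stateful this host, other host

Last Failover at: 12:34:56 UTC Mar 15 2025
        This host: Secondary became Active
        Other host: Primary became Standby
"""
# Constructed sample derived from the page's "Failover Link Down" output.
LINK_DOWN_OUTPUT = (HEALTHY_OUTPUT
    .replace("Standby Ready  None", "Failed         Communication Failure 12:34:56 UTC Mar 15 2025")
    .replace("Sync Done", "Sync Not Done").replace("Mac address OK", "Mac address Mismatch")
    .replace("this host, other host", "this host"))

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_OUTPUT), ("link down", LINK_DOWN_OUTPUT)):
        print(label, assess(parse_failover_state(text)) or ["OK"])
```

The communication-state check looks for known-bad keywords rather than requiring an exact 'Mac address OK' string, because the wording of that line varies between ASA releases; the configuration-state check is strict, since anything other than 'Sync Done' means the standby unit cannot be trusted to take over with the current policy.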
Configuration Scenarios
Basic Active/Standby Failover Setup
Two ASA 5500-X firewalls configured as a failover pair in Active/Standby mode.
Topology
```
Internet --- ASA1 (Active) --- Inside Network
                 |
                 | (failover link)
                 |
             ASA2 (Standby)
```
Steps
1. Configure failover on both units: 'failover lan unit primary' on ASA1, 'failover lan unit secondary' on ASA2.
2. Set up the failover interface: 'failover lan interface failover GigabitEthernet0/3'.
3. Assign the failover IP addresses: 'failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2'.
4. Enable stateful failover: 'failover link stateful GigabitEthernet0/4'.
5. Verify with 'show failover state'.
```
! ASA1 (Primary)
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover link stateful GigabitEthernet0/4
failover interface ip stateful 10.0.1.1 255.255.255.0 standby 10.0.1.2
! the failover and stateful interfaces must be enabled
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
! enable failover last, once the links are defined
failover

! ASA2 (Secondary)
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
! the address commands are identical on both units; the active and
! standby addresses are not swapped, the unit takes the address that
! matches its role
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover link stateful GigabitEthernet0/4
failover interface ip stateful 10.0.1.1 255.255.255.0 standby 10.0.1.2
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
failover
```
Verify: Run 'show failover state' on both units. ASA1 should show 'Active', ASA2 'Standby Ready'. Configuration state should be 'Sync Done'.
Watch out: Ensure the failover and stateful interfaces are on the same VLAN and directly connected; otherwise, communication may fail.
Troubleshooting with This Command
When troubleshooting failover issues, start with 'show failover state' to determine the current state of each unit. If the standby unit shows 'Failed', note the failure reason. Common reasons include 'Communication Failure' (failover link down), 'Hardware Failure', or 'Configuration Mismatch'. Check the failover link interface status with 'show interface failover' and ensure the link is up. If the configuration state shows 'Sync Not Done', compare the running configurations with 'show running-config' on both units; they must match exactly except for failover-specific IPs. Use 'debug failover' to see real-time failover events. If the logical update groups are missing a host, verify IP connectivity between the failover interfaces. In multi-context mode, ensure you are in the correct context; use 'changeto context <name>' to check each context's failover state. Also, check the system log for failover-related messages with 'show log | include failover'. If stateful failover is not working, verify the stateful link and that the 'failover link stateful' command is configured. Finally, if the active unit fails over unexpectedly, review the 'Last Failover' reason and timestamp to identify the trigger.
CCNA Exam Tips
Remember that 'show failover state' is the go-to command for verifying the current failover status; it's more concise than 'show failover'.
Know that 'Standby Ready' is the expected state for the standby unit; any other state indicates a problem.
Be aware that in multi-context mode, the output includes context-specific information; you may need to check within each context.
Common Mistakes
Confusing 'show failover' with 'show failover state' – the latter is more focused on state and health.
Assuming 'Sync Done' means all data is synchronized; it only indicates configuration sync, not stateful session sync.
Ignoring the 'Last Failure Reason' field; it often points directly to the root cause of failover issues.
Platform Notes
On Cisco ASA, the 'show failover state' command is available in all software versions that support failover. It differs from the 'show failover' command, which provides more detailed information including interface status and replication statistics. The output format is consistent across ASA models, but in multi-context mode, the command must be executed within each context to see context-specific failover state. On Cisco IOS routers with HSRP or VRRP, similar state information is obtained via 'show standby' or 'show vrrp', but those protocols are not equivalent to ASA failover. On Firepower Threat Defense (FTD), the equivalent command is 'show failover' in the FTD CLI, but the output is different. For ASA version 9.x and later, the command output includes the 'Logical Update Group Information' section, which is important for understanding stateful replication groups. Always ensure that both units run the same ASA software version to avoid compatibility issues.