CISCO ASA Firewall Commands Technical Guide (Final Part)

July 20, 2016 | Views: 2914

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Welcome to the final part of the CISCO ASA Firewall command line technical guides. Previous parts could be found on my profile page. If you want the full-packed version, you could download it from Research gate.

Configuring and enabling failover and redundancy on Cisco ASA

Ø  Active-standby failover

Ø  Active-active failover


Active-standby failover

This type of failover uses one ASA as the active player that handles all connections and translation operations while the other ASA considered as Standby player where it stays idle until the active player fails.  The two ASAs exchange state information about each other by forming a LAN failover link and stateful failover that enacts swapping connection information between the active and the standby ASA. When a failure occurs, the two ASAs swap their IP and MAC address information to keep translations and active connections on their values.

Now, on the main ASA that is going to be the active one, the following commands are typed:

               Failover lan unit primary

               Failover lan interface int_name  [physical_interface]

               Failover interface   ip   int_name    address_mask  standby ip_address

               Failover key  [ keystring]


               Failover link  stateful  int_name  [physical_int]

               Failover interface ip stateful  ip_addr   mask  standby  ip_addr

               Failover replication http

               No monitor-interface  management0/0

Note: The last command for preventing the monitoring operation to take place in the management interface.

On the secondary ASA, A failover interface must be configured through the following commands:

               Failover lan unit secondary

               Failover lan interface [int_name]   [physical_addr]

               Failover interface ip [int_name]  ip_addr   subnet_mask   standby  ip-addr

               Failover key  [keystring must be the same in the primary asa]


Active-active failover

Configuring this type requires that every failover link interface be inside a group failover, which will be attached to a security context.

On the primary ASA, the following commands would be typed:

               Failover lan unit primary

               Failover lan interface [int_name] [physical_addr]

               Failover interface ip [int_name]  ip_addr  subnet_mask  standby  ip_addr

               Failover key  [keystring]


               Failover group 1



               Replication http


               Failover group 2



               Replication http


               Failover link stateful  [ physical_interface]

               Failover interface ip stateful [ip_addr]  [subnet_mask ]  standby ip_addr

               Context [context_name]

               Allocate-interface  [int_name : ex; eth0/0.1]

               Allocate-interface [ int_name]

               Config-url  [specify url to store the config file, ex: disk0:/admin.cfg]

               Join-failover group 1


Note: Each interface designated by the security context must be configured for failover using the following command syntax:

               Ip address [ip_addr]  [ subnet_mask ]  standby  [ ip_addr]

On the secondary ASA, the following commands would be typed:

               Failover lan secondary

               Failover lan interface [ int_name] [ physical_name]

               Failover interface ip [ int_name] [ ip_addr] [ subnet_mask ] standby [ip_addr]

               Failover key [ keystring]

               Failover group 1



               Replication http


               Failover group 2



               Replication http




Configuring failover timers for effective detection of defect peers

Every peer sends hello packets to probe for the other peer’s health. Hello packets are sent in a time range called poll time and if the peer does not respond or the hello packets are not received, the hold timer will be triggered to count down the failure state of the peer. We can configure the poll timer and hold timer for optimum performance using the syntax below:

               Failover polltime [ 1-15 sec] holdtime [ 1-45 seconds ]

Note: The the holdtime must be three times the polltime.

Configuring the detection of asymmetric routing

Sometimes, the traffic leaves the active or standby ASA and then returns back from the outside to the other ASA’s peer interface causing it to be dropped because its has no entries in the state table of the peer ASA. This ASR group will get the peer ASA to create or rewrite the layer 2 OSI of the packet to redirect it to its relevant interface.

               Interface  [int_name]

               Asa-group  [number]


Administering and verifying the failover configuration

We can send command to be executed on the other peer asa using the following command:

               Failover exec  [ active | standby | mate ]  command_string

               Show failover

               [no] failover active

Note: The last two commands used to verify the configuration of failover and to force the active state or cancel it on peer ASA respectively.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Very informative. Great post

  2. thanks for these series of great technical knowledge…

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?