
Managing High Availability
The topics in this section describe configuring and managing failover, or High Availability, settings for
designated pairs of devices.
• About High Availability
• Configuring Devices for Failover
• Managing High Availability
About High Availability
Cisco High Availability (HA) enables network-wide protection by providing fast recovery from faults that
may occur in any part of the network. With Cisco High Availability, network hardware and software work
together and enable rapid recovery from disruptions to ensure fault transparency to users and network
applications.
In the context of this document, “high availability” is used more narrowly, usually referring to a pair of ASAs
or CX modules operating in failover mode. In fact, “failover” and “high availability” are used somewhat
interchangeably.
Configuring failover requires two identical ASAs connected to each other through a dedicated failover link
and, optionally, a state link. The health of the active unit and its interfaces is monitored to determine if specific
failover conditions are met. If those conditions are met, failover occurs.
Currently, PRSM supports only Active/Standby failover, where one unit is the active unit which passes traffic,
and the standby unit does not actively pass traffic. When failover occurs, the active unit fails over to the
standby unit, which then becomes active and begins passing traffic. You can use Active/Standby failover
for ASAs in single- or multiple-context mode.
Stateless and Stateful Failover
The ASA supports two types of failover, Stateless and Stateful.
With Stateless failover, when failover occurs, all active connections are dropped. Clients need to re-establish
connections when the new active unit takes over.
With Stateful Failover, the active unit continually passes per-connection state information to the standby unit.
When failover occurs, the same connection information is available on the new active unit. Supported end-user
applications are not required to reconnect to keep the same communication session.
User Guide for ASA CX and Cisco Prime Security Manager 9.3
OL-32018-01
Configuring Devices for Failover
Configuring high availability on ASA CX devices requires two identical units connected to each other through
a dedicated failover link, with one active unit passing traffic while the other unit waits in a standby state. The
health of the active unit and its interfaces is monitored to determine if specific failover conditions are met. If
those conditions are met, failover occurs and the standby unit begins processing traffic.
The following conditions must be met in order to configure two ASA CX devices for high availability:
• Both units must be the same model, have the same number and types of interfaces, and the same amount
of RAM installed.
• Both units must be operating in the same mode (routed or transparent, single or multiple context). They
must have the same major (first number) and minor (second number) software version.
• Each ASA CX must have the proper licenses.
You can use Cisco Prime Security Manager (PRSM) to manage and monitor pairs of ASA devices operating
in Active/Standby failover mode. These devices can optionally include CX devices, which will also fail over.
You also can manage CX modules as an HA pair if they reside in ASAs that are otherwise not supported,
such as those configured in multiple-context mode. Each HA pair is managed as a unit.
Pairing Devices for Failover
Before adding an ASA High Availability pair to the inventory in PRSM, you must configure the pair of
ASAs to operate together in failover mode. This is performed outside of PRSM; you can configure
Active/Standby failover on two devices using the Adaptive Security Device Manager (ASDM) or the
command-line interface (CLI):
• Using ASDM to configure the two devices is described in http://www.cisco.com/c/en/us/td/docs/security/
asa/asa91/asdm71/general/asdm_71_general_config/ha_failover.html.
• Using the CLI to configure the two devices is described in http://www.cisco.com/c/en/us/td/docs/security/
asa/asa91/configuration/general/asa_91_general_config/ha_failover.html.
Managing High Availability
The High Availability page displays the failover properties configured on the selected device (preferably the
active member of a failover pair), and lets you edit them.
Procedure
Step 1
To manage failover configuration for a specific device, select Configurations > Policies/Settings.
Step 2
Select the desired device: be sure Devices is chosen in the Policies/Settings view selector, and then select the
device you want to manage from the Devices list.
This must be a device configured as the active member of an Active/Standby failover pair.
Step 3
Click the High Availability tab to display the device’s High Availability page.
The device’s failover properties are presented in four sections: Basic Configuration, Criteria, MAC Addresses,
and Interfaces.
High Availability Configuration Properties
Step 4
Update the failover properties as necessary.
These properties are described in High Availability Configuration Properties.
Step 5
Click Save to save the updated properties to this device; the other, secondary device is updated automatically.
High Availability Configuration Properties
The failover, or High Availability (HA), properties assigned to a device that is a member of a designated
Active/Standby failover pair are displayed in four sections on the High Availability page.
The settings are the same for both devices, and can be viewed on the High Availability page for either.
However, we recommend updating HA properties on the High Availability page for the currently active
device.
Basic Configuration Properties
Expand this section to access the following basic failover configuration properties:
LAN Failover
The LAN failover settings are grouped at the top of the Basic Configuration section: Interface, Logical
Name, Active IP, Standby IP, and Subnet Mask.
Interface
This read-only field presents the name of the physical interface assigned for failover communications
during failover pair configuration. See How to Configure High Availability for more information.
Logical Name
The name assigned to the failover-link interface for identification.
Active IP
The active IP address assigned to the interface. The IP address can be either an IPv4 or an IPv6 address;
you cannot configure both types of addresses on the failover link interface.
Standby IP
The IP address used by the secondary unit to communicate with the primary unit. The IP address can
be an IPv4 or an IPv6 address.
Subnet Mask
Depending upon the type of address specified for the Active IP, this is a subnet mask (IPv4 addresses)
or a prefix length (IPv6 address) for the failover interface address. The name of the field changes
depending upon the type of address specified in the Active IP field.
Stateful Failover
These optional settings let you configure stateful failover: Interface, Logical Name, Active IP, Standby
IP, and Subnet Mask.
With the exception of the Interface field, these properties are identical to those described for the LAN
Failover section. In this section, you can choose an unused interface to be assigned for Stateful Failover
communications. If you choose the same interface specified in the LAN Failover section, the parameters
in this section are copied from the LAN Failover section and cannot be modified.
HTTP Replication
Turn On to allow Stateful Failover to copy active HTTP sessions to the standby firewall. If you do not
allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication
reduces the amount of traffic on the state link. However, enabling HTTP replication allows users to
browse, stream and download files freely without interruption during a failover.
Key Parameters
The Enable, Type and Key properties let you enable encryption of the communications on the failover
link.
• Enable – Turn On to enable encryption of communications over the link between the two HA
devices. If Off, failover communications, including any passwords or keys in the configuration
that are sent during command replication, will be in clear text.
• Type – Select ASCII or HEX to specify the encryption-key type.
• Key – Enter the key used to encrypt failover communications. If ASCII is the selected Type,
provide the shared secret string of up to 63 letters, numbers and punctuation. For HEX, provide
a 32-hexadecimal-character encryption string.
Criteria
The ASA sends “hello” packets out of each data interface to monitor interface health. The appliance also sends
hello messages across the failover link to monitor unit health. If the ASA does not receive a hello packet from
the corresponding interface on the peer unit for over half of the defined Hold time, then the additional interface
testing begins. If a hello packet or a successful test result is not received within that specified Hold time, the
interface is marked as failed. Failover occurs if the number of failed interfaces meets the specified Fail On
criterion.
Decreasing the poll and Hold times enables the ASA to detect and respond to interface failures more quickly,
but may consume more system resources. Increasing the poll and Hold times prevents the ASA from failing
over on networks with higher latency.
Expand this section to access and define the following failover criteria, which are organized into three
sections—Interface Criteria (Fail On); Poll Time (Unit Failover and Unit Hold Time); and Interface Poll
Time (Monitored Interfaces and Interface Hold Time):
Fail On
This value defines how many interfaces must fail on the active device in order to trigger failover; the
meaning of this number is specified by the Number/Percentage selection. If you select Number, the
Fail On value is the actual number of interfaces (from 1 to 250) that must fail to trigger failover. If you
select Percentage, this value is the percentage of total interfaces on the device that must fail.
Unit Failover
This value defines the time interval between hello messages sent between the two units. Specify a value
between 1 and 15 seconds, or between 200 and 999 milliseconds, depending on your choice in the
second/millisecond drop-down menu.
Unit Hold Time
This is the time during which a unit must receive a hello message on the failover link, or else the unit
begins the testing process for peer failure. The range is between 1 and 45 seconds, or between 800 and
999 milliseconds, depending on your choice in the second/millisecond drop-down menu. You cannot
enter a value that is less than three times the Unit Failover poll time.
Monitored Interfaces
The amount of time between interface polls. The range is between 1 and 15 seconds, or 500 to 999
milliseconds, depending on your choice in the second/millisecond drop-down menu.
Interface Hold Time
The time during which a data interface must receive a hello message from a peer; after this interval the
peer is declared failed. Valid values are from 5 to 75 seconds. This value must be at least five times
the Monitored Interfaces value.
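As an added example that is not PRSM or ASA code, the following Python encodes the ranges and cross-field constraints listed in this Criteria section so that a set of values can be sanity-checked before it is entered on the High Availability page, and derives from the description at the top of the section when interface testing begins and when an interface is marked failed. The FailoverCriteria field names, the helper names, and the 1 to 100 bound applied to the Percentage mode are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class FailoverCriteria:
    """Criteria section values. Poll and hold intervals are normalised to
    milliseconds; Interface Hold Time is accepted only in whole seconds."""
    fail_on: int           # Fail On value
    fail_on_mode: str      # "Number" or "Percentage"
    unit_poll_ms: int      # Unit Failover: hello interval on the failover link
    unit_hold_ms: int      # Unit Hold Time
    iface_poll_ms: int     # Monitored Interfaces: data-interface poll interval
    iface_hold_s: int      # Interface Hold Time, in seconds


def _check_interval(name, value_ms, ms_range, sec_range, problems):
    """Mirror the second/millisecond drop-down: a value under one second must
    sit inside the millisecond range, a value of one second or more must be a
    whole number of seconds inside the seconds range."""
    lo_ms, hi_ms = ms_range
    lo_s, hi_s = sec_range
    if value_ms < 1000:
        if not lo_ms <= value_ms <= hi_ms:
            problems.append(f"{name}: {value_ms} ms is outside {lo_ms}-{hi_ms} ms")
    elif value_ms % 1000 or not lo_s <= value_ms // 1000 <= hi_s:
        problems.append(f"{name}: {value_ms} ms is not a whole second in {lo_s}-{hi_s} s")


def validate_criteria(c):
    """Return a list of problems; an empty list means the values are acceptable."""
    problems = []
    if c.fail_on_mode == "Number":
        if not 1 <= c.fail_on <= 250:
            problems.append("Fail On: number of interfaces must be 1-250")
    elif c.fail_on_mode == "Percentage":
        # Assumed bound for this example: a percentage between 1 and 100.
        if not 1 <= c.fail_on <= 100:
            problems.append("Fail On: percentage must be 1-100")
    else:
        problems.append(f"Fail On: unknown mode {c.fail_on_mode!r}")

    _check_interval("Unit Failover", c.unit_poll_ms, (200, 999), (1, 15), problems)
    _check_interval("Unit Hold Time", c.unit_hold_ms, (800, 999), (1, 45), problems)
    _check_interval("Monitored Interfaces", c.iface_poll_ms, (500, 999), (1, 15), problems)
    if not 5 <= c.iface_hold_s <= 75:
        problems.append("Interface Hold Time: must be 5-75 s")

    # Cross-field constraints stated on the page.
    if c.unit_hold_ms < 3 * c.unit_poll_ms:
        problems.append("Unit Hold Time must be at least 3x the Unit Failover poll time")
    if c.iface_hold_s * 1000 < 5 * c.iface_poll_ms:
        problems.append("Interface Hold Time must be at least 5x the Monitored Interfaces poll time")
    return problems


def detection_timeline(c):
    """Milliseconds after the last hello at which each stage is reached:
    interface testing starts after half the Interface Hold Time, the interface
    is marked failed at the full hold time, and peer-failure testing starts
    once the Unit Hold Time passes without a hello on the failover link."""
    hold_ms = c.iface_hold_s * 1000
    return {
        "interface_testing_starts_ms": hold_ms // 2,
        "interface_marked_failed_ms": hold_ms,
        "peer_testing_starts_ms": c.unit_hold_ms,
    }


if __name__ == "__main__":
    # Constructed sample: aggressive timers that violate two of the rules above.
    fast = FailoverCriteria(fail_on=1, fail_on_mode="Number", unit_poll_ms=200,
                            unit_hold_ms=500, iface_poll_ms=500, iface_hold_s=5)
    for problem in validate_criteria(fast):
        print("reject:", problem)
    print(detection_timeline(fast))
```

The sample in the main block is rejected twice: 500 ms is below the 800 ms floor for Unit Hold Time, and it is also less than three times the 200 ms Unit Failover poll. Lowering these timers buys faster detection at the cost of spurious failover on a congested or high-latency link, which is the trade-off the section describes.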
MAC Addresses
You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct
MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify
virtual MAC addresses, the failover pair uses the burned-in NIC addresses as the MAC addresses.
Expand this section to access virtual MAC address assignments for unused physical interfaces.
Click the Add Interface MAC Address button to provide Active and Standby MAC addresses for a specific
physical interface. Select an existing interface/MAC address entry to edit or delete it—click the appropriate
button.
When adding an interface MAC address, choose the interface in the Physical Interface field. When adding
or editing an interface MAC address, provide an Active MAC Address and a Standby MAC Address.
Use the Active MAC Address field to manually assign a virtual MAC address to the interface. MAC addresses
are provided in H.H.H format, where each H is a 16-bit value written as four hexadecimal digits. For example, the MAC address
00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE. You must also provide a Standby MAC Address
for the interface.
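As an added example that is not part of PRSM or the ASA, this Python helper converts a MAC address written in any common notation into the H.H.H form that the Active and Standby MAC Address fields expect, and rejects values that are malformed or multicast. The function names and the requirement that the Active and Standby addresses differ are assumptions made for this example.

```python
import re

_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def to_hhh(mac):
    """Normalise 00-0C-F1-42-4C-DE, 00:0c:f1:42:4c:de, 000C.F142.4CDE or
    000CF1424CDE into H.H.H form (four hex digits per group). Raises
    ValueError for anything that is not exactly 12 hexadecimal digits."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_valid_mac(mac):
    """Boolean wrapper around to_hhh for callers that prefer not to catch."""
    try:
        to_hhh(mac)
        return True
    except ValueError:
        return False


def check_mac_pair(active, standby):
    """Validate the Active/Standby pair for one physical interface and return
    both in H.H.H form. Both must be unicast (I/G bit of the first octet clear)
    and, as an assumption of this example, distinct from each other."""
    normalised = (to_hhh(active), to_hhh(standby))
    for label, m in zip(("Active", "Standby"), normalised):
        if int(m[0:2], 16) & 0x01:
            raise ValueError(f"{label} MAC {m} is a multicast address")
    if normalised[0] == normalised[1]:
        raise ValueError("Active and Standby MAC addresses must differ")
    return normalised


if __name__ == "__main__":
    # The page's own example, plus a constructed standby address.
    print(check_mac_pair("00-0C-F1-42-4C-DE", "00:0c:f1:42:4c:df"))
```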
Interfaces
Expand this section to access a list of monitored interfaces. You can manually configure a standby IP address
for each monitored interface; this can be an IPv4 or an IPv6 address. You also can enable or disable health
monitoring for each individual interface: click True or False in the Monitored column.