Troubleshooting Failover on the ASA

When troubleshooting failover on an ASA, there are a couple of spots to pay attention to. However, we first need to understand how failover works. This post will cover active/passive (active/standby) failover only. There are no hidden dependencies in failover, such as the lowest MAC address becoming active; it is all about the configuration. Here's a config I use-

On the ASA I want as PRIMARY

On the ASA I want as SECONDARY

The terminology is important here. When we set one unit to primary, it is always primary. The roles of primary and secondary never change! What does change is their role of Active and Standby. The Active unit is the firewall currently performing firewall duties; the Standby unit is waiting to take over if something happens to the Active unit. It's also important to note that failover is not preemptive. If you have an outage and afterwards want a certain firewall to be active, you must set it that way yourself.

The first command in troubleshooting is show failover. It shows us the failover status, the roles, and which unit currently holds each one.

First check that the failover interface is up (see the yellow highlighted text). Next we check which firewall is active. In the example above the Primary firewall is active. When everything is working properly this is how it should look. Now let's look at a firewall pair that has failed over to the Secondary firewall.

We can see that the Secondary firewall is now acting as the active firewall. Let's investigate and see why. That takes us to our second troubleshooting command, show failover history.

In this particular case the service card (Sourcefire) failed, which triggered a failover event. These are really the only two commands you need for troubleshooting. You may have noticed that none of the interfaces on this failover pair are being monitored (monitored interfaces are triggers for failover). The Primary and Secondary ASAs both plug into the same single physical switch. Since they do, there is no point in monitoring those interfaces, and in fact it's best if you don't: a switch problem takes the monitored interfaces down on both units at once, so you end up with both firewalls wanting to be standby! One last thing... let's fail back so the Primary ASA is also the Active unit. We do that with the "no failover active" command, entered on the currently active (Secondary) unit. The command may seem backwards, but remember it like this: you are on the active ASA and you do not want this ASA to be active, so instead of setting it to active, you "no" the command, meaning "I do not want this ASA to be the active firewall." The equivalent from the other side is "failover active" on the standby unit; either way, the change is immediate, so do it in a maintenance window.
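The following is an added example of a minimal active/standby failover configuration that matches what is described above; it is not the author's config from this post. The interface names (GigabitEthernet0/7 as the failover link, the "FOVER" name, the 10.255.255.0/30 link addresses, the inside/outside data interfaces and their addresses) and the failover key are all assumptions chosen for illustration.

```cisco
! ===== Primary unit =====
! Data interfaces need a standby address so the Standby unit can be reached
! and so the addresses swap on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248 standby 192.0.2.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
! The failover link itself gets no nameif; just bring it up.
interface GigabitEthernet0/7
 no shutdown
!
! Roles: primary/secondary never change; active/standby does.
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/7
failover link FOVER GigabitEthernet0/7
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Assumed key. Without a failover key, config replication (including
! passwords) and state traffic cross the failover link in cleartext.
failover key FoverSharedSecret
! Both units hang off one switch, so do not monitor the data interfaces;
! otherwise a switch fault fails both units at once.
no monitor-interface outside
no monitor-interface inside
! Enable failover last, after the link is fully configured.
failover

! ===== Secondary unit =====
! Only the failover link needs to be configured here; the rest of the
! running config is replicated from the Active unit once failover is enabled.
interface GigabitEthernet0/7
 no shutdown
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/7
failover link FOVER GigabitEthernet0/7
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FoverSharedSecret
failover

! ===== Verifying and failing back =====
! show failover            -> failover link "(up)", "This host: Primary - Active"
! show failover history    -> reason for the last state change
! On the unit that is currently Active but should not be:
! no failover active
! or, on the unit that is Standby but should be Active:
! failover active
```

Because failover is not preemptive, the Primary will stay Standby after it recovers until one of the last two commands is run; "show failover" will keep reporting "Secondary - Active" until then.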

Here is the full config for failover-
