Understanding Failover
Failover lets you configure two identical security appliances such that one will take over firewall operations if the other fails. Using a pair of security appliances, you can provide high system availability without operator intervention.
The linked security appliances communicate failover information over a dedicated link. This failover link can be either a LAN-based connection or, on PIX security appliances, a dedicated serial failover cable. The following information is communicated over the failover link:
- Current failover state (active or standby)
- “Hello” messages (also called “keep-alives”)
- Network link status
- MAC address exchange
- Configuration replication
- Per-connection state information, in the case of Stateful failover
Caution: All information sent over the failover link is sent in clear text unless you secure the communication with a failover key. If the security appliance is used to terminate VPN tunnels, this information includes any user names, passwords, and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing failover communications with a failover key, particularly if you are using the security appliance to terminate VPN tunnels.
Cisco security appliances support two types of failover:
- Active/Standby – The active security appliance inspects all network traffic, while the standby security appliance remains idle until a failure occurs on the active appliance. Changes to the configuration of the active security appliance are transmitted over the failover link to the standby security appliance.
  When failover occurs, the standby security appliance becomes the active unit, and it assumes the IP and MAC addresses of the previously active unit. Because other devices on the network do not see any changes in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network.
  Active/Standby failover is available to security appliances operating in single- or multiple-context mode. In single-context mode, only Active/Standby failover is available, and all failover configuration is by means of the Failover page.
  Note: When using Active/Standby failover, you must make all configuration changes on the active unit. The active unit automatically replicates the changes to the standby unit. The standby unit should not be imported or added to the Security Manager device list. Also, you must manually copy the authentication certificate from the active device to the standby device. See Additional Steps for an Active/Standby Failover Configuration for additional information.
- Active/Active – Both security appliances inspect network traffic by alternating their roles—such that one is active and one is standby—on a per-context basis. This means Active/Active failover is available only on security appliances operating in multiple-context mode.
  However, Active/Active failover is not required in multiple-context mode. That is, on a device operating in multiple-context mode, you can configure either Active/Standby or Active/Active failover. In either case, you provide system-level failover settings in the system context, and context-level failover settings in the individual security contexts.
  See Active/Active Failover for additional information about this topic.
In addition, failover can be stateless or stateful:
- Stateless – Also referred to as “regular” failover. With stateless failover, all active connections are dropped when failover occurs. Clients need to re-establish connections when the new active unit takes over.
- Stateful – The active unit in the failover pair continually passes per-connection state information to the standby unit. When failover occurs, the same connection information is available on the new active unit. Supported end-user applications are not required to reconnect to maintain the current communication session.
See Stateful Failover for more information.
Active/Active Failover
Active/Active failover is available only on security appliances operating in multiple-context mode. In an Active/Active failover configuration, both security appliances inspect network traffic, on a per-context basis. That is, for each context, one of the appliances is the active device, while the other is the standby device.
The active and standby roles are assigned over the complete set of security contexts, more or less arbitrarily.
To enable Active/Active failover on the security appliance, you must assign the security contexts to one of two failover groups. A failover group is simply a logical group of one or more security contexts. You should specify failover group assignments on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.
As in Active/Standby failover, each unit in an Active/Active failover pair is given a primary or secondary designation. Unlike Active/Standby failover, this designation does not indicate which unit is active when both units start simultaneously. Each failover group in the configuration is given a primary or secondary role preference. This preference determines the unit on which the contexts in the failover group appear in the active state when both units start simultaneously. You can have both failover groups be in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.
Note: To reliably manage security contexts in Active/Active failover mode, Cisco Security Manager requires an IP address for the management interface of each context so that it can communicate directly with the active security context of a failover pair.
Initial configuration synchronization occurs when one or both units start. This synchronization occurs as follows:
- When both units start simultaneously, the configuration is synchronized from the primary unit to the secondary unit.
- When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.
After both units are running, commands are replicated from one unit to the other as follows:
- Commands entered within a security context are replicated from the unit on which the security context is in the active state to the peer unit.
  Note: A context is considered in the active state on a unit if the failover group to which it belongs is in the active state on that unit.
- Commands entered in the system execution space are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
- Commands entered in the admin context are replicated from the unit on which failover group 1 is in the active state to the unit on which failover group 1 is in the standby state.
Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to be out of synchronization. Those changes may be lost the next time the initial configuration synchronization occurs.
Note: When bootstrapping the peer devices in an Active/Active failover configuration, the bootstrap configurations are applied only to the system contexts of the respective failover peer devices.
In an Active/Active failover configuration, failover occurs on a failover group basis, not a system basis. For example, if you designate both failover groups as active on the primary unit, and failover group 1 fails, failover group 2 remains active on the primary unit, while failover group 1 becomes active on the secondary unit.
Note: When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
Stateful Failover
Note: Stateful failover is not supported on the ASA 5505 appliance.
When stateful failover is enabled, the active unit in the failover pair continually updates the current connection-state information on the standby unit. When failover occurs, supported end-user applications are not required to reconnect to maintain the current communication session.
Note: The IP and MAC addresses for the state and LAN failover links do not change at failover.
To employ stateful failover, you must configure a link to pass all state information to the standby unit. If you are using a LAN failover connection rather than the serial failover interface (which is available only on the PIX platform), you can use the same interface for the state link and the failover link. However, we recommend that you use a dedicated interface for passing state information to the standby unit.
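The settings described in Active/Active Failover and in the paragraph above, written out as the equivalent ASA CLI configuration for the system execution space of the primary unit: a LAN failover link, a separate dedicated state link, a failover key so that the replicated configuration and connection state do not cross the link in clear text, HTTP replication, and two failover groups with opposite role preferences so that each unit is active for one group. This is an added example, not configuration taken from the page or from Cisco; the interface names, addresses, context names and the key value are assumptions, and the key is shown as a placeholder to be replaced.

```cisco
! Primary unit, system execution space (added example; interface names,
! addresses, context names and the key value are assumptions)
!
! LAN-based failover link (hello, link status, configuration replication)
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! Dedicated state link for stateful failover, rather than reusing folink
failover link statelink GigabitEthernet0/3
failover interface ip statelink 192.168.253.1 255.255.255.252 standby 192.168.253.2
!
! Shared secret that encrypts everything sent over both links
! (placeholder value; set the same key on the secondary unit)
failover key REPLACE-WITH-SHARED-SECRET
!
! HTTP connection states are not replicated unless this is enabled
failover replication http
!
! Active/Active: group 1 prefers the primary unit, group 2 the secondary;
! preempt returns a group to its preferred unit after it recovers
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! The admin context is always in failover group 1
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg
  join-failover-group 1
!
! A second context carried by the other unit under normal operation
context ctx2
  allocate-interface GigabitEthernet0/1
  config-url disk0:/ctx2.cfg
  join-failover-group 2
!
! Enable failover last, once links, key and groups are defined
failover
```

Because system-space commands replicate from the unit on which failover group 1 is active, this is entered on that unit; the secondary unit needs only its own bootstrap (the same link and key settings with `failover lan unit secondary`), and `show failover` on either unit then reports the active or standby state of each failover group and of the state link.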
The following information is passed to the standby unit when stateful failover is enabled:
- NAT translation table
- TCP connection table (except for HTTP), including the timeout connection
- HTTP connection states (if HTTP replication is enabled)
- H.323, SIP and MGCP UDP media connections
- The system clock
- The ISAKMP and IPsec SA table
The following information is not copied to the standby unit when stateful failover is enabled:
- HTTP connection table (unless HTTP replication is enabled)
- The user authentication (UAUTH) table
- The ARP table
- Routing tables