Active/Standby Failover High availability configuration Cisco ASA


Failover: Everything needs to match between the two ASAs.
You can achieve two types of failover configuration with the ASA: active/active and active/standby.


Active/active: Allows for a much greater percentage of available resources for deployment. However, active/active configuration does not provide any support for any type of VPN deployment because the ASA needs to run in Multiple Context mode. So, no further time is spent looking at this option, although it is good to know it exists.


Active/standby: One ASA device is active and passing/inspecting traffic while the other is in standby, monitoring the state of the other until the time comes when it must take an active role. You have two configuration options when using active/standby failover:


Stateful configuration allows existing VPN sessions and tunnels to stay
up even when a failover has occurred and the connecting clients and sites are now
entering through the previous standby device. The current connection “states” are
synchronized between devices across a dedicated stateful connection between the
two ASAs or by using the existing failover interfaces. The following clientless SSL
VPN objects are not supported with stateful failover:
■ Smart tunnels
■ Port forwarding
■ Plug-ins
■ Java applets
■ IPv6 clientless or AnyConnect sessions
■ Citrix authentication (Citrix users are required to authenticate after a failover.)
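
A minimal active/standby configuration using the stateful option described above, with a dedicated stateful link. This is an added example, not configuration from the original post; the interface numbers, the link names FOLINK and STATELINK, the addresses and the key are constructed placeholders.

```cisco
! Constructed example: interfaces, names, addresses and key are placeholders.
!
! ----- Primary unit -----
failover lan unit primary
! Failover (control) link: carries unit state and configuration replication
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Dedicated stateful link: carries the connection and VPN session state.
! To share the failover interface instead, use "failover link FOLINK".
! Leaving out "failover link" entirely gives stateless failover.
failover link STATELINK GigabitEthernet0/4
failover interface ip STATELINK 192.0.2.5 255.255.255.252 standby 192.0.2.6
! Without a key, traffic on these links (replicated configuration
! included) crosses the wire in clear text.
failover key FAILOVER_KEY_PLACEHOLDER
!
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
!
! Each monitored data interface needs a standby address
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
!
failover
!
! ----- Secondary unit -----
! Only the failover link is configured by hand; the rest of the
! configuration replicates from the primary once the units see each other.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key FAILOVER_KEY_PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
failover
!
! ----- Verification (either unit) -----
show failover
show failover state
```

In the `show failover` output, check that one unit reports Active and the other Standby Ready, and that the stateful failover statistics counters are incrementing before relying on sessions surviving a switchover.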

Stateless configuration supports HA inasmuch as, during a failover, the
standby device assumes the active role. It does not support any stateful behavior,
meaning all sessions and connections have to be reestablished after a failover has
