# Active/Active Failover

## Overview

Active/Active failover allows both ASA units to process traffic simultaneously by leveraging multiple security contexts. Each failover group (containing one or more contexts) can be assigned as active on a different unit, distributing the traffic load across both firewalls.

Unlike Active/Standby, where one unit sits idle until a failure occurs, Active/Active makes use of both units under normal operation. If one unit fails, the surviving unit takes over all failover groups.

**Key concepts:**

- Requires **multiple context mode**
- Traffic distribution is done through **failover groups** — each group can be active on a different unit
- The **admin context** is always part of failover group 1
- Each context is assigned to a failover group
- `monitor-interface` is configured **inside each context** to track interface health
- `mac-address auto` should be configured to ensure consistent MAC addresses after failover
- All configuration is done on **ASA1 (primary)** — ASA2 only needs basic failover config and will pull the rest automatically

## Video Walkthrough

*Video coming soon.*

## Prerequisites

- Both ASA units must have identical hardware, modules, and software version
- Both units must be in **multiple context mode** (`mode multiple`)
- Same firewall mode per context (routed or transparent)
- A dedicated failover link (LAN-based failover recommended)
- Optional: dedicated state link for stateful failover

## Configuration Steps (CLI)

All configuration below is done on **ASA1 (primary)** unless otherwise stated. ASA2 will receive the full configuration automatically once failover is enabled.

### 1. Enable Multiple Context Mode

If not already in multi-context mode:

```text
ASA1(config)# mode multiple
```

The ASA will reboot. After reboot, you'll be in the **system context**.

### 2. Create Security Contexts

From the system context:

```text
ASA1(config)# context CTX1
ASA1(config-ctx)# allocate-interface GigabitEthernet0/0
ASA1(config-ctx)# allocate-interface GigabitEthernet0/1
ASA1(config-ctx)# config-url disk0:/CTX1.cfg

ASA1(config)# context CTX2
ASA1(config-ctx)# allocate-interface GigabitEthernet0/4
ASA1(config-ctx)# allocate-interface GigabitEthernet0/5
ASA1(config-ctx)# config-url disk0:/CTX2.cfg
```

### 3. Configure Failover Groups

Assign each context to a failover group. Failover group 1 always contains the admin context.

```text
ASA1(config)# failover group 1
ASA1(cfg-fover-group)# primary
ASA1(cfg-fover-group)# preempt

ASA1(config)# failover group 2
ASA1(cfg-fover-group)# secondary
ASA1(cfg-fover-group)# preempt
```

With this configuration:

- **Failover group 1** prefers ASA1 (primary)
- **Failover group 2** prefers ASA2 (secondary)
- `preempt` ensures each group returns to its preferred unit once that unit has recovered from a failure

### 4. Assign Contexts to Failover Groups

```text
ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2
```

The admin context is automatically part of failover group 1 and cannot be reassigned.

### 5. Configure the Failover LAN Interface

```text
ASA1(config)# interface GigabitEthernet0/3
ASA1(config-if)# no shutdown

ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface folink GigabitEthernet0/3
ASA1(config)# failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
```

### 6. Configure the State Link (Optional but Recommended)

Using the same interface as the failover link:

```text
ASA1(config)# failover link folink GigabitEthernet0/3
```

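Or using a dedicated interface. The interface must not be allocated to any context (GigabitEthernet0/4 and GigabitEthernet0/5 belong to CTX2 in step 2), so this example uses GigabitEthernet0/2:

```text
ASA1(config)# interface GigabitEthernet0/2
ASA1(config-if)# no shutdown

ASA1(config)# failover link statelink GigabitEthernet0/2
ASA1(config)# failover interface ip statelink 10.0.1.1 255.255.255.252 standby 10.0.1.2
```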

### 7. Configure MAC Address Auto-Generation

This generates unique virtual MAC addresses for each failover group. During failover, the virtual MAC address moves with the active role, ensuring connected devices don't experience ARP disruptions:

```text
ASA1(config)# mac-address auto
```

Without this, the ASA uses its burned-in physical MAC addresses. After a failover, the new active unit would have a different MAC address, causing traffic disruption until upstream switches and routers update their ARP/CAM tables.

### 8. Configure Monitor-Interface Inside Each Context

Switch into each context and enable interface monitoring. This tells the ASA which interfaces to track for failover decisions.

```text
ASA1(config)# changeto context CTX1
ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# monitor-interface outside

ASA1/CTX1(config)# changeto context CTX2
ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# monitor-interface outside
```

If a monitored interface fails, the failover group for that context will switch to the other unit.

### 9. Enable Failover on ASA1

```text
ASA1(config)# failover
```

### 10. Configure ASA2 (Secondary)

On ASA2, the configuration is minimal. ASA2 must already be in **multiple context mode** (`mode multiple`). From the system context:

```text
ASA2(config)# interface GigabitEthernet0/3
ASA2(config-if)# no shutdown

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface folink GigabitEthernet0/3
ASA2(config)# failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
ASA2(config)# failover
```

Once failover is enabled on ASA2, it will sync the full configuration (contexts, failover groups, interfaces, and all context configs) from ASA1 automatically.

### 11. Verify Failover Status

```text
ASA2# show failover
ASA2# show failover state
ASA2# show failover group 1
ASA2# show failover group 2
```

The output should show:

- **Failover group 1** active on ASA1
- **Failover group 2** active on ASA2
- Both units in "Normal" state
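
Before enabling failover, the system-context commands from steps 2 to 7 can be checked offline. The following Python sketch is an added example, not part of the original walkthrough: it flags a context with no `join-failover-group`, a failover or state link placed on an interface that is also allocated to a context, and a missing `mac-address auto`. The function name `audit` and the sample configuration are constructed for illustration, and the check assumes a failover link interface must not be shared with a context.

```python
import re

# Constructed sample: system-context commands from the steps above, prompts removed,
# with three deliberate mistakes (state link on Gi0/4, CTX2 joins no group, no mac-address auto).
SAMPLE = """\
failover group 1
failover group 2
context CTX1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 join-failover-group 1
context CTX2
 allocate-interface GigabitEthernet0/4
 allocate-interface GigabitEthernet0/5
failover lan interface folink GigabitEthernet0/3
failover link statelink GigabitEthernet0/4
"""

def audit(config):
    """Hypothetical helper: return a list of findings for a system-context config."""
    groups, links, contexts, current, findings = set(), {}, {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # top-level command ends any context block
            current = None
        if m := re.fullmatch(r"failover group (\d+)", line):
            groups.add(m[1])
        elif m := re.fullmatch(r"context (\S+)", line):
            current = contexts.setdefault(m[1], {"ifaces": set(), "group": None})
        elif m := re.fullmatch(r"failover (?:lan interface|link) (\S+) (\S+)", line):
            links[m[2]] = m[1]           # physical interface -> failover link name
        elif current is not None and (m := re.match(r"allocate-interface (\S+)", line)):
            current["ifaces"].add(m[1])
        elif current is not None and (m := re.fullmatch(r"join-failover-group (\d+)", line)):
            current["group"] = m[1]
    for name, ctx in contexts.items():
        if ctx["group"] is None:
            findings.append(f"{name}: no join-failover-group")
        elif ctx["group"] not in groups:
            findings.append(f"{name}: failover group {ctx['group']} is not defined")
        for iface in sorted(links.keys() & ctx["ifaces"]):
            findings.append(f"{name}: {iface} is also failover link {links[iface]}")
    top_level = {l for l in config.splitlines() if not l.startswith(" ")}
    if "mac-address auto" not in top_level:
        findings.append("system: mac-address auto missing")
    return findings

print("\n".join(audit(SAMPLE)))
```
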

## Configuration Steps (ASDM)

*Screenshots and ASDM walkthrough coming soon.*

