Failover

Most ASA appliances can be configured in high-availability pairs, provided that both ASAs in the pair have identical hardware specs. There are two ways to configure ASAs for failover: active/standby and active/active. In an active/standby configuration, should the primary ASA fail, the secondary takes over. In an active/active configuration, both ASAs can forward traffic, but, as you'll see, that's not necessarily as exciting as it sounds.

To use this feature, the ASA must be licensed for it, though currently all models 5520 and higher come with the feature. To determine whether an ASA is capable of supporting failover, use the show version command:

ASA-5540# sho version | begin Licensed
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 10
GTP/GPRS                     : Disabled
VPN Peers                    : 5000
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

To be installed as a failover pair, each ASA must have the same software release installed, though minor differences are tolerated and will be indicated with a warning such as this:

************WARNING****WARNING****WARNING********************************
Mate version 8.0(3) is not identical with ours 8.0(4)
************WARNING****WARNING****WARNING*********************************
Beginning ...
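The two checks described above (is the unit licensed for failover, and does the mate run the same release) are easy to automate before you pair two units. The script below is an added example and is not from the book or from Cisco; the sample `show version` block is constructed to mirror the output shown above, and the "minor" versus "major" version classification (same major.minor train, different interim number) is this example's own heuristic, not Cisco's compatibility rule.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `show version | begin Licensed`, laid out like the
# output in the text above (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 10
GTP/GPRS                     : Disabled
VPN Peers                    : 5000
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2
"""

# "Feature name   : value" with the padding the ASA uses to align columns.
LICENSE_LINE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")

# ASA release strings look like 8.0(4): major.minor(maintenance).
# Assumption: suffixes such as interim build numbers are ignored here.
VERSION = re.compile(r"(\d+)\.(\d+)\((\d+)\)")


def parse_licensed_features(text: str) -> Dict[str, str]:
    """Return the 'Licensed features' block as a name -> value mapping."""
    features: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = LICENSE_LINE.match(line)
        if not m:
            break  # first line that is not "name : value" ends the block
        features[m.group("name")] = m.group("value")
    return features


def failover_capability(features: Dict[str, str]) -> Optional[str]:
    """Return the licensed failover mode, or None if failover is not licensed."""
    value = features.get("Failover", "Disabled")
    return None if value.strip().lower() == "disabled" else value


def parse_asa_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, maintenance) from a string such as '8.0(4)'."""
    m = VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint = (int(x) for x in m.groups())
    return (major, minor, maint)


def compare_mate_versions(ours: str, mate: str) -> str:
    """Classify the release difference between the two units of a pair.

    'identical'      -> same release, no warning expected
    'minor-mismatch' -> same major.minor train, different maintenance release
                        (the situation the WARNING banner above reports)
    'major-mismatch' -> different train; treat as not suitable for pairing
    """
    a, b = parse_asa_version(ours), parse_asa_version(mate)
    if a == b:
        return "identical"
    if a[:2] == b[:2]:
        return "minor-mismatch"
    return "major-mismatch"


def failover_readiness(show_version: str, our_version: str, mate_version: str) -> Dict[str, object]:
    """Summarise the pre-pairing checks: licensing and mate software release."""
    mode = failover_capability(parse_licensed_features(show_version))
    return {
        "licensed": mode is not None,
        "mode": mode,
        "version_match": compare_mate_versions(our_version, mate_version),
    }


if __name__ == "__main__":
    # Mirrors the scenario in the text: licensed for Active/Active, mate one
    # maintenance release behind ours.
    print(failover_readiness(SAMPLE_SHOW_VERSION, "8.0(4)", "8.0(3)"))
```

Feed `parse_licensed_features` the captured output of `show version` from each unit and compare the two mappings as well: the text's hardware requirement means the licensed interface and VLAN limits should line up too, so a difference there is worth investigating before you enable failover.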
