This chapter describes how to configure Active/Backup failover to accomplish high availability of the Cisco ASAv in a public cloud environment, such as

To ensure redundancy, you can deploy the ASAv in a public cloud environment in an Active/Backup high availability (HA) configuration. HA in the public cloud implements a stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv.

The following list describes the primary components in the HA public cloud solution:

- Active ASAv: The ASAv in the HA pair that is set up to handle the firewall traffic for the HA peers.
- Backup ASAv: The ASAv in the HA pair that is not handling firewall traffic and takes over as the active ASAv in the event of an active ASAv failure. It is referred to as a Backup rather than a Standby because it does not take on the identity of its peer
- HA Agent: A lightweight process that runs on the ASAv and determines the HA role (active/backup) of an ASAv, detects failures of its HA peer, and performs actions based on its HA role.

On the physical ASA and the non-public cloud virtual ASA, the system handles failover conditions using gratuitous ARP requests where the backup ASA sends out a gratuitous ARP indicating it is now associated with the active IP and MAC addresses. Public cloud environments do not allow broadcast traffic of this nature. For this reason, an HA configuration in the public cloud requires that ongoing connections be restarted when failover happens.

The health of the active unit is monitored by the backup unit to determine if specific failover conditions are met. If those conditions are met, failover occurs. The failover time can vary from a few seconds to over a minute depending on the responsiveness

In Active/Backup failover, one unit is the active unit. The backup unit does not actively pass traffic or exchange any configuration information with the active unit. Active/Backup failover lets you use a backup ASAv device to take over the functionality of a failed unit. When the active unit fails, it changes to the backup state while the backup

Primary/Secondary Roles and Active/Backup Status

When setting up Active/Backup failover, you configure one unit to be primary and the other as secondary.

Two units act as two separate devices for device and policy configuration, as well as for events, dashboards, reports, and

The main differences between the two units in a failover pair are related to which unit is active and which unit is backup, namely which unit actively passes traffic. Although both units are capable of passing traffic, only the primary unit responds to Load Balancer probes and programs any configured routes to use it as a route destination.

Is to monitor the health of the primary unit.

The primary unit always becomes the active unit if both units start up at the same time (and are of equal operational health).

The backup ASAv monitors the health of the active ASAv using a failover connection established over TCP:

- The active ASAv acts as a connection server by opening a listen port.
- The backup ASAv connects to the active ASAv using the connect port.
- Typically the listen port and the connect port are the same, unless your configuration requires some type of network address translation between the ASAv units.

The state of the failover connection detects the failure of the active ASAv.