Overview

Active/Active failover allows both ASA units to process traffic simultaneously by leveraging multiple security contexts. Each failover group (containing one or more contexts) can be assigned as active on a different unit, distributing the traffic load across both firewalls.

Unlike Active/Standby, where one unit sits idle until a failure occurs, Active/Active makes use of both units under normal operation. If one unit fails, the surviving unit takes over all failover groups.

Key concepts:

  • Requires multiple context mode
  • Traffic distribution is done through failover groups — each group can be active on a different unit
  • The admin context is always part of failover group 1
  • Each context is assigned to a failover group
  • monitor-interface is configured inside each context to track interface health
  • mac-address auto should be configured to ensure consistent MAC addresses after failover
  • All configuration is done on ASA1 (primary) — ASA2 only needs basic failover config and will pull the rest automatically

Video Walkthrough

Video coming soon.

Prerequisites

  • Both ASA units must have identical hardware, modules, and software version
  • Both units must be in multiple context mode (mode multiple)
  • Same firewall mode per context (routed or transparent)
  • A dedicated failover link (LAN-based failover recommended)
  • Optional: dedicated state link for stateful failover

Configuration Steps (CLI)

All configuration below is done on ASA1 (primary) unless otherwise stated. ASA2 will receive the full configuration automatically once failover is enabled.

1. Enable Multiple Context Mode

If not already in multi-context mode:

ASA1(config)# mode multiple

The ASA will reboot. After reboot, you’ll be in the system context.

2. Create Security Contexts

From the system context:

ASA1(config)# context CTX1
ASA1(config-ctx)# allocate-interface GigabitEthernet0/0
ASA1(config-ctx)# allocate-interface GigabitEthernet0/1
ASA1(config-ctx)# config-url disk0:/CTX1.cfg

ASA1(config)# context CTX2
ASA1(config-ctx)# allocate-interface GigabitEthernet0/4
ASA1(config-ctx)# allocate-interface GigabitEthernet0/5
ASA1(config-ctx)# config-url disk0:/CTX2.cfg

3. Configure Failover Groups

Create the failover groups and set which unit each one prefers; contexts are joined to the groups in the next step. Failover group 1 always contains the admin context.

ASA1(config)# failover group 1
ASA1(cfg-fover-group)# primary
ASA1(cfg-fover-group)# preempt

ASA1(config)# failover group 2
ASA1(cfg-fover-group)# secondary
ASA1(cfg-fover-group)# preempt

With this configuration:

  • Failover group 1 prefers ASA1 (primary)
  • Failover group 2 prefers ASA2 (secondary)
  • preempt ensures each group returns to its preferred unit after a failure recovery

4. Assign Contexts to Failover Groups

ASA1(config)# context CTX1
ASA1(config-ctx)# join-failover-group 1

ASA1(config)# context CTX2
ASA1(config-ctx)# join-failover-group 2

The admin context is automatically part of failover group 1 and cannot be reassigned.

5. Configure the Failover LAN Interface

ASA1(config)# interface GigabitEthernet0/3
ASA1(config-if)# no shutdown

ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface folink GigabitEthernet0/3
ASA1(config)# failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2

6. Configure the State Link

The state link carries connection state between the units for stateful failover. To share the failover LAN interface as the state link:

ASA1(config)# failover link folink GigabitEthernet0/3

Or using a dedicated interface. The state link interface must not be allocated to any context; GigabitEthernet0/4 is already allocated to CTX2 in step 2, so the unallocated GigabitEthernet0/2 is used here:

ASA1(config)# interface GigabitEthernet0/2
ASA1(config-if)# no shutdown

ASA1(config)# failover link statelink GigabitEthernet0/2
ASA1(config)# failover interface ip statelink 10.0.1.1 255.255.255.252 standby 10.0.1.2

7. Configure MAC Address Auto-Generation

This generates unique virtual MAC addresses for each failover group. During failover, the virtual MAC address moves with the active role, ensuring connected devices don’t experience ARP disruptions:

ASA1(config)# mac-address auto

Without this, the ASA uses its burned-in physical MAC addresses. After a failover, the new active unit would have a different MAC address, causing traffic disruption until upstream switches and routers update their ARP/CAM tables.

8. Configure Monitor-Interface Inside Each Context

Switch into each context and enable interface monitoring. This tells the ASA which interfaces to track for failover decisions.

ASA1(config)# changeto context CTX1
ASA1/CTX1(config)# monitor-interface inside
ASA1/CTX1(config)# monitor-interface outside

ASA1/CTX1(config)# changeto context CTX2
ASA1/CTX2(config)# monitor-interface inside
ASA1/CTX2(config)# monitor-interface outside

If a monitored interface fails, the failover group for that context will switch to the other unit.

9. Enable Failover on ASA1

ASA1(config)# failover

10. Configure ASA2 (Secondary)

On ASA2, the configuration is minimal. ASA2 must already be in multiple context mode (mode multiple). From the system context:

ASA2(config)# interface GigabitEthernet0/3
ASA2(config-if)# no shutdown

ASA2(config)# failover lan unit secondary
ASA2(config)# failover lan interface folink GigabitEthernet0/3
ASA2(config)# failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
ASA2(config)# failover

Once failover is enabled on ASA2, it will sync the full configuration (contexts, failover groups, interfaces, and all context configs) from ASA1 automatically.

11. Verify Failover Status

ASA2# show failover
ASA2# show failover state
ASA2# show failover group 1
ASA2# show failover group 2

Expected output should show:

  • Failover group 1 active on ASA1
  • Failover group 2 active on ASA2
  • Both units in “Normal” state
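As an added example that is not part of this guide, the following Python check parses `show failover` output and confirms the distribution listed above (each group active on its preferred unit, the other unit in Standby Ready, failover on). The sample output is constructed to approximate the command's layout and was not captured from a device; the `preferred` mapping mirrors the primary/secondary keywords set under each failover group in step 3.

```python
import re

# Constructed sample of `show failover` on ASA1 (abridged, approximate layout).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)

  This host:    Primary
  Group 1       State:          Active
                Active time:    3600 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    3595 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")

def parse_group_states(output):
    """Return {group_id: {unit: state}} from show failover output."""
    states, unit = {}, None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:                      # "This host: Primary" / "Other host: Secondary"
            unit = m.group(2)
            continue
        m = GROUP_RE.match(line)
        if m and unit:             # "Group 1  State: Active" under the current host
            states.setdefault(int(m.group(1)), {})[unit] = m.group(2)
    return states

def check_distribution(output, preferred):
    """preferred maps group id -> 'Primary' or 'Secondary'.
    Returns a list of problems; an empty list is the expected healthy state."""
    problems = []
    if not output.lstrip().startswith("Failover On"):
        problems.append("failover is not enabled")
    states = parse_group_states(output)
    for group, want in preferred.items():
        units = states.get(group, {})
        active = [u for u, s in units.items() if s == "Active"]
        if active != [want]:       # nobody, the wrong unit, or both (split brain)
            problems.append(f"group {group}: active on {active or 'nobody'}, expected {want}")
        for u, s in units.items():
            if u != want and s != "Standby Ready":
                problems.append(f"group {group}: {u} is '{s}', not 'Standby Ready'")
    return problems
```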

Configuration Steps (ASDM)

Screenshots and ASDM walkthrough coming soon.