ASA + HSRP/VRRP/GLBP = undef

I use Google Analytics to track the 2 or 3 hits I get a day, and sometimes I see some interesting search terms. Yesterday, someone googled up the term “does the ASA 5505 run HSRP”; I think that deserves a short article.

The ASA and PIX firewalls don’t actually run any of the usual HA solutions you use on routers. They don’t do HSRP, VRRP, or GLBP at all. Since firewalls have all sorts of state tables, connection tables, translation tables, blah, blah, blah, they need to share more information than just whether they’re alive or not, so they use different methods to provide HA.

Cisco uses two different methods to handle this issue – a failover cable or a failover interface. On a PIX (above the 501s and 506s), you’ll see a DB-15 interface labelled…wait for it…“failover”. When a very expensive Cisco cable is placed between the failover ports of two PIXes, the boxes do some election stuff over it and decide on an active and a standby state for each (it does all sorts of stuff, but I won’t go into it). The other method is basically the same, but, instead of an expensive, proprietary Cisco cable, it uses one of the interfaces to connect the two. You basically connect a crossover cable between two of them, do some configuration, and we’re good. The ASA doesn’t come with a failover cable so it uses the interface method, but you need a license for that (imagine that).

Just for the record, if an ASA or PIX becomes the active member of the cluster, it takes over both the IP and MAC address of the primary.  There’s no election and configuration of a standby address.  The use of the real addresses, along with the constant sync of the state data, means a very fast and seamless failover.  I actually SSHed through an FWSM (think of it as a PIX on a blade) and pulled the power plugs from it; I actually only lost one packet.
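Since a seamless takeover depends on the failover link being up and the peer sitting in a ready standby state, here is a small health check over `show failover` output. It is an added example, not from the original post or from Cisco; the sample text is constructed and abridged, and the interface name in it is an assumption.

```python
import re

# Constructed sample in the general layout of ASA "show failover" output
# (abridged; the link name "folink" and the interface are made up).
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Last Failover at: 10:23:11 UTC Jan 5 2014
        This host: Primary - Active
                Active time: 13434 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

def parse_failover(text):
    """Pull out the fields that decide whether a takeover would be seamless."""
    info = {"enabled": False, "link_up": False, "this": None, "other": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Failover On"):
            info["enabled"] = True
        m = re.match(r"Failover LAN Interface: \S+ \S+ \((.+)\)$", line)
        if m:
            info["link_up"] = m.group(1) == "up"
        m = re.match(r"(This|Other) host: (\w+) - (.+)$", line)
        if m:
            # Store (role, state), e.g. ("Secondary", "Standby Ready").
            info[m.group(1).lower()] = (m.group(2), m.group(3))
    return info

def pair_problems(text):
    """Return reasons the pair is not protecting you (empty list = healthy)."""
    info = parse_failover(text)
    problems = []
    if not info["enabled"]:
        problems.append("failover is disabled")
    if not info["link_up"]:
        problems.append("failover link is not up")
    states = sorted(s[1] for s in (info["this"], info["other"]) if s)
    if states != ["Active", "Standby Ready"]:
        problems.append("expected one Active and one Standby Ready unit, got %s" % states)
    return problems

if __name__ == "__main__":
    print(pair_problems(SAMPLE) or "pair healthy")
```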

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages.


4 comments for “ASA + HSRP/VRRP/GLBP = undef”

  1. June 28, 2011 at 6:20 am

    Thanks,

    Man, useful article.
    I am now taking on the challenge of designing a network where HA is required, and I have to build two sites, where I need to put 2 ASAs per site.

    Take care

  2. January 8, 2013 at 9:50 pm

    I have used a bunch of FWSM (Checkpoint, Juniper, ASA and so on); best in clustering, in my opinion, is Checkpoint. No need to waste money buying 2 ASAs per site; it’s a waste of money if it’s for the purpose of complete redundancy.

  3. Den B
    February 12, 2013 at 1:21 am

    To “the boxes do some election stuff over it and decide..”, I clearly remember having a separate PIX515-something box, clearly labeled “STANDBY” in metal and during bootup in console. It also said in console something like this: “this is a standby unit. blah-blah-blah. main unit is not detected. blah-blah will not save configuration. will autoreboot in 24 hours” every time it was not connected to the main unit. So, I think, at least for some boxes, the fate of election, if any in the case, was predetermined at the production line.

  4. May 8, 2014 at 11:27 am

    Den B, the role of the old PIX units was not set on the manufacturing line, but by license. The PIXs actually distinguished between a primary-licensed unit and the failover unit. The failover, as you noted, was severely limited (as that license was substantially cheaper than the primary licensing). It would reboot “approximately” every 24 hours, not save config, etc.

    The ASA line originally had to be licensed identically on each box. This made customers upset, especially when buying expensive AnyConnect Premium licenses that would sit unused, but the up-shot was that it doesn’t matter in ASA-land whether you’re actually running on the “primary” or the “secondary”. You can run indefinitely on the secondary with no problem.

    More recently (in the 8.3 code) they added license stacking, where both failover members combine their licenses. They will cache the combined license for 30 days after the failover link is lost, to give you time to replace a dead mate and get the license re-hosted before reverting to the built-in license. This lets you buy only one set of complete licenses, and still survive on the “other” unit for a while. One gotcha I’ve hit is that the “stacked” license is lost if the surviving unit reboots. So if you take a power hit, and only one unit actually comes back on afterwards, it will come back up with only its on-box licenses. That can be a rude surprise.

    Great article, Aaron!
