Cisco ASA Firewall Active / Standby Failover

Hi Rene,

if configuration on ASA1 is:

ASA1(config)# failover interface ip FAILOVER standby

shouldn’t configuration on ASA2 be:

ASA2(config)# failover interface ip FAILOVER standby ?

Hello Aleksejs

When you configure the Active/Standby failover on ASA devices, you must choose one device top be the primary and one to be the standby. In this case Rene has chosen ASA1 as the primary and ASA2 as the standby. These configurations must be the same in both devices. That is, the IP address of the primary device must be the same (ASA1 with an IP address of and that of the standby device must also be the same (ASA2 with an IP address of This is why the command uses the same addresses as primary and standby.

I hope this has been helpful!


Hi Rene,
I read ASA topic already but i have confuse about something:

  • Which benefit when using between PIX and ASA
  • Which is diferrent or enhement or improment when using ASA with New Generation Firewall ( etc Sophos XG , Palo Alto …)
  • And If ASA combined with CSC-SSM or Firepower is best practise ? Could you take a look and tek a tourial about ASA with extended modules that ?

Hello Nguyen

The Cisco PIX was an older firewall and NAT appliance that Cisco had, but its end of sale was announced in 2008. The Cisco ASA which was introduced in 2005 replaced the PIX and is now the standard firewall appliance Cisco provides.

The term Next Generation Firewall is used for all firewalls including the ASA, as well as Sophos, Palo Alto, PFSense, and others, to describe today’s advanced firewall technology that combines traditional firewall functionality with advanced algorithms including deep packet inspection, and IPS. So all of these devices and products are capable of Next Generation Firewall capabilities. Now which one is best? How do they compare? It’s not for us to say here, but you can definitely find reviews and personal testimonies of people who have used them. Some are better for some purposes, and not for others, but it all comes down to personal experience.

As for the use of the CSC-SSM module or firepower, and best practices, if you would like a lesson written about these, then you can always go to the Member Ideas page and post your suggestions there:

I hope this has been helpful!


Thank Laz,

I just suggest !!! Now have matrix of NGF , hope will know clearly and choose the best solution for business.

1 Like


I need to ensure LAN users on have ISP redundancy/load-balancing where internet connection is going through HA firewalls. The firewalls are connected to router CE1 and CE2, which are then connected to ISP PE1 router and ISP PE2 router respectively via BGP.

How can I ensure LAN users are able to access to the internet without redistributing into BGP? Thanks in advanced!

Hello Kenneth

Typically, firewalls denote the edge of the enterprise network. As such, we usually have NAT running on them in order to allow internal devices to access external destinations. By adding NAT here, you can achieve what you want.

However, if we don’t use NAT, then you will somehow have to let the BGP AS 100 know how to get to the internal IP addresses of the subnet in question. There’s no way to avoid this.

In such scenarios, we usually have ISPs using public IP addresses, and the firewalls denoting the border between the public Internet and the private internal network. This is the most common situation, and is the method by which you can keep the internal addresses from being advertised.

I hope this has been helpful!


Hi Lazaros,

The idea is not to advertise or redistribute routes of specific internal LAN subnets (e.g. to the ISPs. I figured out that the CE routers can advertised

  1. BGP default route to the PE routers
  2. IGP (e.g. OSPF) default route to the firewalls

I tried BGP Multipath load sharing, not sure why am I not seeing the alternate path ‘m’ when I run show ip bgp

CE_Router1 & CE Router2
(config)#router bgp 100
(config-router)#maximum-paths 2

Hello Kenneth

Based on your configuration, you are trying to configure multiple paths via iBGP, since you are configuring it in the same AS as that which the CE routers are in. For this to function you are required to include the ibgp keyword in the command. Specifically:

(config-router)#maximum-paths ibgp 2

Take a look at this lesson that details BGP multipath load sharing:

I hope this has been helpful!


Hi Laz,

I am trying to allow iBGP multiple path towards the CE routers and ebgp towards its directly connected PE router.
Both commands below don’t seems work
CE Router1 & CE Router2
(config-router)#maximum-paths ibgp 2
(config-router)#maximum-paths 2

Hello Kenneth

Understood. There are many things that can be causing this. I will give you a couple of scenarios below to help you in the troubleshooting process:

  1. You must verify that the following attributes for both paths that you want to implement equal cost load balancing are THE SAME:
    1- Weight
    2- Local Preference.
    3- Shortest As Path.
    4- MED Value
    5- Origin Code
    Load balancing will occur ONLY IF all of the above are the same for the same destination network.
  2. Another issue that you might be facing is the fact that some routes are being learned from two different ISPs. For such situations, Cisco states the following:

When BGP multi-pathing is enabled, BGP load-balances user traffic within a single autonomous system (AS). The criteria are that all attributes must match (weight, AS path, etc). However when a device is multi-homed to multiple autonomous systems, BGP cannot load balance traffic between them by default. In order to enable load-balancing of traffic among the multi-homed autonomous systems, the bgp bestpath as-path multipath-relax command needs to be enabled. The criteria required for this is that the AS-path length should be equal.

This is taken from the following link:

I hope this helps you in your troubleshooting efforts.


1 Like

Can we have an existing ASA 5525 (or any ASA Firewall) with a running configuration on it, and then introduce the failover configuration at a later stage along-with the standby unit ? This is off-course assuming that the second firewall is of the same model and IOS version etc.

I am looking to cluster a standalone firewall by introducing a second unit and am not sure if the above approach is feasible on an already configured and existing ASA ?

Hello Nishesh

Yes this is a feasible scenario. As long as the prerequisites are met for the second ASA (as stated in the following lesson) then you can implement this.

You just have to keep in mind that it’s not always easy to adjust an existing config of a running device to conform to an Active/Standby situation. It’s not impossible, but it may be tricky. You may have a lot of config parameters that have been added over time that may get in the way of the final state that you desire between the two devices. Depending on how you approach it, you may want to take some time to design the configs of both the Active and Standby devices from before and do a trial run during a maintenance window and see how things go. Sometimes it’s easier to begin configuration from scratch in such cases, but you’ll have to decided what works best for you.

I hope this has been helpful!


Is the ASA doesn’t support Active/Active ?

Hello Pichai

Actually, the ASA can be configured in an Active/Active failover arrangement. There is not yet a lesson for this, but it may be added in the future. More information about it can be found at the following Cisco documentation:

I hope this has been helpful!


Hi all,
we have a pair of 2130s in ASA mode (Active/Standby). Does anyone know how to enable FIPS in order on the 2130s? Do I need to enable FIPS on each individual firepower and reboot it under FXOS mode?

Thank you.

Hello Lee,

The same FIPS mode is a requirement for failover so I think you’ll need to enable FIPS on each individual firepower and reboot them.


Hi Rene,
After enabled FIPS on the ASA firewall the IPSec tunnel (ikev1) is broken. Could you please give me some advice? I read some cisco doc and it’s stating that i need to change it ikev2 which can increase the group greater than 5.
Also, i have another question for you please. How do I configure redistribute BGP into EIGRP with multiple specific ip addresses from customers on the Internet that we want to connect to?


Hello Lee

Yes, this behaviour is expected. It is true that enabling FIPS mode on the ASA, it requires DH keys of 2048 bits or larger, which is something that IKEv1 does not support. For this reason, IKEv2 must be used with a DH key size of at least 2048 bits. Note that this is done based on FIPS certification compliance 140-2 of the ASA as part of the update in ASA 9.4(1) and later. More on this can be found at the following link:

In order to redistribute routes from BGP to EIGRP, you must use the redistribute command either under the router bgp configuration mode or under the address family mode. More on mutual redistribution between BGP and EIGRP can be found here:

Now if you want to redistribute only particular prefixes rather than all available BGP routes, then you can use the redistribute command with the appropriate route map that will filter out the particular prefixes you want. You can find more information about how to do this in the Cisco command reference for this command:

I hope this has been helpful!


Hello Laz,
Thank you for your email. I don’t know how to change/modify DH key size of at least 2048 bits on the ASA firewall, please advise. however, I did create an ikev2 policy below with DH group 14 and i tested it but phase 1 is not up… of course the remote side has changed the same too.

crypto ikev2 policy 10
encryption aes-256
integrity sha256 sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 enable Internet