Primary/secondary status and active/standby status – Cisco ASA 5505 User Manual
Page 1308
 
62-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 62 Configuring Active/Standby Failover
Information About Active/Standby Failover
Note
For multiple context mode, the ASA can fail over the entire unit (including all contexts) but cannot fail 
over individual contexts separately.
Primary/Secondary Status and Active/Standby Status
The main differences between the two units in a failover pair are related to which unit is active and which 
unit is standby, namely which IP addresses to use and which unit actively passes traffic.
However, a few differences exist between the units based on which unit is primary (as specified in the 
configuration) and which unit is secondary:
•
The primary unit always becomes the active unit if both units start up at the same time (and are of 
equal operational health).
•
The primary unit MAC addresses are always coupled with the active IP addresses. The exception to 
this rule occurs when the secondary unit is active and cannot obtain the primary unit MAC addresses 
over the failover link. In this case, the secondary unit MAC addresses are used. 
Device Initialization and Configuration Synchronization
Configuration synchronization occurs when one or both devices in the failover pair boot. Configurations 
are always synchronized from the active unit to the standby unit. When the standby unit completes its 
initial startup, it clears its running configuration (except for the failover commands needed to 
communicate with the active unit), and the active unit sends its entire configuration to the standby unit. 
The active unit is determined by the following:
•
If a unit boots and detects a peer already running as active, it becomes the standby unit.
•
If a unit boots and does not detect a peer, it becomes the active unit.
•
If both units boot simultaneously, then the primary unit becomes the active unit, and the secondary 
unit becomes the standby unit.
Note
If the secondary unit boots without detecting the primary unit, it becomes the active unit. It uses its own 
MAC addresses for the active IP addresses. However, when the primary unit becomes available, the 
secondary unit changes the MAC addresses to those of the primary unit, which can cause an interruption 
in your network traffic. To avoid this, configure the failover pair with virtual MAC addresses. See the 
“Configuring Virtual MAC Addresses” section on page 62-15
for more information.
When the replication starts, the ASA console on the active unit displays the message “Beginning 
configuration replication: Sending to mate,” and when it is complete, the ASA displays the message 
“End Configuration Replication to mate.” During replication, commands entered on the active unit may 
not replicate properly to the standby unit, and commands entered on the standby unit may be overwritten 
by the configuration being replicated from the active unit. Avoid entering commands on either unit in 
the failover pair during the configuration replication process. Depending upon the size of the 
configuration, replication can take from a few seconds to several minutes.
Note
The crypto ca server command and related sub commands are not synchronized to the failover peer.