
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.


The state information passed to the standby unit includes these:

  • The NAT translation table
  • The TCP connection states
  • The UDP connection states
  • The ARP table
  • The Layer 2 bridge table (when it runs in the transparent firewall mode)
  • The HTTP connection states (if HTTP replication is enabled)
  • The ISAKMP and IPSec SA table
  • The GTP PDP connection database

The information that is not passed to the standby unit when stateful failover is enabled includes these:

  • The HTTP connection table (unless HTTP replication is enabled)
  • The user authentication (uauth) table
  • The routing tables
  • State information for security service modules

If failover occurs within an active Cisco IP SoftPhone session, the call remains active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because there is no session information for the CTIQBE hang-up message on the standby unit. When the IP SoftPhone client does not receive a response back from the Call Manager within a certain time period, it considers the Call Manager unreachable and unregisters itself.

After this replication, the new active ASA assumes the active IP address and sends a gratuitous ARP to the devices on the network so that they can update their ARP entries.

[Figure: gratuitous ARP injected by the ASA to other connected devices]

The best way to implement failover, however, is to use a virtual MAC address: with a virtual MAC address configured for failover, the ARP entries do not change and there is no timeout anywhere on the network. Without a virtual MAC address, the ARP entries change when failover occurs, and the new device sends the gratuitous ARP when it takes over the active state.
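The following Active/Standby configuration, entered on the primary unit, is an added example and not part of the original article. It enables the stateful link, turns on the HTTP replication mentioned in the lists above, and assigns virtual MAC addresses to a data interface. The interface names, link names (FOLINK, STATELINK), IP addresses, MAC addresses and key are constructed placeholders.

```cisco
! Constructed example: Active/Standby pair, primary unit.
! All interface names, addresses and MACs are placeholders.

! Dedicated failover (control) link with active and standby addresses
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2

! Stateful link: carries the per-connection state
! (NAT, TCP/UDP, ARP, ISAKMP/IPSec SA tables and so on)
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.0.2.5 255.255.255.252 standby 192.0.2.6

! Shared key so failover traffic between the units is
! authenticated and encrypted (replace the placeholder)
failover key <shared-secret-placeholder>

! HTTP connection states are not replicated unless this is set
failover replication http

! Virtual MAC addresses for a data interface:
! failover mac address <physical-if> <active-mac> <standby-mac>
failover mac address GigabitEthernet0/0 0200.0000.0a01 0200.0000.0a02

! Enable failover
failover
```

After both units are up, `show failover` reports the failover state of each unit and the stateful update statistics.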


