19 July 2013

ASA - How to get automatic email notification of firewall failover events?


ASAs have a habit of failing over quietly and efficiently without anybody noticing. Sometimes this happens because an upstream or downstream device rebooted, or a switch failed momentarily. The annoying part is that the firewall can fail over without you knowing about it at all; you get stuck focusing on the other issue and never notice that the firewalls are in a failed-over state. I've seen customers who have (thinking they were running on their primary firewall) rebooted their failover infrastructure, only to find they'd caused a short outage to their network.

There are a few ways to find out that an ASA has failed over without looking at the box or logging into it and running "show failover". Firstly, you could invest in commercial monitoring software, which many smaller companies can't afford to buy or maintain. Open source monitoring options might appeal to those so inclined. Another cheap way is the "logging mail" function: when a syslog event matching a configured syslog ID list occurs, the ASA sends an email to a recipient containing the logging event(s).

So which syslog IDs do you match? You have a few options here: you could run a few failover tests and see which log events occur, or you can find the ASA syslog message list for your ASA code version and work out which syslog IDs are appropriate.

The table linked lists HA events as starting with 101, 102, 103, 104, 210, 311 and 709. It also says that error codes range from 100000 to 999999. As you're probably aware, there are different logging levels that can be applied and viewed; these are referenced as a number between 0 and 7 (where 0 = Emergencies, 1 = Alerts and 7 = Debug). It turns out that the 1xxxxx numbers are therefore the "Alert" (1) messages and likely the ones we want to see.

So if we match 101xxx, 102xxx, 103xxx, 104xxx we'll probably see what we want. Further snooping through the alert messages tells me that 105xxx is likely needed as well. The configuration below builds a message list from those ranges, sends anything on the list by email, and restricts the recipient to alert-level messages:

logging enable
logging list SMTP-FAILOVER message 101000-101999
logging list SMTP-FAILOVER message 102000-102999
logging list SMTP-FAILOVER message 103000-103999
logging list SMTP-FAILOVER message 104000-104999
logging list SMTP-FAILOVER message 105000-105999
logging mail SMTP-FAILOVER
logging from-address ASAFirewallAlarm@company.com.au
logging recipient-address SupportTeam@company.com.au level alerts
smtp-server 10.1.1.1
Note: for the above to work you need logging enabled on the ASA (logging enable) and an SMTP server that the firewall can reach and that will accept mail from it.
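To check what the SMTP-FAILOVER list and the "level alerts" recipient filter will and won't mail out before you rely on them, it helps to run the same two filters over some syslog lines offline. The Python below is an added example written for this post, not an ASA feature or Cisco code: it parses the standard "%ASA-<severity>-<message id>:" header, applies the message-ID ranges from the configuration above, and then applies the recipient severity level. The sample log lines are constructed to look like ASA output (they were not captured from a real firewall), and the example assumes that both the list membership and the recipient level must be satisfied for a message to be emailed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message-ID ranges copied from the "logging list SMTP-FAILOVER" lines above.
FAILOVER_RANGES = [
    (101000, 101999), (102000, 102999), (103000, 103999),
    (104000, 104999), (105000, 105999),
]

# ASA severity levels: 0 = emergencies ... 7 = debugging; "alerts" is 1.
LEVEL_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Standard ASA syslog header: %ASA-<severity>-<six-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


@dataclass
class AsaMessage:
    severity: int
    msg_id: int
    text: str


def parse_asa_line(line: str) -> Optional[AsaMessage]:
    """Extract severity, message ID and text from one syslog line, or return
    None when the line does not carry an ASA message header."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return AsaMessage(int(m.group("sev")), int(m.group("msgid")), m.group("text"))


def in_logging_list(msg_id: int, ranges=FAILOVER_RANGES) -> bool:
    """True if the message ID falls inside any range of the logging list."""
    return any(lo <= msg_id <= hi for lo, hi in ranges)


def should_email(msg: AsaMessage, level: str = "alerts") -> bool:
    """Emulate the two filters in the configuration: the message must be on the
    SMTP-FAILOVER list AND be at or above the recipient's severity level
    (a lower number is more severe). Assumption: both filters apply."""
    return in_logging_list(msg.msg_id) and msg.severity <= LEVEL_NAMES[level]


def select_for_email(lines, level: str = "alerts") -> List[AsaMessage]:
    """Return the parsed messages that would be emailed for the given level."""
    parsed = (parse_asa_line(line) for line in lines)
    return [m for m in parsed if m and should_email(m, level)]


# Constructed sample lines in ASA syslog format (not captured from a real box).
SAMPLE_LOG = [
    "Jul 19 2013 10:15:01 fw1 %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.",
    "Jul 19 2013 10:15:02 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/4410 (203.0.113.5/4410) to inside:10.1.1.20/443 (10.1.1.20/443)",
    "Jul 19 2013 10:15:03 fw1 %ASA-6-105008: (Primary) Testing interface inside.",
    "Jul 19 2013 10:15:04 fw1 %ASA-1-105043: (Primary) Failover interface failed",
    "Jul 19 2013 10:15:05 fw1 kernel: not an ASA message at all",
]

if __name__ == "__main__":
    # Only the two severity-1 failover messages pass both filters.
    for m in select_for_email(SAMPLE_LOG):
        print(f"EMAIL sev={m.severity} id={m.msg_id} {m.text}")
```

The third sample line is the interesting one: 105008 is inside the 105xxx range, so it is on the list, but at severity 6 it is dropped by the "level alerts" recipient filter. If you raise the recipient level (for example to "informational") that message is mailed too, which is how you end up with an inbox full of interface-test chatter.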

I haven't tested the above configuration exactly but have tested a very similar one on a customer's network. It works like a charm!


Hope it helps! Thanks for reading.