ASA standby IP necessary for failover?

Unanswered Question
Aug 7th, 2007


I've a question concerning failover. My problem is that my customer has only 2 addresses for the outside interface (with a mask). So we cannot configure a standby IP for this interface, as the second IP is for the provider router. Is it possible to configure failover without a standby IP for the outside interface, and what is the impact of such a configuration? What could happen?

Should I deactivate the monitoring of this interface?

Thanks a lot for your help.


russ Sun, 08/19/2007 - 14:00

Use a mask for the outside interface instead. This will allow you to allocate a standby IP address outside the range of the IP addresses allocated by the ISP. The ISP doesn't care what mask you give to the FWs, they will still use a mask for their router. This should work because the standby IP is only used for sending/receiving standby hello packets between itself and the primary fw. Although the fw is using a mask, you'll still only be able to use the 2 addresses provided by the ISP for Internet connectivity.

russ Sun, 08/19/2007 - 14:17

Yes, I had a customer that had used up all of their available public IP addresses, and it is also a waste to allocate a usable public IP address for the standby IP address, so I just changed the mask on the fw as previously mentioned. The only issue that may arise is if you were trying to connect to a site that was using IP addresses within the extended subnet range, but the chances of this occurring are very slim and you could also configure host routes to get around this. The only site you couldn't connect to would be the one allocated to the standby IP.

DfyAnt Sun, 08/19/2007 - 16:09

When configuring Active/Standby, both interfaces must have an IP address within the same subnet.

fbroussey Sun, 08/19/2007 - 22:43

Thanks for your answer RUSS, I will try this solution, but I've read that one needs a standby IP address on the same subnet on each interface, too...

Just a question: how can the active FW reach this second IP address if it is not on the same subnet and not routed? So, what is the difference between giving an IP address that is not reachable and no IP address?


russ Mon, 08/20/2007 - 05:23

Not sure what you mean by second IP address not being on the same subnet as the active FW?

If you change the outside mask on the active FW to and allocate the standby IP within this range then both the active and standby addresses will be on the same subnet. The outside IP address of the active FW will be configured within the address range allocated by the ISP, the standby IP will be an address allocated outside the range given by the ISP, but as I said previously this should not matter.
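
The widened-mask plan discussed in this thread can be checked before it is applied. The following is an added example, not part of any post above; the thread does not state the masks, so the /30 ISP allocation, the /29 firewall mask and the 192.0.2.x documentation addresses are all assumptions. It verifies that the standby address sits in the firewall's subnet but outside the ISP allocation, and lists the addresses the firewall will now treat as directly connected.

```python
import ipaddress

def widened_mask_impact(isp_net, fw_prefixlen, active_ip, standby_ip):
    """Validate a widened-mask failover addressing plan and list its side effects."""
    isp = ipaddress.ip_network(isp_net)
    active = ipaddress.ip_address(active_ip)
    standby = ipaddress.ip_address(standby_ip)
    # Subnet the firewall believes it is attached to once the mask is widened.
    fw_net = ipaddress.ip_interface(f"{active_ip}/{fw_prefixlen}").network

    problems = []
    if active not in set(isp.hosts()):
        problems.append("active IP is not a usable host in the ISP allocation")
    if not fw_net.supernet_of(isp):
        problems.append("firewall subnet does not cover the ISP allocation")
    if standby not in fw_net:
        problems.append("standby IP is not in the same subnet as the active IP")
    if standby in isp:
        problems.append("standby IP overlaps the ISP allocation")
    if standby in (fw_net.network_address, fw_net.broadcast_address):
        problems.append("standby IP is the network or broadcast address")
    if standby == active:
        problems.append("standby IP equals the active IP")

    # Addresses the firewall now treats as on-link although the ISP routes them
    # elsewhere: real Internet hosts here are shadowed unless a host route is added.
    shadowed = [a for a in fw_net if a not in isp]
    # Per the thread, the address used as the standby IP cannot be recovered this way.
    host_route_candidates = [a for a in shadowed if a != standby]
    return {"fw_net": fw_net, "problems": problems,
            "shadowed": shadowed, "host_route_candidates": host_route_candidates}

if __name__ == "__main__":
    # Constructed sample: ISP gives 192.0.2.0/30 (.1 firewall, .2 provider router).
    plan = widened_mask_impact("192.0.2.0/30", 29, "192.0.2.1", "192.0.2.5")
    print("firewall subnet:", plan["fw_net"])
    print("problems:", plan["problems"] or "none")
    print("shadowed:", ", ".join(map(str, plan["shadowed"])))
```
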

