Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1072
Views
5
Helpful
7
Replies

ASA Standby ip necessary for Failover ?

fbroussey
Level 1
Level 1

‎08-07-2007 11:36 PM - edited ‎03-11-2019 03:55 AM

Hi,

I've a question concerning failover. My problem is that my customer has only 2 adresses for the outside interface (with a 255.255.255.252 mask). So we cannot configure a standby ip for this interface as the second ip is for the provider router. Is it possible to configure failover without a standby ip for the outside interface AND what are the impact of such a configuration? What could happenned ?

Should i deactivate the monitoring of this interface ?

Thanks a lot for your help.

Regards

Labels:
0 Helpful
7 Replies 7

tstanik
Level 5
Level 5

‎08-14-2007 10:17 AM

I think you can use Active/Standby failover in your scenario. Following link may help you

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

0 Helpful

russ
Level 1
Level 1

‎08-19-2007 02:00 PM

Use a 255.255.255.248 mask for the outside interface instead. This will allow you to allocate a standby IP address outside the range of the IP addresses allocated by the ISP. The ISP doesn't care what mask you give to the FWs, they will still use a 255.255.255.252 mask for their router. This should work because the standby IP is only used for sending/receiving standby hello packets between itself and the primary fw. Although the fw is using a 255.255.255.248 mask, you'll still only be able to use the 2 addresses provided by the ISP for Internet connectivity.

0 Helpful

froggy3132000
Level 3
Level 3
In response to russ

‎08-19-2007 02:05 PM

Have you done this b4?

0 Helpful

russ
Level 1
Level 1
In response to froggy3132000

‎08-19-2007 02:17 PM

Yes, I had a customer that had used up all of their available public IP addresses and it is also a waste to allocate a useable public IP address for the standby IP address, so I just changed the mask on the fw as previously mentioned. The only issue that may arise is if you were trying to connect to a site that was using IP addresses within the extended subnet range, but the chances of this occurring are very slim and you could also configure host routes to get around this, the only site you couln't connect to would be the one allocated to the standby IP.

0 Helpful

DfyAnt
Level 1
Level 1

‎08-19-2007 04:09 PM

When configuring Active/Standby, both interfaces must have an IP address within the same subnet.

0 Helpful

fbroussey
Level 1
Level 1
In response to DfyAnt

‎08-19-2007 10:43 PM

Thanks for your answer RUSS, i will try this solution but i 've read that one need a standby ip address on the same subnet on each interface, too...

Just a question, how can the active FW reach this second IP address if it is not on the same subnet and not routed??? So, what is the difference between given an ip address not reachable and no ip address ?...

Thanks

0 Helpful

russ
Level 1
Level 1
In response to fbroussey

‎08-20-2007 05:23 AM

Not sure what you mean by second IP address not being on the same subnet as the active FW?

If you change the outside mask on the active FW to 255.255.255.248 and allocate the standby IP within this range then both the active and standby addresses will be on the same subnet. The outside IP address of the active FW will be configured within the address range allocated by the ISP, the standby IP will be an address allocated outside the range given by the ISP, but as I said previously this should not matter.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card