ASA 8.0.3: Standby Failover shouldn't respond on outside interface

Unanswered Question

Hello all

I set up an active/passive failover configuration on a pair of ASA5510s used as VPN concentrators and firewalls. As they permit clientless SSL VPN, ports 80 and 443 on the outside interface are open (80 just for the redirection to 443).

That works fine on the active unit.

But these ports shouldn't be open on the standby unit!!! If I connect to the standby unit (http://), I get redirected to https:// and get the right certificate, but then the following error:

"can not load file".

--> I don't think the standby unit should respond on any port on the outside interface.

Or do I understand something wrong here?

--> How to protect the standby unit?



kagodfrey Thu, 11/22/2007 - 09:49

Hi Rufer

Although I have yet to try it, someone told me only yesterday that, as it should never be used, it really doesn't matter if you give the ASA a "duff" standby address - say for instance something out of an unused private range - rather than assigning it one of your free IP addresses from your outside range.

I was fairly surprised, but he was adamant that this does indeed work, is a good way to preserve your pool of outside addresses, and does not affect the functionality of the ASA with respect to its failover capability. I'd be interested to hear if it works for you, or if anyone has used this method.



kagodfrey Fri, 11/23/2007 - 02:56

Hi Rufer

So this has nothing to do with NAT; it is merely using a random/spurious private address (i.e. unroutable from the public side) on your standby unit. As I mentioned, I've not tried it as I don't have an ASA FO pair handy to play with at this time, but I heard that it was possible to configure on the ASA something like:

ip address standby

Like you, I was always under the impression that the standby IP needed to be in the same subnet, so if you have attempted this and it came back with some error message to this effect, then I apologise, as I have clearly been misled. I'm dropping the chap a quick email to find out if he was winding me up... :-S

[Edit: Have received a response which clarifies what he was saying. Unfortunately the method in fact only works on a PIX; the ASA will indeed complain vigorously. I don't know what else to suggest, except maybe you can request your ISP "deny ip any any" to your ASA standby address on their gateway router to afford you some protection?]
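The two pieces of configuration the thread ends up at, written out as an added example (not configuration posted by either participant): the ASA outside interface with its standby address in the same subnet as the active address, which is what the ASA insists on, and the filter the last reply suggests asking the ISP to put on their gateway router. All addresses (203.0.113.0/29 from the RFC 5737 documentation range, 192.168.255.0/30 for the failover link), interface names and the ACL name are assumptions for illustration.

```cisco
! ===== ASA primary unit (8.0 syntax) =====
! The standby address must sit in the outside subnet; an address from an
! unrelated private range is rejected on the ASA (it was tolerated on a PIX).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Dedicated LAN-based failover link between the two units
interface Ethernet0/3
 description failover link
 no shutdown
!
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover key MyFailoverKey
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2

! ===== ISP gateway router (IOS) =====
! Drop everything the Internet sends to the ASA standby address before it
! reaches the customer segment; everything else passes unchanged.
ip access-list extended BLOCK-ASA-STANDBY
 remark at customer request: the standby ASA should not be reachable from outside
 deny   ip any host 203.0.113.3
 permit ip any any
!
interface GigabitEthernet0/1
 description link to customer ASA pair
 ip access-group BLOCK-ASA-STANDBY out
```

Two caveats worth knowing before relying on the router ACL. Failover hellos run over the dedicated failover link, and the interface tests the two units run against each other on the outside segment stay on that local segment, so a filter on the ISP router does not interfere with them. The filter also only blocks traffic that crosses the ISP router: anything else on the same outside segment can still reach the standby address directly, and after a failover the addresses swap, so 203.0.113.3 becomes the active (and deliberately reachable) address until the units swap back.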



