no standby ip address on interfaces of a failover asa

Sep 19th, 2008

I found an implementation of ASA with failover which doesn't have standby IP addresses configured on the interfaces. The vendor says the failover is tested and working.


QUESTION: what is the impact of this kind of implementation?



Marwan ALshawi Sat, 09/20/2008 - 01:29

OK, in ASA failover

the interface will have two IP addresses, active and standby

the main/active device will use the active IP and the secondary will use the standby

and the IP is used to keep the communication between devices, check when the active goes down, and synchronize the config from the active device to the secondary standby device

so if there is no IP on the standby device, how will they communicate?


Does the article you read put a description for that and why they did it like that??

robertson.michael Thu, 09/25/2008 - 08:43

Hi Celso,


While the vendor is technically correct (failover will still work even without the standby IP addresses configured, that is, as long as the failover interface has both Active and Standby IP addresses), it is technically a misconfiguration to not specify standby IP addresses.


To answer your question specifically: the impact is that without standby IP addresses, the Standby unit will be completely inaccessible. This includes both management traffic (i.e. SSH) and the "hello" packets that Marwan mentioned (which are sent by the Active unit to test the functionality of its mate's interface).


I would recommend changing this specific implementation during your next maintenance window.


Hope that helps.


-Mike
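An added audit check, not from this thread or from Cisco: it parses a (constructed) ASA running-config excerpt and reports every addressed interface on a failover-enabled unit that has no `standby` address, plus a failover link defined without one. The config format (`interface`, `ip address ... standby ...`, `failover interface ip ...`) is the ASA's own; the sample addresses are made up.

```python
import re

# Constructed ASA running-config excerpt (not from the thread): failover is
# enabled, but only the outside interface carries a standby address.
SAMPLE_CONFIG = """\
hostname asa-primary
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/3
 description LAN Failover Interface
failover
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
"""

IFACE_RE = re.compile(r"^interface (\S+)$")
IP_RE = re.compile(r"^ ip address (\S+) (\S+)(?: standby (\S+))?$")
FO_IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) \S+(?: standby (\S+))?$")


def audit_standby_addresses(config):
    """Return (interface label, active IP) for every addressed interface
    without a standby IP. On a failover pair such an interface leaves the
    standby unit unreachable for management and for the active unit's
    interface health checks. Returns [] when failover is not enabled."""
    lines = config.splitlines()
    if not any(line.strip() == "failover" for line in lines):
        return []
    findings, iface = [], None
    for line in lines:
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and iface and m.group(3) is None:
            findings.append((iface, m.group(1)))
            continue
        m = FO_IP_RE.match(line)
        if m and m.group(3) is None:
            # No standby address on the failover link itself: the units
            # cannot exchange hellos or sync config, so failover breaks.
            findings.append((f"failover link {m.group(1)}", m.group(2)))
    return findings
```

Run it against `show running-config` output saved to a file; an empty result means every addressed interface (and the failover link) has a standby address.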

tholmes@cistek-... Fri, 03/06/2009 - 11:14

Hello



I've run out of legal IP addresses on the Outside interface; I need one more for static mapping. Can I use the legal IP address that is currently assigned to the standby ASA?


As this address is never actually 'in service', can I use this for a static translation, leaving the standby blank? During a failover, the Standby ASA assumes the Active IP.


Regards Tony

JamesLuther Fri, 03/06/2009 - 11:21

Hi Tony,


No you can't. Although no traffic is being routed through this standby address it is still a valid address that you can talk to the standby unit with.


Therefore you will get an IP conflict on your network if you configure another device to use this IP.



Regards

tholmes@cistek-... Fri, 03/06/2009 - 11:26

wow, thanks for the speedy response!


I was planning on removing the standby IP address from the Primary ASA and then using that for mapping.


Does this sound ok?


Cheers Tony
