Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3143
Views
9
Helpful
5
Replies

no standby ip address on interfaces of a failover asa

cfajardo1_2
Level 1
Level 1

‎09-19-2008 11:26 PM - edited ‎03-11-2019 06:47 AM

i found an implementation of asa with failover which doesnt have a standby ip addareses configured on the interfaces. the vendor says the failover is tested and working.

QUESTION: what is the impact of this kind of implementation?

Labels:
0 Helpful
5 Replies 5

Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-20-2008 01:29 AM

ok in asa failover

the interface will have two ip address active and standby

the main/active device will use the active ip and secondary will use the standby

and the ip used to keep the communication between devices and check when the active gos down and syncronize the config from the active device to the secondary standby device

so if there is no ip on the standby device how they will communicate?

dose the articl u read put a descryption for that and why they done like that??

0 Helpful

robertson.michael
Level 3
Level 3

‎09-25-2008 08:43 AM

Hi Celso,

While the vendor is technically correct (failover will still work even without the standby IP addresses configured--that is along as the failover interface has both Active and Standby IP addresses), it is technically a misconfiguration to not specify standby IP addresses.

To answer your question specifically: the impact is that without standby IP addresses, the Standby unit will be completely unaccessible. This includes both management traffic (i.e. SSH) and the "hello" packets that Marwan mentioned (which are sent by the Active unit to test the functionality of its mate's interface).

I would recommend changing this specific implementation during your next maintenance window.

Hope that helps.

-Mike

tholmes
Level 1
Level 1
In response to robertson.michael

‎03-06-2009 11:14 AM

Hello

I've run out of legal IP addresses on the Outside interface, I need one more for static mapping, can I use the legal IP address that is currently assigned to the standby ASA?

As this address is never actually 'in service', can I use this for a static translation, leaving the standby blank. during a failover, the Standy ASA assumes the Active IP.

Regards Tony

0 Helpful

JamesLuther
Level 3
Level 3
In response to tholmes

‎03-06-2009 11:21 AM

Hi Tony,

No you can't. Although no traffic is being routed through this standby address it is still a valid address that you can talk to the standby unit with.

Therefore you will get an IP conflict on your network if you configure another device to use this IP.

Regards

tholmes
Level 1
Level 1
In response to JamesLuther

‎03-06-2009 11:26 AM

wow, thanks for the speedy response!

I wasplanning on removing the standby IP address from the Primary ASA and then suing that for mapping

Does this sound ok?

Cheers Tony

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card