
ASA Active/Standby mgt interface config

Sharkey13

Hello. I have just implemented an ASA Active/Standby (A/S) failover configuration, and the config has successfully transferred to the standby unit.

However, I am not sure of the "best practice" on how to handle the management interface configuration.

Issue: Once the config transferred to the standby unit, the mgt interface now has the same IP address as the active unit mgt interface. What is the best method for maintaining separate IP addresses on these interfaces for remote management purposes without compromising the configs on each ASA (and ending the annoying console messages on the active unit too)?

Thanks in advance. Patrick

Accepted Solutions

Hi Patrick,

The way you do this is to configure the standby IP addresses for all of your interfaces on the Active unit. This is done with the 'standby' keyword:

ASA(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2

The address used by the Standby interface must be in the same subnet as the Active address and cannot be in use anywhere else on your network.

Once you configure this on the Active unit, the configuration will be replicated down to the Standby unit so the changes will take effect (or you can use the 'write standby' command on the Active unit).

After the changes take effect, you can issue the 'show failover' command to see that the Active and Standby interfaces have different IP addresses.

Hope that helps.

-Mike

Mike - thank you for a clear, concise answer.

Allow me to ask a follow-up question.

Do I also need to do this for the OUTSIDE and INSIDE interfaces on the primary (active) unit? It would seem that I do not, as the Cisco documentation in "Active/Standby Failover Overview" states:

"The unit that becomes active assumes the IP addresses and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses."

I cannot think of a reason I would want to configure standby addresses on the OUTSIDE and INSIDE interfaces on the active unit, if they are indeed assumed at failover. Am I missing something?

Thanks in advance, Patrick

Hi Patrick,

It is technically a misconfiguration if you do not configure standby IP addresses on all of your interfaces.

While failover will still function, the interfaces on the Standby unit will be unreachable unless you specify Standby IP addresses for them. This includes both management traffic (i.e. SSH) and the interface "hello" packets that are sent by the Active unit to determine if an interface is still functioning.

So to answer your question directly: yes, you should configure the Standby IP addresses for all of the interfaces in your configuration.

Hope that helps.

-Mike

Mike - very useful information.

Thanks again.

Patrick
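
One way to audit a saved running-config against the rules given in the answers above (every addressed interface has a standby address, and it sits in the same subnet as the active address), as an added example that is not part of the original thread or any Cisco tooling. The function name, the regular expression and the sample config are assumptions made for illustration; the duplicate check only sees addresses that appear in the config itself.

```python
import ipaddress
import re

# Constructed sample running-config, trimmed to the lines that matter here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0 standby 10.0.1.2
!
interface GigabitEthernet0/2
 ip address 172.16.0.1 255.255.255.0 standby 172.16.0.1
!
interface Management0/0
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
!
"""

IP_LINE = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_standby_addresses(config_text):
    """Return (interface, problem) pairs for statically addressed interfaces."""
    findings, current, seen = [], None, {}
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        match = IP_LINE.match(line)
        if not match or current is None:
            continue
        active, mask, standby = match.groups()
        try:
            network = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            standby_ip = ipaddress.ip_address(standby) if standby else None
        except ValueError:  # e.g. "ip address dhcp setroute": nothing to audit
            continue
        if standby_ip is None:
            findings.append((current, "no standby address"))
        elif standby_ip not in network:
            findings.append((current, f"standby {standby} not in {network}"))
        for addr in filter(None, (active, standby)):
            if addr in seen:  # only sees addresses present in this config
                findings.append((current, f"{addr} already used on {seen[addr]}"))
            seen[addr] = current
    return findings

if __name__ == "__main__":
    for interface, problem in audit_standby_addresses(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```
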
