A couple of questions. About to implement this scenario with two ASA5520s. I plan to have these two connected to two 4506s running as core switches. My question is, do the ASAs need a dedicated link to each other for their communication, or can they communicate active/standby info with each other through their links to the dual 4506s? The 4506s will be running EIGRP with default routes to the ASAs. The 4 devices will be connected with a /29 subnet. Please see the attachment. The ASAs do not have sub-interfaces. They are connected to the 4506s on the same VLAN, vlan 2. Will I need a direct link between the two ASAs? Thanks. I just want to make sure I understand this right.
This is not a secondary address but a standby address.
The roles are primary and secondary, but the states are active and standby.
Whichever unit is active will assume the active MAC at layer 2 and the active IP at layer 3. This active MAC and active IP are always the primary unit's, except on the failover interface; the failover interfaces will continue to use their own IP and MAC.
When we fail over, we always send a gratuitous ARP so the adjacent devices can update their ARP and MAC address tables.
So, even for the outside interface you should have a standby IP; otherwise monitoring interfaces will not be possible. Failover will still work.
Your existing IP config will need to be updated to include standby IP addresses for the pair. In an active/standby scenario, the active ASA will manage the primary interface IPs and will use the failover link for replication and keepalives. In a failure scenario, the secondary ASA will take over control of the primary interface IPs. This will allow you to point your default route to the same IP irrespective of what ASA is active at that time. Below is a sample failover config.
ip address 22.214.171.124 255.255.255.0 standby 126.96.36.199
ip address 10.10.10.11 255.255.255.0 standby 10.10.10.12
description LAN/STATE Failover Interface
failover lan unit primary
failover lan interface Failover GigabitEthernet0/2
failover key *****
failover link Failover GigabitEthernet0/2
failover interface ip Failover 10.1.1.1 255.255.255.252 standby 10.1.1.2