ASA Failover

Unanswered Question
Aug 27th, 2009

When configuring ASA's in A/S should you be able to connect to the ASA in standby mode?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Thu, 08/27/2009 - 09:10

my experience, it depends on how you have authentication and routing configured on the primary. if dynamic routing is enabled and you're relying on an authentication server, it's possible the standby unit doesn't have a route to the auth server. to accomodate this, put a static route in the primary just for the auth server...or have a LOCAL auth group as a fallback auth method when the auth server times out.

also, if yo'ure using an auth server (eg radius/tacacs), make sure you have the standby IP in there as well as the primary.

Only through console. I have this setup and I cannot access the standby box unless I use console.

Box boxes are configured exactly the same, so you only have 1 IP address.

On the old PIXes you were able to connect to both the standby and active boxes because each one had a different IP.

You can however issue failover commands to the standby box. So you can restart the standby box or make it active, but as far as I know that is all you can do.

srue Fri, 08/28/2009 - 05:35

what do you mean you only have 1 IP? did you not configure the standby addresses?

This is how my failover is configured: failover

failover lan unit primary

failover lan interface LANFAIL GigabitEthernet0/3

failover polltime unit 1 holdtime 3

failover key *****

failover link LANFAIL GigabitEthernet0/3

failover interface ip LANFAIL standby

I do have the standby address configured for the failover link but I do not have a standby address on any other interface. I never really tried connecting to the failover IP address, I dont have that routed through my regular network.

Are you saying I should have a stanby IP address on my other interfaces aswell? I know the PIXs are setup that way.


campbech1 Mon, 08/31/2009 - 09:18

Yes, just make sure the standby addresses are setup. I connect to our standby and perform upgrades all the time without any issues.


This Discussion