cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4220
Views
0
Helpful
3
Replies

connect to standby ASA

jwilder
Level 1
Level 1

Hello, i have 2 5520's running active/standby. How do i connect to the standby unit to load a IOS upgrade with zero downtime? I can ping my standby ip address from the primary/active unit but obviously cannot telnet from there. can i only connect to the standby unit with a console cable? I am not able to ping the standby unit IP from my lan.......

Thanks!

3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

jwilder wrote:

Hello, i have 2 5520's running active/standby. How do i connect to the standby unit to load a IOS upgrade with zero downtime? I can ping my standby ip address from the primary/active unit but obviously cannot telnet from there. can i only connect to the standby unit with a console cable? I am not able to ping the standby unit IP from my lan.......

Thanks!

It's probably a routiing issue. When you say you cannot connect from your LAN is your LAN address on a different subnet than the ASA standby address ? If so you need either -

1) routing on the standby ASA to get to remote networks. Note if you had a defaultg static route on the primary the standby should have it too. If you are using dynamic routing on the firewalls the standby only gets the routes when the primary fails.

or

2) use a machine on the same subnet as the ASA standby address.

Jon

we are using dynamic routing, so that would explain the issue. I guess i will have to connect up to the local interface. hopefully that will work.....

can the management interface be configured for this type of connection then?

Thanks,

Jeff

jwilder wrote:

we are using dynamic routing, so that would explain the issue. I guess i will have to connect up to the local interface. hopefully that will work.....

can the management interface be configured for this type of connection then?

Thanks,

Jeff

Jeff

Not sure as i have never done that, i just use the inside interface for these sort of things. You could add a static route to the primary for your subnet which would then get propagated to the standy which would temporarily give you access but you would need to be careful you didn't mess up your routing obviously.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: