I have a 5550 that I'm going to be setting up failover on when we get our second one soon. I have a couple of questions:
1.) The current 5550 that we have has a public presence. Do I need to configure the standby with a physical public address also?
2.) I would also think that if I had to do the above, I would also need to configure for internal.
The configs that I've found haven't been clear on how to configure active/standby on these units. I've got the following:
Current 5550 (primary):
eth0: ip 18.104.22.168 255.255.255.252
eth1: ip 192.168.1.1
To configure the above existing firewall in failover, I've been finding configs that are applying the failover and state interfaces to interfaces that don't look like they're being addressed. In reality, does the standby need an IP address that faces the LAN, or are the only addresses that need to be configured the ones that are configured to look for failover?
eth0: connected to public switch (no ip)
eth1: connected to failover (10.0.0.2/30)
eth2: connected to state (10.0.0.6/30)
eth3: connected to lan (no ip)
The above would be communicated from the primary with:
eth0: public address
eth1: connected to failover (10.0.0.1/30)
eth2: connected to state (10.0.0.5/30)
eth3: internal lan (192.168.1.1)
Am I on the right track?
I did actually use a second public address for the standby ASA, but as it was mentioned before I don't think you don't need to. You can monitor whichever interfaces you want.
i.e., the assigned internal address is the standby's own address until it goes primary and then that address is overwritten for the moment with the primary's address.
This is true, after it goes primary, I'm pretty sure any reference to it being the original secondary is gone. It is your new primary.
Also I just wanted to mention I'm not doing stateful failover. I don't think it makes too much of a difference for the purpose of this thread but I figured I should say so. I didn't catch that part in the beginning.
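An illustrative ASA active/standby layout for the addressing discussed in this thread, added here as an example and not taken from any poster's configuration. Assumed values: the GigabitEthernet names standing in for eth0 to eth3, the /24 inside mask, the 192.168.1.2 standby address, the FOLINK and STATELINK names, and the placeholder failover key.

```cisco
! ---- Primary unit (constructed example; see assumptions above) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! The public /30 has no spare host address, so no "standby" address is set here
 ip address 18.104.22.168 255.255.255.252
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ! The active unit always answers on 192.168.1.1; the standby unit holds
 ! 192.168.1.2 (assumed) and the two swap addresses on failover
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Failover and state links carry no nameif or ip address of their own;
! they only need to be enabled
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/1
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Stateful link (leave these two lines out for stateless failover)
failover link STATELINK GigabitEthernet0/2
failover interface ip STATELINK 10.0.0.5 255.255.255.252 standby 10.0.0.6
! Authenticate and encrypt failover traffic; without a key it is sent in
! clear text, including the replicated configuration
failover key <PLACEHOLDER-SHARED-SECRET>
! Without a standby address, outside cannot be health-checked, so stop monitoring it
no monitor-interface outside
failover

! ---- Secondary unit: bootstrap only; the rest replicates from the primary ----
interface GigabitEthernet0/1
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/1
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key <PLACEHOLDER-SHARED-SECRET>
failover
```

After both units are up, `show failover` on either one reports which unit is active and the state of each monitored interface.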