standby ip required?

Aug 24th, 2010

I have two routed ASAs that I want to run in active/standby mode. But I'm short on IP addresses on the outside interface. Is the standby IP address absolutely required for failover to function properly, or is that only used if that interface is monitored for failover purposes?



Diego Armando C... Tue, 08/24/2010 - 13:44

That's only for monitoring purposes. You just need to know that if the outside link fails you will be completely down, since there is no backup IP address.

ippolito Tue, 08/24/2010 - 13:57

Are you sure that the standby unit won't assume the primary ip address?



witsang Tue, 08/24/2010 - 14:08

Hi Mike,

The standby ip address is not a requirement for failover to function properly. When a failover occurs, the standby unit will become the active unit and assume the active ip address.

Diego Armando C... Tue, 08/24/2010 - 14:16

But you will not be monitoring the OUTSIDE so what's going on if the outside fails?

From the standby perspective, a monitored interface will listen for hello packets, and if the standby unit doesn't receive a hello packet during x seconds then it will become the active unit. Since you will not monitor the outside (no hello packets), how is the secondary going to take the active role if it doesn't know that the outside of the primary went down?

Diego Armando C... Tue, 08/24/2010 - 14:18

If there is a power failure there is not going to be any problem; the secondary will take the active role... but what if there is a failure in the outside interface of the primary?

Diego Armando C... Tue, 08/24/2010 - 14:20

The main reasons why a failover is triggered are:

  • The unit has a hardware failure or a power failure.

  • The unit has a software failure.

  • Too many monitored interfaces fail.

In your case, if the outside interface of the primary fails, no failover will occur.

ippolito Tue, 08/24/2010 - 14:25

I was mainly looking to compensate for a complete hardware failure of the primary unit, but your point is well taken that if the outside interface fails then failover to the standby won't occur.

Thanks for the help.


