Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2731
Views
0
Helpful
4
Replies

Adding sub-interfaces to a active/standby config

Go to solution
smetieh001
Level 1
Level 1

‎10-07-2013 09:04 AM - edited ‎03-11-2019 07:48 PM

Hello Experts,

I have a question about adding 2 new sub-interfaces to my firewall on active/standby config.

If i add a new sub-interface to an active firewall with existing sub-interface, do i need to add thesame sub-interface config to the standby also?

I look forward to your response.

i.e on active firewall

interface GigabitEthernet0/1.120

vlan 120

nameif Test

security-level 100

ip address 192.168.0.1 255.255.0.0 

Do i need to do the below on standby also

interface GigabitEthernet0/1.120

vlan 120

nameif Test

security-level 100

ip address 192.168.0.1 255.255.0.0 

Thanks

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-07-2013 09:08 AM

Hi,

In a Failover pair of ASAs you only add the interface configurations in the Active unit.

Note also in your above configuration example that you have NOT configured any "standby" IP address which defines the IP address that the Standby unit uses.

It should be

interface GigabitEthernet0/1.120

vlan 120

nameif Test

security-level 100

ip address 192.168.0.1 255.255.0.0 standby 192.168.0.x

Or something to that direction. The configurations are replicated from Active to Standby device so no need to configure interface on the Standby unit separately.

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to smetieh001

‎10-07-2013 10:12 AM

Hi,

Well to my understanding the "standby" IP address is mainly used for the communication between the devices themselves to monitor the state of the devices and interfaces in the Failover.

It doesnt actually participate in passing traffic as the first IP address in the configuration is always used on the Active device, not the "standby".

I don't see any reason not to configure the "standby" IP address on local interfaces (since you usually use private IP addresses that you dont really run out of). I guess some people do leave out the "standby" IP address on the "outside" interface if they dont have enough public IP addresses.

Also to my understanding if you create subinterfaces on an ASA that is part of a Failover pair then you will need a separate command "monitor-interface" to enable monitoring of this logical interface (subinterface). I think by default the ASA doesnt monitor a logical interface otherwise.

The ASA Configuration Guide and Command Reference documents contain a lot of valuable information about the ASA Failover behaviour.

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-07-2013 09:08 AM

Hi,

In a Failover pair of ASAs you only add the interface configurations in the Active unit.

Note also in your above configuration example that you have NOT configured any "standby" IP address which defines the IP address that the Standby unit uses.

It should be

interface GigabitEthernet0/1.120

vlan 120

nameif Test

security-level 100

ip address 192.168.0.1 255.255.0.0 standby 192.168.0.x

Or something to that direction. The configurations are replicated from Active to Standby device so no need to configure interface on the Standby unit separately.

- Jouni

0 Helpful

Go to solution
smetieh001
Level 1
Level 1
In response to Jouni Forss

‎10-07-2013 09:26 AM

Hi Jouni,

Thanks for your response. Do i have to do

ip address 192.168.0.1 255.255.0.0 standby 192.168.0.x

I already have one sub-interafce configured with standby address like that (as above) while other subs are configured without standby? I guess what i am asking is that what is the impact of not using the "standby 192.168.0.x"?

Thanks again.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to smetieh001

‎10-07-2013 10:12 AM

Hi,

Well to my understanding the "standby" IP address is mainly used for the communication between the devices themselves to monitor the state of the devices and interfaces in the Failover.

It doesnt actually participate in passing traffic as the first IP address in the configuration is always used on the Active device, not the "standby".

I don't see any reason not to configure the "standby" IP address on local interfaces (since you usually use private IP addresses that you dont really run out of). I guess some people do leave out the "standby" IP address on the "outside" interface if they dont have enough public IP addresses.

Also to my understanding if you create subinterfaces on an ASA that is part of a Failover pair then you will need a separate command "monitor-interface" to enable monitoring of this logical interface (subinterface). I think by default the ASA doesnt monitor a logical interface otherwise.

The ASA Configuration Guide and Command Reference documents contain a lot of valuable information about the ASA Failover behaviour.

- Jouni

0 Helpful

Go to solution
smetieh001
Level 1
Level 1
In response to Jouni Forss

‎10-07-2013 10:30 AM

Thanks Jouni!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card