Changing the Fail-over interface IP address on the ASA Active/Standby Fail-over

Tue, 08/26/2014 - 23:19
Apr 15th, 2014
User Badges: Cisco Employee



Introduction

Because of an IP address shortage or an IP address overlap in the internal network, we might need to change the Fail-over interface IP addresses.

Example

For example, we see this error on the ASA device while configuring it when the addresses being configured and the Fail-over IP addresses overlap:

WARNING: 192.168.0.0-192.168.255.255 overlaps with failover interface address. The failover units may become active

This is the Fail-over configuration causing this error:

failover
failover lan unit primary
failover lan interface FAIL GigabitEthernet0/5
failover link STATE GigabitEthernet0/4
failover interface ip FAIL 192.168.201.1 255.255.255.252 standby 192.168.201.2
failover interface ip STATE 192.168.202.1 255.255.255.252 standby 192.168.202.2

To change the IP address on the Fail-over interface, follow these steps:

1) Disable Fail-over on the Primary unit:

no failover

2) The Fail-over status on the Secondary unit will change to:

Failover Off (pseudo-Standby)
Failover unit Secondary

3) Change the IP address on both ASA units separately. The command is the same on both units:

failover interface ip FAIL 172.16.2.3 255.255.255.252 standby 172.16.2.4
failover interface ip STATE 172.16.4.5 255.255.255.252 standby 172.16.4.6

4) Once you have configured the IP address information, re-enable Fail-over first on the Primary unit and then on the Secondary unit.

5) Fail-over will come up fine with the changed IP address on the Fail-over interface.

If you have a switch connected between the ASA units for the Fail-over interfaces, I would suggest clearing the ARP entries on the switch.
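A pre-change check for the addressing used in step 3, as an added example that is not part of the original document or any Cisco tool: it parses `failover interface ip` lines, confirms that the active and standby addresses are host addresses in the same subnet, and tests the subnet against ranges already in use. The function name, the sample constants and the first-last range format (modelled on the WARNING text above) are assumptions made for this example.

```python
import ipaddress
import re

# failover interface ip <name> <active> <mask> standby <standby>
LINE_RE = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")

# The two configurations shown in this document, used here as sample input.
OLD_CONFIG = """\
failover interface ip FAIL 192.168.201.1 255.255.255.252 standby 192.168.201.2
failover interface ip STATE 192.168.202.1 255.255.255.252 standby 192.168.202.2
"""
NEW_CONFIG = """\
failover interface ip FAIL 172.16.2.3 255.255.255.252 standby 172.16.2.4
failover interface ip STATE 172.16.4.5 255.255.255.252 standby 172.16.4.6
"""
# Range taken from the WARNING text in this document.
IN_USE = [("192.168.0.0", "192.168.255.255")]


def check_failover_ips(config, in_use_ranges):
    """Return a list of addressing problems found in the failover IP lines."""
    problems = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, active, mask, standby = m.groups()
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        for role, text in (("active", active), ("standby", standby)):
            addr = ipaddress.ip_address(text)
            edges = (net.network_address, net.broadcast_address)
            if addr not in net:
                problems.append(f"{name}: {role} {addr} is outside {net}")
            elif net.prefixlen < 31 and addr in edges:
                problems.append(
                    f"{name}: {role} {addr} is not a host address in {net}")
        for first, last in in_use_ranges:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            # Two ranges overlap when each one starts before the other ends.
            if net.network_address <= hi and lo <= net.broadcast_address:
                problems.append(f"{name}: {net} overlaps {first}-{last}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        for problem in check_failover_ips(cfg, IN_USE) or ["no problems found"]:
            print(f"{label}: {problem}")
```

Run as a script, it reports the overlap for both original /30 subnets. For the step 3 FAIL line it reports that 172.16.2.3 is the broadcast address of 172.16.2.0/30 and that 172.16.2.4 lies outside that subnet, so that pair is worth re-checking before it is entered on the units.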

Navneet Narang Tue, 04/15/2014 - 21:57

Hi, I have some doubts.

1. Is it possible to assign 4 IPs of the same subnet to the Failover & Stateful Interface?

"failover interface ip FAIL 192.168.202.3 255.255.255.248 standby 192.168.202.4

failover interface ip STATE 192.168.202.1 255.255.255.248 standby 192.168.202.2"

Here, the subnet used is 192.168.202.0/29 and all IPs fall under this.

 

2. It is possible to use the same Physical Interface as Failover Link Interface and Stateful Link Interface, but is it feasible to give the same physical interface (in the above example it's interface g0/5) so many IPs?

Vibhor Amrodia Tue, 04/15/2014 - 22:09
User Badges: Cisco Employee

Hi Navneet,

 

Thank you for pointing out the typo errors that I made on the document. I have corrected the same.

Thanks and Regards,

Vibhor Amrodia
