ASA 8.0.3: Standby Failover shouldn't respond on outside interface

mathias.rufer
Level 1

Hello all

I set up an active/passive failover configuration on a pair of ASA5510s used as VPN concentrators and firewall. As they permit clientless SSL VPN, ports 80 and 443 on the outside interface are open (80 just for the redirection to 443).

That works fine on the active unit.

But these ports shouldn't be open on the standby unit!!! If I connect to the standby unit (http://), I get redirected to https://, get the right certificate but then the following error:

"can not load file".

--> I don't think the standby unit should respond on any port on the outside interface.

Or do I understand something wrong here?

--> how to protect the Standby unit?

Greetings

Rufer

3 Replies

kagodfrey
Level 3

Hi Rufer

Although I have yet to try it, someone told me only yesterday that, as it should never be used, it really doesn't matter if you give the ASA a "duff" standby address - say for instance something out of an unused private range - rather than assigning it one of your free IP addresses from your outside range.

I was fairly surprised, but he was adamant that this does indeed work, is a good way to preserve your pool of outside addresses, and does not affect the functionality of the ASA with respect to its failover capability. I'd be interested to hear if it works for you, or if anyone has used this method.

HTH

Kev

Hello Kev

We don't use NAT at all, so I don't see a way to do this. The standby address has to be in the same subnet as the active address. If you have more detailed information, let me know.

Greetings

Rufer

Hi Rufer

So this has nothing to do with NAT, it is merely using a random/spurious private address (i.e. not routable from the public Internet) on your standby unit. As I mentioned, I've not tried it as I don't have an ASA FO pair handy to play with at this time, but I heard that it was possible to configure on the ASA something like:

ip address standby 192.34.56.78

Like you, I was always under the impression that the standby IP needed to be in the same subnet, so if you have attempted this and it came back with some error message to this effect, then I apologise as I have clearly been misled. I'm dropping the chap a quick email to find out if he was winding me up... :-S

[Edit: Have received a response which clarifies what he was saying. Unfortunately the method in fact only works on a PIX; the ASA will indeed complain vigorously. I don't know what else to suggest, except that maybe you can request your ISP "deny ip any any" to your ASA standby address on their gateway router to afford you some protection?]

Thanks

Kev
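Kev's closing suggestion, written out as an added example that is not part of the original thread: an access list on the upstream (ISP or your own) IOS router that drops everything from the Internet aimed at the ASA standby address while leaving the active address untouched. The addresses are placeholders from the RFC 5737 documentation range 203.0.113.0/24 and the interface names are assumed; substitute your own.

```cisco
! Added example, not from the thread. Placeholder addressing (RFC 5737):
!   203.0.113.1  upstream router, ASA-facing interface (ASA outside default gateway)
!   203.0.113.2  ASA outside, active address
!   203.0.113.3  ASA outside, standby address
! Interface names are assumed.
ip access-list extended PROTECT-ASA-STANDBY
 remark Drop anything from the Internet destined for the ASA standby address
 deny   ip any host 203.0.113.3
 remark Everything else, including the active address, is unaffected
 permit ip any any
!
! Apply it where Internet traffic enters the router, NOT on the ASA-facing
! interface, so the router can still answer the standby unit's ARP and
! ping-based interface health tests on the shared outside segment.
interface GigabitEthernet0/0
 description Upstream / Internet
 ip access-group PROTECT-ASA-STANDBY in
!
interface GigabitEthernet0/1
 description Towards the ASA failover pair (203.0.113.0/29)
 ip address 203.0.113.1 255.255.255.248
```

Two practical points. First, an ASA failover swaps which unit holds each address, not the addresses themselves, so the rule keeps protecting whichever box is currently standby without any change after a failover. Second, this only shields the standby address from the far side of the router: anything on the local outside segment, or with a path that does not cross GigabitEthernet0/0, can still reach the standby unit on 80 and 443.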
