New Member

ASA 8.0.3: Standby Failover shouldn't respond on outside interface

Hello all

I set up an active/passive failover configuration on a pair of ASA5510s used as VPN concentrators and firewall. As they permit clientless SSL VPN, ports 80 and 443 on the outside interface are open (80 just for the redirection to 443).

That works fine on the active unit.

But these ports shouldn't be open on the standby unit!!! If I connect to the standby unit (http://), I get redirected to https://, get the right certificate but then the following error:

"can not load file".

--> I don't think the standby unit should respond on any port on the outside interface.

Or do I understand something wrong here?

--> how to protect the Standby unit?

Greetings

Rufer

3 REPLIES
New Member

Re: ASA 8.0.3: Standby Failover shouldn't respond on outside int

Hi Rufer

Although I have yet to try it, someone told me only yesterday that, as it should never be used, it really doesn't matter if you give the ASA a "duff" standby address - say for instance something out of an unused private range - rather than assigning it one of your free IP addresses from your outside range.

I was fairly surprised, but he was adamant that this does indeed work, is a good way to preserve your pool of outside addresses, and does not affect the functionality of the ASA with respect to its failover capability. I'd be interested to hear if it works for you, or if anyone has used this method.

HTH

Kev

New Member

Re: ASA 8.0.3: Standby Failover shouldn't respond on outside int

Hello Kev

We don't use NAT at all, so I don't see a way to do this. The standby address has to be in the same subnet as the active address. If you have more detailed information, let me know.

Greetings

Rufer

New Member

Re: ASA 8.0.3: Standby Failover shouldn't respond on outside int

Hi Rufer

So this has nothing to do with NAT, it is merely using a random/spurious private address (i.e. unroutable to from the public sense) on your standby unit. As I mentioned, I've not tried it as I don't have an ASA FO pair handy to play with at this time, but I heard that it was possible to configure on the ASA something like:

ip address standby 192.34.56.78

Like you, I was always under the impression that the standby IP needed to be in the same subnet, so if you have attempted this and it came back with some error message to this effect, then I apologise as I have clearly been misled. I'm dropping the chap a quick email to find out if he was winding me up... :-S

[Edit: Have received a response which clarifies what he was saying. Unfortunately the method in fact only works on a PIX; the ASA will indeed complain vigorously. I don't know what else to suggest, except maybe perhaps you can request your ISP "deny ip any any" to your ASA standby address on their gateway router to afford you some protection?]

Thanks

Kev
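Kev's ISP-side suggestion, written out as an added illustration that is not from the original thread: a Cisco IOS access list on the provider's gateway router that drops everything sent to the ASA standby outside address while leaving the active address untouched. The addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and the interface name is assumed.

```cisco
! Constructed example values (RFC 5737 documentation range), not from the thread:
!   active outside address  203.0.113.10  (moves to whichever unit is active)
!   standby outside address 203.0.113.11  (always held by the non-active unit)
ip access-list extended ASA-STANDBY-FILTER
 ! Drop anything addressed to the standby IP before it reaches the ASA pair;
 ! "log" records hits so probes against the standby address become visible.
 deny   ip any host 203.0.113.11 log
 ! Everything else toward the customer block, including the active address, passes.
 permit ip any 203.0.113.0 0.0.0.255
!
interface GigabitEthernet0/1
 description Customer-facing link to the ASA failover pair (assumed interface name)
 ip access-group ASA-STANDBY-FILTER out
```

Because an ASA active/standby pair swaps the active and standby addresses when a failover occurs, the standby IP is never the one serving clients, so the filter keeps working across a failover event without blocking the unit that takes over.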
