Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
3
Replies

ASA Active/Standby Standby IP Verification

Go to solution
Matthew
Level 1
Level 1

‎09-11-2014 07:00 AM - edited ‎03-11-2019 09:44 PM

I wanted to verify that a configuration I am working on will do what I am expecting. I have 2-5525x's setup in an active/standby config, I have a stateful link and lan failover link, everything appear to work fine and I am now moving on to programming everything else. On the inside I will have 2 core switch running HSRP, these are already existing and working fine, when I configure a standby address on the inside interface of the ASA will I simply create another static route to that IP on the core to route traffic to that device in the even of a failure? If this is the case I am assuming I will do the same on the outside interface if I can get the ISP to provide another physical layer 2 interface for me to connect directly to my devices, then I will create another default route to the next hop address in which I already route to. If I missed something please let me know.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎09-12-2014 01:57 PM

On the inside I will have 2 core switch running HSRP, these are already existing and working fine, when I configure a standby address on the inside interface of the ASA will I simply create another static route to that IP on the core to route traffic to that device in the even of a failure?

No, you will not create another route which points to the standby address.  The standby address is just significant for the connectivity between the ASAs.  In the case of a failover, the standby ASA will assume the IP of the active ASA as well as the MAC address, and the ASA which failed, when it comes back online will take the standby IP and will remain the standby ASA until you manually failover or a failover situation occurs on the new primary.

If this is the case I am assuming I will do the same on the outside interface if I can get the ISP to provide another physical layer 2 interface for me to connect directly to my devices, then I will create another default route to the next hop address in which I already route to.

I am not entirely sure I understand what you are asking here.  As of right now you cannot have two active default routes on a single ASA.  What you would need though is another connection to the standby ASA and a public IP that can be used as the standby IP, and the outside interface of the active and standby ASAs need to be on the same Layer2 network.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎09-12-2014 01:57 PM

On the inside I will have 2 core switch running HSRP, these are already existing and working fine, when I configure a standby address on the inside interface of the ASA will I simply create another static route to that IP on the core to route traffic to that device in the even of a failure?

No, you will not create another route which points to the standby address.  The standby address is just significant for the connectivity between the ASAs.  In the case of a failover, the standby ASA will assume the IP of the active ASA as well as the MAC address, and the ASA which failed, when it comes back online will take the standby IP and will remain the standby ASA until you manually failover or a failover situation occurs on the new primary.

If this is the case I am assuming I will do the same on the outside interface if I can get the ISP to provide another physical layer 2 interface for me to connect directly to my devices, then I will create another default route to the next hop address in which I already route to.

I am not entirely sure I understand what you are asking here.  As of right now you cannot have two active default routes on a single ASA.  What you would need though is another connection to the standby ASA and a public IP that can be used as the standby IP, and the outside interface of the active and standby ASAs need to be on the same Layer2 network.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Matthew
Level 1
Level 1
In response to Marius Gunnerud

‎09-12-2014 02:01 PM

Thanks for the reply and verification.

On the ISP side I will be doing exactly what you said.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Matthew

‎09-12-2014 02:02 PM

Good stuff!  :)

Thanks for the rating

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card