Cisco Support Community

New Member

ASA Active/Standby Standby IP Verification

I wanted to verify that a configuration I am working on will do what I am expecting. I have 2-5525x's set up in an active/standby config, with a stateful link and a LAN failover link. Everything appears to work fine and I am now moving on to programming everything else. On the inside I will have 2 core switches running HSRP; these are already existing and working fine. When I configure a standby address on the inside interface of the ASA, will I simply create another static route to that IP on the core to route traffic to that device in the event of a failure? If this is the case, I am assuming I will do the same on the outside interface if I can get the ISP to provide another physical layer 2 interface for me to connect directly to my devices; then I will create another default route to the next hop address to which I already route. If I missed something, please let me know.

1 ACCEPTED SOLUTION

VIP Green

On the inside I will have 2 core switches running HSRP; these are already existing and working fine. When I configure a standby address on the inside interface of the ASA, will I simply create another static route to that IP on the core to route traffic to that device in the event of a failure?

No, you will not create another route which points to the standby address. The standby address is just significant for the connectivity between the ASAs. In the case of a failover, the standby ASA will assume the IP of the active ASA as well as the MAC address, and the ASA which failed, when it comes back online, will take the standby IP and will remain the standby ASA until you manually fail over or a failover situation occurs on the new primary.

If this is the case, I am assuming I will do the same on the outside interface if I can get the ISP to provide another physical layer 2 interface for me to connect directly to my devices; then I will create another default route to the next hop address to which I already route.

I am not entirely sure I understand what you are asking here. As of right now you cannot have two active default routes on a single ASA. What you would need though is another connection to the standby ASA and a public IP that can be used as the standby IP, and the outside interfaces of the active and standby ASAs need to be on the same Layer 2 network.

--

Please remember to select a correct answer and rate helpful posts
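
A configuration sketch of what the accepted answer describes, added here as an illustration and not part of the original thread. The interface names, all IP addresses, and the choice of a default route on the core are constructed assumptions.

```cisco
! --- ASA, configured on the active unit (failover replicates it to the peer) ---
! All addresses below are constructed examples.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! Active and standby IPs share one subnet, so both ASA outside
 ! interfaces must sit on the same Layer 2 segment toward the ISP.
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! 10.10.10.1 is the address the core routes to. 10.10.10.2 is used
 ! only by the standby unit for monitoring and management.
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
! One default route toward the existing ISP next hop (assumed 203.0.113.1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- Core switches (IOS), same line on both HSRP peers ---
! A single route that points at the ASA active inside IP only.
! No second route to 10.10.10.2 is needed: after a failover the new
! active unit takes over 10.10.10.1 together with the active MAC address.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! --- Check on either ASA which unit currently holds the active role ---
show failover
```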

New Member

Thanks for the reply and verification.

On the ISP side I will be doing exactly what you said.

VIP Green

Good stuff! :)

Thanks for the rating
