Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16862
Views
30
Helpful
9
Replies

ASA Failover - do I really need to configure a standby ip address in each interface?

Go to solution
ajtm
Level 1
Level 1

‎12-18-2011 05:32 PM - edited ‎03-11-2019 03:03 PM

It seems that ASA failover works fine without the standby address. What is the advantage of wasting an IP address?

Regards,

AM

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ajay chauhan
Level 7
Level 7
In response to ajtm

‎12-20-2011 05:05 AM

In that case you can do it without standby also but for management purpose you should have IP on standby also. Thats basically for monitor interface and both exchange hello out of that interface.

For example suppose you have only one public IP so no option to configure standby IP for secondary unit in that monitor interface can be disabled . Note- Not going to part of failover incase of failure.

Thanks

Ajay

View solution in original post

9 Replies 9

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎12-18-2011 06:18 PM

Hello Ajtm,

The standby ip address will be used in order to exchange hello packets between the interfaces of the active unit ( ip address) and the standby unit (ip address).

If the interfaces do not exchange hello packets the state of that interface will be normal (waiting) witch will cause some issues if you are monitoring that interface.

Please rate helpful posts,

Kind regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Julio Carvajal

‎12-18-2011 07:58 PM

AM

I question your assertion that:

ASA failover works fine without the standby address.

If you configure a pair of ASA for failover and use only a single address for the interface of the primary/active ASA then perhaps it works if there is a catastrophic failure of the primary/active ASA and the backup migt take over. But what happens if there is a problem with the interface of the primary/active ASA. How will the backup ASA determine that it needs to take over from the primary if it can not query the primary interface? And how will it query the primary interface unless it has its own address?

HTH

Rick

HTH

Rick

Go to solution
ajtm
Level 1
Level 1
In response to Richard Burts

‎12-20-2011 03:27 AM

Ok. I understand that the standby IP address is used for monitoring the interface. What if I have multiple vlans in one interface? Is it relevant to configure standby addresses in all of them?

Regards,

AM

0 Helpful

Go to solution
ajtm
Level 1
Level 1
In response to ajay chauhan

‎12-20-2011 04:16 AM

I had read the document and found that it is not very clear about this subject.

If I have the following topology:

ASA-MAIN <802.1q> switch <802.1q over LACP > switch <802.1q> ASA-STDBY,

with the routers/gateways connected in the switches.

If one of the physical ports or equipment fails, I don't see what is the point of having multiple standby ip addresses in the vlan's that share the same physical port.

Regards,

Antonio

0 Helpful

Go to solution
ajay chauhan
Level 7
Level 7
In response to ajtm

‎12-20-2011 05:05 AM

In that case you can do it without standby also but for management purpose you should have IP on standby also. Thats basically for monitor interface and both exchange hello out of that interface.

For example suppose you have only one public IP so no option to configure standby IP for secondary unit in that monitor interface can be disabled . Note- Not going to part of failover incase of failure.

Thanks

Ajay

Go to solution
akhasfarooq
Level 1
Level 1
In response to ajay chauhan

‎08-03-2022 11:10 AM

Hi Ajay, 

 

I'm also in a similar situation. Just wanted some clarification on your last sentence in your previous post "Note - Not going to part of failover incase of failure" are you saying if the standby IP is not set and something went wrong with the interface on the primary/active, then this particular interface will not failover to the standby firewall because there is no standby IP? Is'nt the failover link used to sync the connection states between the 2 firewalls? Also, in a situation where the entire primary/active firewall was to go down then I'm assuming the secondary will also takeover for this interface?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to akhasfarooq

‎08-03-2022 12:43 PM

I will try to elaborate on what has already been said.

The standby IP is used to send hello packets between the active and standby firewalls in the instance that the failover link has failed.  In normal operating hello packets are sent over the failover link, if that link fails and you do not have any standby IPs configured you will end up with a split-brain situation where both firewalls become active.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
akhasfarooq
Level 1
Level 1
In response to Marius Gunnerud

‎08-03-2022 01:25 PM

Thanks Marius! that clarifies it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card