Cisco Support Community

New Member

ASA Failover on 5550

Hi,

I am new to ASA and would like to know if we can configure failover on ASA without a standby IP address.

4 REPLIES
New Member

ASA Failover on 5550

Hi Rajeev

I think you must configure a standby IP. Without a standby, how is it possible?

Configuring the failover

failover

failover lan unit primary

failover lan interface FOlink GigabitEthernet0/0

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover link FOlink GigabitEthernet0/0

failover interface ip FOlink 1.1.1.5 255.255.255.252 standby 1.1.1.6

Gold

ASA Failover on 5550

Hi, Hardik is correct (+5)

The Failover interface between the two ASAs must have IP addresses on both sides.

However your other interfaces do not have to have standby IP addresses.

I personally don't think this is a great idea, as IMHO it is important to monitor the standby IP addresses on your second firewall to ensure you won't get any problems if you fail over. However it is a valid configuration.

Where I do tend to use this is on the Internet facing interface where I don't have a spare public IP address available for the failover unit.

HTH.

Barry Hesk

Intrinsic Network Solutions

New Member

ASA Failover on 5550

Hi Barry.

First you have to configure only the primary firewall and it will sync automatically with the secondary firewall.

The failover link IP is 1.1.1.5 for the primary and 1.1.1.6 for the secondary firewall. It's called the heartbeat link.

Also, you have to configure the interface:

interface GigabitEthernet0/1

speed 1000

duplex full

nameif Outside

security-level 50

ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2

Gold

ASA Failover on 5550

Hi Hardik

Yes, I know.

My comment is that once you have the failover link configured between the two ASAs, and they have performed a sync, you DON'T have to add standby IP addresses to the other interfaces. In your example above, you don't HAVE to assign 10.10.10.2 as a standby address on the outside interface. Failover will work fine without it.

IMHO it's a good idea to add standby addresses so you can monitor them, but you don't have to.

Barry Hesk

Intrinsic Network Solutions
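
An added example, not part of any post in this thread: a small Python audit that reads an ASA configuration and reports, per named interface and for the failover link, whether a standby address is present and sits in the same subnet as the active address. The sample configuration is constructed from the commands quoted above; the `Inside` interface and the function name `audit_standby` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample config, assembled from the commands quoted in the thread
# plus one hypothetical interface ("Inside") that has no standby address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif Outside
 security-level 50
 ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
failover
failover lan unit primary
failover lan interface FOlink GigabitEthernet0/0
failover link FOlink GigabitEthernet0/0
failover interface ip FOlink 1.1.1.5 255.255.255.252 standby 1.1.1.6
"""

ADDR = re.compile(r"ip address (\S+) (\S+)(?: standby (\S+))?$")
FO_ADDR = re.compile(r"failover interface ip (\S+) (\S+) (\S+)(?: standby (\S+))?$")

def audit_standby(config):
    """Return {name: status}; status is 'ok', 'no-standby' or 'wrong-subnet'."""
    results, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        m = FO_ADDR.match(line)
        if m:
            target, (ip, mask, standby) = m.group(1), m.groups()[1:]
        else:
            m = ADDR.match(line)
            if not m or name is None:
                continue                     # not an address line we can attribute
            target, (ip, mask, standby) = name, m.groups()
        if standby is None:
            results[target] = "no-standby"   # valid, but the standby unit is not monitorable here
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        results[target] = "ok" if ipaddress.ip_address(standby) in net else "wrong-subnet"
    return results
```

On the sample, `audit_standby(SAMPLE_CONFIG)` flags only `Inside` as `no-standby`, which matches the configuration the replies describe as valid but harder to monitor.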
