Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
453
Views
0
Helpful
5
Replies

ASA Failover

networker99
Level 1
Level 1

‎08-27-2009 08:46 AM - edited ‎03-11-2019 09:10 AM

When configuring ASA's in A/S should you be able to connect to the ASA in standby mode?

Labels:
0 Helpful
5 Replies 5

srue
Level 7
Level 7

‎08-27-2009 09:10 AM

my experience, it depends...it depends on how you have authentication and routing configured on the primary. if dynamic routing is enabled and you're relying on an authentication server, it's possible the standby unit doesn't have a route to the auth server. to accomodate this, put a static route in the primary just for the auth server...or have a LOCAL auth group as a fallback auth method when the auth server times out.

also, if yo'ure using an auth server (eg radius/tacacs), make sure you have the standby IP in there as well as the primary.

0 Helpful

daniel.diaz
Level 1
Level 1

‎08-27-2009 03:32 PM

Only through console. I have this setup and I cannot access the standby box unless I use console.

Box boxes are configured exactly the same, so you only have 1 IP address.

On the old PIXes you were able to connect to both the standby and active boxes because each one had a different IP.

You can however issue failover commands to the standby box. So you can restart the standby box or make it active, but as far as I know that is all you can do.

0 Helpful

srue
Level 7
Level 7
In response to daniel.diaz

‎08-28-2009 05:35 AM

what do you mean you only have 1 IP? did you not configure the standby addresses?

0 Helpful

daniel.diaz
Level 1
Level 1
In response to srue

‎08-31-2009 09:37 AM

This is how my failover is configured: failover

failover lan unit primary

failover lan interface LANFAIL GigabitEthernet0/3

failover polltime unit 1 holdtime 3

failover key *****

failover link LANFAIL GigabitEthernet0/3

failover interface ip LANFAIL 192.168.101.1 255.255.255.0 standby 192.168.101.2

I do have the standby address configured for the failover link but I do not have a standby address on any other interface. I never really tried connecting to the failover IP address, I dont have that routed through my regular network.

Are you saying I should have a stanby IP address on my other interfaces aswell? I know the PIXs are setup that way.

Thanks

0 Helpful

campbech1
Level 1
Level 1

‎08-31-2009 09:18 AM

Yes, just make sure the standby addresses are setup. I connect to our standby and perform upgrades all the time without any issues.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card