Cisco Support Community
New Member

ASA Standby ip necessary for Failover ?

Hi,

I have a question concerning failover. My problem is that my customer has only 2 addresses for the outside interface (with a 255.255.255.252 mask). So we cannot configure a standby IP for this interface, as the second IP is for the provider router. Is it possible to configure failover without a standby IP for the outside interface, AND what is the impact of such a configuration? What could happen?

Should I deactivate the monitoring of this interface?

Thanks a lot for your help.

Regards

7 REPLIES
Bronze

Re: ASA Standby ip necessary for Failover ?

I think you can use Active/Standby failover in your scenario. The following link may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

New Member

Re: ASA Standby ip necessary for Failover ?

Use a 255.255.255.248 mask for the outside interface instead. This will allow you to allocate a standby IP address outside the range of the IP addresses allocated by the ISP. The ISP doesn't care what mask you give to the FWs, they will still use a 255.255.255.252 mask for their router. This should work because the standby IP is only used for sending/receiving standby hello packets between itself and the primary fw. Although the fw is using a 255.255.255.248 mask, you'll still only be able to use the 2 addresses provided by the ISP for Internet connectivity.

New Member

Re: ASA Standby ip necessary for Failover ?

Have you done this before?

New Member

Re: ASA Standby ip necessary for Failover ?

Yes, I had a customer that had used up all of their available public IP addresses, and it is also a waste to allocate a usable public IP address for the standby IP address, so I just changed the mask on the fw as previously mentioned. The only issue that may arise is if you were trying to connect to a site that was using IP addresses within the extended subnet range, but the chances of this occurring are very slim and you could also configure host routes to get around this; the only site you couldn't connect to would be the one allocated to the standby IP.

New Member

Re: ASA Standby ip necessary for Failover ?

When configuring Active/Standby, both interfaces must have an IP address within the same subnet.

New Member

Re: ASA Standby ip necessary for Failover ?

Thanks for your answer RUSS, I will try this solution, but I've read that one needs a standby IP address on the same subnet on each interface, too...

Just a question: how can the active FW reach this second IP address if it is not on the same subnet and not routed??? So, what is the difference between giving an IP address that is not reachable and no IP address?...

Thanks

New Member

Re: ASA Standby ip necessary for Failover ?

Not sure what you mean by second IP address not being on the same subnet as the active FW?

If you change the outside mask on the active FW to 255.255.255.248 and allocate the standby IP within this range then both the active and standby addresses will be on the same subnet. The outside IP address of the active FW will be configured within the address range allocated by the ISP, the standby IP will be an address allocated outside the range given by the ISP, but as I said previously this should not matter.
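
Added example, not part of any post in this thread: a small Python check of the widened-mask layout discussed above, showing which addresses can serve as the standby IP and which addresses outside the ISP range the firewall will start treating as directly connected. The 192.0.2.x addresses are constructed documentation addresses and `plan_standby` is a hypothetical helper name.

```python
import ipaddress

ISP_MASK = "255.255.255.252"  # mask assigned by the provider (from the thread)
FW_MASK = "255.255.255.248"   # wider mask suggested for the firewalls

def plan_standby(active_ip, standby_ip=None):
    """Validate a standby address for the widened outside subnet."""
    isp_net = ipaddress.ip_interface(f"{active_ip}/{ISP_MASK}").network
    fw_net = ipaddress.ip_interface(f"{active_ip}/{FW_MASK}").network
    active = ipaddress.ip_address(active_ip)
    if active not in isp_net.hosts():
        raise ValueError(f"{active} is not a usable host in {isp_net}")
    # Usable hosts of the widened subnet that the ISP never assigned.
    candidates = [h for h in fw_net.hosts() if h not in isp_net]
    # Default to the highest candidate (an arbitrary choice for this example).
    standby = ipaddress.ip_address(standby_ip) if standby_ip else candidates[-1]
    if standby not in candidates:
        raise ValueError(f"{standby} must be in {fw_net} but outside {isp_net}")
    # Every address here is treated as on-link by the firewall, so traffic to
    # its real owner is not sent via the ISP router unless a host route is added.
    shadowed = [a for a in fw_net if a not in isp_net]
    return {
        "isp_subnet": str(isp_net),
        "fw_subnet": str(fw_net),
        "standby": str(standby),
        "shadowed": [str(a) for a in shadowed],
        # ASA interface command carrying both the active and standby address.
        "asa_line": f"ip address {active} {FW_MASK} standby {standby}",
    }

if __name__ == "__main__":
    # Constructed sample: active firewall holds the first host of the /30.
    for key, value in plan_standby("192.0.2.1").items():
        print(f"{key}: {value}")
```

The `shadowed` list is the set of destinations the earlier reply says may need host routes; the chosen standby address is the one member of that list that stays unreachable.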
