ASA5540 standby ip

kian_hong2000 · ‎08-07-2012

Hi,

I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.

However, the standby ip of this firewall is not point to the seconday firewall and vice versa for the primary firewall.

ASA5540_Pri

interface GigabitEthernet0/1

nameif dmz_pri

security-level 50

ip address x.x.x.100 255.255.255.248 standby x.x.x.120

1) May i know how is this configuration valid in the first place? I have checked through the configuration.

None of the configuration is related to this ip address.

2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?

3) We tried to use this ip address but cannot be used ? Any idea is it related to the configuration of the standby ip address.

Do note that the ping to this ip address x.x.x.120 is unreachable.

Regards

KH

Jouni Forss · ‎08-07-2012

Hi,

1.) Looking at the network mask used in the interface it seems that the standby IP address is configured wrong. Also, there is not supposed to be any configurations related to the standby IP address. I mean no NAT configurations or access-list statements as its just there for the Failover to work. (To my understanding)

2.) What you should do is configure another IP from the same network range as the primary IP. When you change the standby IP address you naturally only configure it on the active device as the standby device automatically receives the configuration change from the primary device (provided that the actual failover is working properly)

3.) The IP ending in .120 cannot be used as its not from the same network range as .100 (when you are using a mask of /29) When you have a correct IP address from same network configured on the standby ASA you should be able to ping it and also see it on the "show arp" command on the ASA

- Jouni