It's true that in an ASA Failover pair only the Primary IP address is used for connections going through the ASA.
I would suspect though that the secondary/standby IP address is needed for the interface health monitoring. Both of the units send Hello messages on all interfaces participating in the Failover (depends on configurations and interface types).
With your IP address, for example, the Primary Unit sends Hello messages with the "inside" IP address of 192.168.1.1 to the Secondary Unit's IP address 192.168.1.2.
By default I think all physical interfaces are members of Failover monitoring, but if you configure trunk interfaces you will have to include those subinterfaces in the failover with the command "monitor-interface "
To your second question I ain't so sure. To my understanding you are not "forced" to configure a standby IP address to the secondary unit. Personally I have never been in a situation where I haven't had enough IP addresses for the Secondary unit also.
I really can't find any doc exposing this kind of issue (only 1 IP address possible for outside connections).
So I hope maybe someone else has a solution for that...
Regarding the FAILOVERLINK, can you confirm it is possible to plug an RJ45 directly from ASA1 (FAILOVERLINK) to ASA2 (FAILOVERLINK) without using any switch? (I don't see why it couldn't work but I prefer asking before.)
You can use a Ethernet cable to connect the ASAs directly.
This is pretty common when the ASAs are located in the same physical location.
I've also seen people use switches in between and sometimes this has also been done on the same physical link where the customer data interfaces are.
I prefer keeping Failover link totally separate from rest of the network if possible.
Regarding the Outside IP address issue I suggest you wait for an answer from someone else to confirm this. As I said, I have always had a /29 network to use in Failover pairs outside and have never even thought about the situation you mentioned.
You are correct that if you do not configure an IP address for the outside interface of the second ASA that the ASAs will not be able to monitor the status of the outside interface. So if there were to be some problem with the outside interface of ASA 1 then there would not be a failover to ASA 2. If you are willing to take that risk then you do not need an IP for the second outside interface.
I have implemented failover on 5510 with just a cable between interfaces (no switch) and it works.
I don't like "no monitor" on the outside interface. If I fail over to a device I want to know for certain that it's ready and able to take traffic. If the outside interface is not responding for whatever reason, that's cause for concern and needs to be remedied.
Another advantage of having an IP address on the standby unit's interfaces (inside and outside and other) is to be able to log into it directly. You seldom have to but when you do, it's nice to be able to without trekking to the data center and consoling in. (Unless of course your DC has console servers for all your devices - in which case, good for you! unless... the console server itself is on the inside network, unreachability of which being the cause for you wanting to log into the ASA from the outside....)
And, yes, a straight RJ-45 ASA-ASA is fine for the failover link. The interfaces are MDI-X so no worries about crossover cable etc.
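
The points raised across the replies above (an interface with no standby address cannot be health-checked by failover, and subinterfaces need an explicit monitor-interface), as an added example that is not part of the original thread: a Python check over an ASA running-config. The sample config and the name `audit_failover` are constructed for illustration, and the check assumes physical interfaces are monitored by default while subinterfaces are not.

```python
import re

# Constructed sample config (not from the thread): "outside" has a single
# address and monitoring turned off; "dmz" is a subinterface with no
# explicit monitor-interface line.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet0/2.10
 nameif dmz
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover lan interface FAILOVERLINK GigabitEthernet0/3
failover interface ip FAILOVERLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
no monitor-interface outside
"""

def audit_failover(config):
    """Return {nameif: [issues]} for named interfaces failover cannot health-check."""
    info, explicit = {}, {}        # nameif -> [has_standby, is_subinterface]
    nameif, is_sub = None, False
    for line in config.splitlines():
        if line.startswith("interface "):
            # A dot in the port name (Gi0/2.10) marks a subinterface.
            nameif, is_sub = None, "." in line.split()[1]
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
            info[nameif] = [False, is_sub]
        elif nameif and re.match(r"\s+ip address \S+ \S+ standby \S+", line):
            info[nameif][0] = True
        elif m := re.match(r"(no )?monitor-interface (\S+)", line):
            explicit[m.group(2)] = m.group(1) is None
    findings = {}
    for name, (has_standby, sub) in info.items():
        # Assumed defaults: physical interfaces monitored, subinterfaces not.
        monitored = explicit.get(name, not sub)
        issues = []
        if not has_standby:
            issues.append("no standby IP")
        if not monitored:
            issues.append("not monitored")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_failover(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```
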