Cisco Support Community

New Member

no standby ip address on interfaces of a failover asa

I found an implementation of ASA with failover which doesn't have standby IP addresses configured on the interfaces. The vendor says the failover is tested and working.

QUESTION: What is the impact of this kind of implementation?

5 REPLIES

Re: no standby ip address on interfaces of a failover asa

OK, in ASA failover

the interface will have two IP addresses, active and standby.

The main/active device will use the active IP and the secondary will use the standby.

And the IP is used to keep the communication between devices, check when the active goes down, and synchronize the config from the active device to the secondary standby device.

So if there is no IP on the standby device, how will they communicate?

Does the article you read give a description for that and why they did it like that?

Re: no standby ip address on interfaces of a failover asa

Hi Celso,

While the vendor is technically correct (failover will still work even without the standby IP addresses configured, that is, as long as the failover interface has both Active and Standby IP addresses), it is technically a misconfiguration to not specify standby IP addresses.

To answer your question specifically: the impact is that without standby IP addresses, the Standby unit will be completely inaccessible. This includes both management traffic (i.e. SSH) and the "hello" packets that Marwan mentioned (which are sent by the Active unit to test the functionality of its mate's interface).

I would recommend changing this specific implementation during your next maintenance window.

Hope that helps.

-Mike
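The check described in the reply above, as an added example that is not part of the original thread: a Python audit that reads ASA `show running-config` text and reports data interfaces whose `ip address` line has no `standby` address, plus any `failover interface ip` link missing one. The sample config, addresses and the function name `audit_standby` are constructed for illustration.

```python
import re

# Constructed sample of ASA running-config text (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no ip address
!
failover
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 172.16.0.1 255.255.255.252 standby 172.16.0.2
"""

V4 = r"(\d+(?:\.\d+){3})"
# Static addressing only; "no ip address" and DHCP forms do not match.
IP_LINE = re.compile(rf"^ ip address {V4} {V4}(?: standby {V4})?\s*$")
FO_LINE = re.compile(rf"^failover interface ip (\S+) {V4} {V4}(?: standby {V4})?\s*$")

def audit_standby(config):
    """Return (interfaces_missing_standby, failover_links_missing_standby)."""
    missing, fo_missing = [], []
    iface = nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface, nameif = line.split(None, 1)[1], None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif iface and (m := IP_LINE.match(line)):
            if m.group(3) is None:  # active address only, standby unit unreachable here
                missing.append((iface, nameif, m.group(1)))
        elif (m := FO_LINE.match(line)) and m.group(4) is None:
            fo_missing.append(m.group(1))
    return missing, fo_missing

if __name__ == "__main__":
    data, links = audit_standby(SAMPLE_CONFIG)
    for iface, name, ip in data:
        print(f"{iface} ({name}): active {ip}, no standby address")
    for link in links:
        print(f"failover link {link}: no standby address")
```
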

New Member

Re: no standby ip address on interfaces of a failover asa

Hello

I've run out of legal IP addresses on the Outside interface and I need one more for static mapping. Can I use the legal IP address that is currently assigned to the standby ASA?

As this address is never actually 'in service', can I use this for a static translation, leaving the standby blank? During a failover, the Standby ASA assumes the Active IP.

Regards Tony

Bronze

Re: no standby ip address on interfaces of a failover asa

Hi Tony,

No, you can't. Although no traffic is being routed through this standby address, it is still a valid address that you can talk to the standby unit with.

Therefore you will get an IP conflict on your network if you configure another device to use this IP.

Regards

New Member

Re: no standby ip address on interfaces of a failover asa

Wow, thanks for the speedy response!

I was planning on removing the standby IP address from the Primary ASA and then using that for mapping.

Does this sound ok?

Cheers Tony
