Cisco Support Community

Changing the Fail-over interface IP address on the ASA Active/Standby Fail-over

     

     

    Introduction

    Because of an IP address shortage or an IP address overlap in the internal network, it may be necessary to change the Fail-over interface IP addresses.

    Example

    For example, the ASA displays this warning when an address range being configured on the device overlaps with the Fail-over interface IP addresses:

    WARNING: 192.168.0.0-192.168.255.255 overlaps with failover interface address. The failover units may become active

    This is the Fail-over configuration that causes the warning:

    failover
    failover lan unit primary
    failover lan interface FAIL GigabitEthernet0/5
    failover link STATE GigabitEthernet0/4
    failover interface ip FAIL 192.168.201.1 255.255.255.252 standby 192.168.201.2
    failover interface ip STATE 192.168.202.1 255.255.255.252 standby 192.168.202.2

    To change the IP addresses on the Fail-over interfaces, follow these steps:

    1) Disable Fail-over on the Primary unit:

    no failover

    2) The Fail-over status on the Secondary unit will change to:

    Failover Off (pseudo-Standby)
    Failover unit Secondary

    3) Change the IP addresses on both ASA units separately. The commands are the same on both units:

    failover interface ip FAIL 172.16.2.1 255.255.255.252 standby 172.16.2.2
    failover interface ip STATE 172.16.4.5 255.255.255.252 standby 172.16.4.6

    4) Once the IP address information is configured, re-enable Fail-over, first on the Primary unit and then on the Secondary unit.

    5) Fail-over will come up with the changed IP addresses on the Fail-over interfaces.

    If a switch is connected between the ASA units for the Fail-over interfaces, I would suggest clearing the ARP entries on the switch.
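A pre-change check for the overlap warning and for step 3, as an added example that is not part of the original document and not a Cisco tool: it parses the failover interface ip lines and reports active or standby addresses that are not usable hosts in the configured subnet, and failover subnets that overlap a range about to be configured. The function name, the CIDR form of the warned range, and the NEW_CONFIG and BAD_CONFIG samples are assumptions constructed for illustration.

```python
import ipaddress
import re

# failover interface ip <name> <active> <mask> standby <standby>
LINE_RE = re.compile(
    r"^[ \t]*failover interface ip (\S+) (\S+) (\S+) standby (\S+)[ \t]*$", re.M)

def check_failover_ips(config, planned_ranges):
    """Hypothetical helper: list problems found in the failover addressing.

    planned_ranges: CIDR strings for networks about to be configured elsewhere
    on the ASA (the ranges that would trigger the overlap warning).
    """
    planned = [ipaddress.ip_network(r) for r in planned_ranges]
    problems = []
    for name, active, mask, standby in LINE_RE.findall(config):
        iface = ipaddress.ip_interface(f"{active}/{mask}")
        net = iface.network
        usable = set(net.hosts())  # excludes network and broadcast addresses
        for role, ip in (("active", iface.ip), ("standby", ipaddress.ip_address(standby))):
            if ip not in usable:
                problems.append(f"{name}: {role} {ip} is not a host address in {net}")
        for rng in planned:
            if net.overlaps(rng):
                problems.append(f"{name}: {net} overlaps planned range {rng}")
    return problems

# Failover addressing from the configuration shown on this page.
OLD_CONFIG = """
failover lan interface FAIL GigabitEthernet0/5
failover link STATE GigabitEthernet0/4
failover interface ip FAIL 192.168.201.1 255.255.255.252 standby 192.168.201.2
failover interface ip STATE 192.168.202.1 255.255.255.252 standby 192.168.202.2
"""
# Constructed replacement addressing outside the overlapping range.
NEW_CONFIG = """
failover interface ip FAIL 172.16.2.1 255.255.255.252 standby 172.16.2.2
failover interface ip STATE 172.16.4.5 255.255.255.252 standby 172.16.4.6
"""
# Constructed bad pair: .3 is the /30 broadcast address, .4 is in the next /30.
BAD_CONFIG = "failover interface ip FAIL 10.0.0.3 255.255.255.252 standby 10.0.0.4\n"

# The range named in the WARNING, 192.168.0.0-192.168.255.255, written as a CIDR.
WARNED = ["192.168.0.0/16"]

if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_failover_ips(cfg, WARNED) or "OK")
```

Running the same check against the saved configuration of both units before re-enabling Fail-over in step 4 confirms that the two units carry identical, valid addressing.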

    Comments
    Community Member

    Hi, I have some doubts.

    1. Is it possible to assign 4 IPs of the same subnet to the Failover & Stateful Interface?

    "failover interface ip FAIL 192.168.202.3 255.255.255.248 standby 192.168.202.4

    failover interface ip STATE 192.168.202.1 255.255.255.248 standby 192.168.202.2"

    Here, the subnet used is 192.168.202.0/29 and all IPs fall under this.

     

    2. It is possible to use the same Physical Interface as Failover Link Interface and Stateful Link Interface, but is it feasible to give the same physical interface (in the above example it's interface g0/5) so many IPs?

    Cisco Employee

    Hi Navneet,

     

    Thank you for pointing out the typo errors that I made in the document. I have corrected the same.

    Thanks and Regards,

    Vibhor Amrodia
