topic The standby address for the in Network Security

Firewall Failover without standby address

adiazcastro19 — Tue, 12 Mar 2019 04:50:12 GMT

Hello,

We have two ASA5525 in mode failover. Only one them has IP address configuration. For example:

!
interface GigabitEthernet0/0
description outside
nameif outside
security-level 0
ip address 71.210.56.231 255.255.255.252
!
interface GigabitEthernet0/1
description DMZ_Servicios
nameif DMZ_Servicios
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ_IPSEC
nameif DMZ_IPSEC
security-level 40
ip address 10.110.61.225 255.255.255.240
!

ASA# sh running-config | i failover
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/7
failover key *****
failover link failoverlan GigabitEthernet0/7
failover interface ip failoverlan 1.1.1.1 255.255.255.252 standby 1.1.1.2
!

ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlan GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 08:10:17 UTC Sep 2 2014
This host: Primary - Active
Active time: 2348911 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (71.210.56.231): Normal (Not-Monitored)
Interface DMZ_Servicios (192.168.1.1): Normal (Waiting)
Interface DMZ_IPSEC (10.110.61.225): Normal (Waiting)
Interface inside (10.115.70.18): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface DMZ_Servicios (0.0.0.0): Unknown (Waiting)
Interface DMZ_IPSEC (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Normal (Not-Monitored)
!

If we put the secondary address in the interface, the failover works fine when we put in mode shutdown the interface (IPSEC or Servicio), but with this configuration, the secondary FW only works when the primary FW is down.
Although we put in mode monitor the interfaces (Servicios and IPSEC), the secondary FW doesn´t work if we put in mode shutdown the "Ipsec or Servicios" interface.
We want to know if this configuration works fine with Failover, or it is necesary (mandatory) put the secondary address in the interfaces.

Thanks

By default all active

Marvin Rhoads — Mon, 29 Sep 2014 20:33:56 GMT

By default all active interfaces on both units will be monitored for health and making a determination of whether a unit is ready to assume active role. Only if you do not want a given interface to be included would you then use "no monitor-interface {if_name}" (Reference)

If there is no standby address on a given interface, it can still be monitored for failover although you won't have quite the degree of assurance that is is really completely ready as the Active unit cannot affirmatively reach the standby IP address and instead relies on the Standby unit to tell it (via the failover link) that the interface is line up / protocol up. That's why you may see the status of "unknown (waiting)" on those interfaces on the Standby Ready unit.

Hello Marvin.I understand the

adiazcastro19 — Tue, 30 Sep 2014 20:11:19 GMT

Hello Marvin.

I understand the state (waiting) of the interfaces. But with this configuration (without secondary address in no interface), when I unplug the cable (DMZ_Servicios interface) for example , and we have the failover link up/up, I understand that the failover process should work and the standby Firewall should convert in active.
But that process don't happened. My doubt is if the secondary address in the interfaces is necessary to work correctly. I don't find no documents in Cisco web , where explain that for the failover process work correctly is mandatory the secondary address in the interfaces.

Thanks for your time.

We are running active/standby

campbech1 — Wed, 01 Oct 2014 04:20:11 GMT

We are running active/standby pairs in a few of our hospitals and have this same configuration where we are supporting regular IP traffic, IPSEC, and client VPN tunnels.

I would suggest putting an unused IP address on each of the standby interfaces and allowing the active firewall to monitor each interface for connectivity issues.

With this configuration I have failed over the firewalls during the day many times without dropping an ICMP ping or even a VPN connection.

Ok then. I'll write the

adiazcastro19 — Wed, 01 Oct 2014 18:44:10 GMT

Ok then. I'll write the secondary address in the interfaces, but one question more.

I understand that the mode (active/active in status Failover) that appear in the output of "show version or show activation-key" commands, It isn't my problem.
I want to be sure before to configure the secondary address. Is there any command or procedure to change this mode?

ASA(config)# sh activation-key
Serial Number: xxxxxx
Running Permanent Activation Key: 0x9xxx 0xaxxx 0xxxxx 0xxxxx 0xxxxxx

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
....

This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
......

Thanks

That is strictly the

campbech1 — Wed, 01 Oct 2014 18:47:01 GMT

That is strictly the licensing. You're configured for active/standby right now so adding the standby addresses won't harm anything.

HTH

Hi adiazcastro19, It is not

rizwanr74 — Wed, 01 Oct 2014 18:53:34 GMT

Hi adiazcastro19,

It is not mandatory that you have a secondary address for standby ASA, however it is required for management purpose only, such as OS upgrade and failover primary to standby and vice verse.

When it is failed-over to standby ASA, the IP addresses from primary ASA will be assigned to standby unit.

Hope that answers your question.

Thanks

Rizwan Rafeek

The standby address for the

Marius Gunnerud — Thu, 02 Oct 2014 09:14:54 GMT

The standby address for the interface IP is not mandatory for the failover pair to be healthy, but it is required if the interface configuration is to be able to take over the virtual IP and MAC to function correctly.

If you have the same IP configured on both ASAs you will run into duplicate IP issues.

Please remember to select a correct answer and rate helpful posts