topic Hello Marius,Well, I didn't in Network Security

Firewall Failover without standby address

adiazcastro19 — Tue, 12 Mar 2019 04:50:09 GMT

Hello,

We have two ASA5525 in mode failover. Only one them has IP address configuration. For example:

!
interface GigabitEthernet0/0
description outside
nameif outside
security-level 0
ip address 71.210.56.231 255.255.255.252
!
interface GigabitEthernet0/1
description DMZ_Servicios
nameif DMZ_Servicios
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ_IPSEC
nameif DMZ_IPSEC
security-level 40
ip address 10.110.61.225 255.255.255.240
!

ASA# sh running-config | i failover
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/7
failover key *****
failover link failoverlan GigabitEthernet0/7
failover interface ip failoverlan 1.1.1.1 255.255.255.252 standby 1.1.1.2
!

ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlan GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 08:10:17 UTC Sep 2 2014
This host: Primary - Active
Active time: 2348911 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (71.210.56.231): Normal (Not-Monitored)
Interface DMZ_Servicios (192.168.1.1): Normal (Waiting)
Interface DMZ_IPSEC (10.110.61.225): Normal (Waiting)
Interface inside (10.115.70.18): Normal (Not-Monitored)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface DMZ_Servicios (0.0.0.0): Unknown (Waiting)
Interface DMZ_IPSEC (0.0.0.0): Unknown (Waiting)
Interface inside (0.0.0.0): Normal (Not-Monitored)
!

If we put the secondary address in the interface, the failover works fine when we put in mode shutdown the interface (IPSEC or Servicio), but with this configuration, the secondary FW only works when the primary FW is down.
Although we put in mode monitor the interfaces (Servicios and IPSEC), the secondary FW doesn´t work if we put in mode shutdown the "Ipsec or Servicios" interface.
We want to know if this configuration works fine with Failover, or it is necesary (mandatory) put the secondary address in the interfaces.

Thanks

It is mandatory to put the

Marius Gunnerud — Tue, 30 Sep 2014 06:36:37 GMT

It is mandatory to put the secondary IP address on the interfaces. Putting the interface in shutdown to test failover is not the way to do it. This puts the interface in Administrative shutdown and the ASA is smart enough to realize this is not a failover situation. What you should do is unplug the cable from the IPsec and/or Servicio ports, then you should be able to see the failover happen.

Please remember to select a correct answer and rate helpful posts

Hello Marius,Well, I didn't

adiazcastro19 — Tue, 30 Sep 2014 19:53:38 GMT

Hello Marius,

Well, I didn't explain correctly. When I told that I put the interface in mode shutdown. I wanted to say that I put in mode shutdown the interface connected to the switch (not in the firewall). It is the same that unplug the cable, but the failover didn't work.
Then, if you say me that it is mandatory to put the secondary IP address, for me it is sufficient. But I don't find any document in cisco in where explain that it is mandatory.

Thanks

If memory serves me correct,

Marius Gunnerud — Wed, 01 Oct 2014 06:48:39 GMT

If memory serves me correct, if you do not have the secondary IP address configured that interface configuration will not be synchronized to the standby ASA. So in the sense that it must be required for the failover pair to be healthy...it is not required. But if you are setting up a failover pair and you do not want the interfaces to be replicated to the standby then there really is no point in setting up a failover pair.

Please remember to select a correct answer and rate helpful posts