https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347170#M311421 <P>Hello Experts,</P><P></P><P>I have a question about adding 2 new sub-interfaces to my firewall on active/standby config.</P><P></P><P>If <A></A>i add a new sub-interface to an active firewall with existing sub-interface, do i need to add thesame sub-interface config to the standby also? </P><P></P><P>I look forward to your response.</P><P></P><P>i.e <STRONG>on active firewall</STRONG></P><P></P><P>interface GigabitEthernet0/1.120</P><P>vlan 120</P><P>nameif Test</P><P>security-level 100</P><P>ip address 192.168.0.1 255.255.0.0&nbsp; </P><P></P><P><STRONG>Do i need to do the below on standby also</STRONG></P><P></P><P>interface GigabitEthernet0/1.120</P><P>vlan 120</P><P>nameif Test</P><P>security-level 100</P><P>ip address 192.168.0.1 255.255.0.0&nbsp; </P><P></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 02:48:16 GMT smetieh001 2019-03-12T02:48:16Z https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347170#M311421 <P>Hello Experts,</P><P></P><P>I have a question about adding 2 new sub-interfaces to my firewall on active/standby config.</P><P></P><P>If <A></A>i add a new sub-interface to an active firewall with existing sub-interface, do i need to add thesame sub-interface config to the standby also? </P><P></P><P>I look forward to your response.</P><P></P><P>i.e <STRONG>on active firewall</STRONG></P><P></P><P>interface GigabitEthernet0/1.120</P><P>vlan 120</P><P>nameif Test</P><P>security-level 100</P><P>ip address 192.168.0.1 255.255.0.0&nbsp; </P><P></P><P><STRONG>Do i need to do the below on standby also</STRONG></P><P></P><P>interface GigabitEthernet0/1.120</P><P>vlan 120</P><P>nameif Test</P><P>security-level 100</P><P>ip address 192.168.0.1 255.255.0.0&nbsp; </P><P></P><P></P><P>Thanks</P> Tue, 12 Mar 2019 02:48:16 GMT https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347170#M311421 smetieh001 2019-03-12T02:48:16Z https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347171#M311422 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>In a Failover pair of ASAs you only add the interface configurations in the Active unit.</P><P></P><P>Note also in your above configuration example that you have NOT configured any <STRONG>"standby"</STRONG> IP address which defines the IP address that the Standby unit uses.</P><P></P><P>It should be</P><P></P><P><STRONG>interface GigabitEthernet0/1.120</STRONG></P><P><STRONG>vlan 120</STRONG></P><P><STRONG>nameif Test</STRONG></P><P><STRONG>security-level 100</STRONG></P><P><STRONG>ip address 192.168.0.1 255.255.0.0 standby 192.168.0.x</STRONG></P><P></P><P>Or something to that direction. The configurations are replicated from Active to Standby device so no need to configure interface on the Standby unit separately.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 07 Oct 2013 16:08:22 GMT https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347171#M311422 Jouni Forss 2013-10-07T16:08:22Z https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347172#M311425 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>Thanks for your response. Do i have to do </P><P></P><P><STRONG>ip address 192.168.0.1 255.255.0.0 standby 192.168.0.x</STRONG></P><P><STRONG> </STRONG></P><P>I already have one sub-interafce configured with standby address like that (as above) while other subs are configured without standby? I guess what i am asking is that what is the impact of not using the "standby 192.168.0.x"?</P><P></P><P>Thanks again.</P></BODY></HTML> Mon, 07 Oct 2013 16:26:49 GMT https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347172#M311425 smetieh001 2013-10-07T16:26:49Z https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347173#M311426 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Well to my understanding the <STRONG>"standby"</STRONG> IP address is mainly used for the communication between the devices themselves to monitor the state of the devices and interfaces in the Failover. </P><P></P><P>It doesnt actually participate in passing traffic as the first IP address in the configuration is always used on the Active device, not the <STRONG>"standby"</STRONG>.</P><P></P><P>I don't see any reason not to configure the <STRONG>"standby"</STRONG> IP address on local interfaces (since you usually use private IP addresses that you dont really run out of). I guess some people do leave out the <STRONG>"standby"</STRONG> IP address on the <STRONG>"outside" </STRONG>interface if they dont have enough public IP addresses.</P><P></P><P>Also to my understanding if you create subinterfaces on an ASA that is part of a Failover pair then you will need a separate command <STRONG>"monitor-interface"</STRONG> to enable monitoring of this logical interface (subinterface). I think by default the ASA doesnt monitor a logical interface otherwise.</P><P></P><P>The ASA Configuration Guide and Command Reference documents contain a lot of valuable information about the ASA Failover behaviour.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 07 Oct 2013 17:12:46 GMT https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347173#M311426 Jouni Forss 2013-10-07T17:12:46Z https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347174#M311428 <HTML><HEAD></HEAD><BODY><P> Thanks Jouni!</P></BODY></HTML> Mon, 07 Oct 2013 17:30:28 GMT https://community.cisco.com/t5/network-security/adding-sub-interfaces-to-a-active-standby-config/m-p/2347174#M311428 smetieh001 2013-10-07T17:30:28Z