https://community.cisco.com/t5/network-security/asa-failover-a-s-eigrp/m-p/2125697#M394410 <P>Greetings,</P><P></P><P>This is a question concerning EIGRP and static routes on our ASA Failover pair in an A/S configuration. The Active ASA is participating in an EIGRP AS and the Standby doesn’t receive any of the EIGRP routes, which, if I understand correctly, is the expected behavior. The problem that we are trying to solve is how to use a Network Management Server (NSM) to actively monitor via ICMP the Standby in case it goes down. This is not working now because NMS is not directly connected to the A/S failover pair and thus it cannot ping the Standby firewall since there is no route back to the NMS. Our proposed solution is to add a static route that points to the NMS. We believe the best way to do this is to configure the route with higher administrative distance than EIGRP (&gt;90) so the Standby firewall would have a route back to the NMS and it wouldn’t affect the active EIGRP routing. Please let me know if we what were are proposing is a good practice. Any suggestions would be appreciated. Thanks for the assitance.</P><P></P><P>fwco01# show running-config router&nbsp; </P><P>!</P><P>router eigrp 200</P><P>no auto-summary</P><P>eigrp stub connected static summary</P><P>network 10.NNN.0.0 255.0.0.0</P><P>passive-interface default</P><P>no passive-interface DMZ</P><P>no passive-interface OUTSIDE</P><P>no passive-interface OUTSIDE-BACKUP</P><P>redistribute static</P><P>!</P><P></P><P>Proposed Route:</P><P>route DMZ 10.NNN.79.250 255.255.255.255 10.NNN.249.252 100</P> Tue, 12 Mar 2019 00:34:55 GMT kkeelan 2019-03-12T00:34:55Z https://community.cisco.com/t5/network-security/asa-failover-a-s-eigrp/m-p/2125697#M394410 <P>Greetings,</P><P></P><P>This is a question concerning EIGRP and static routes on our ASA Failover pair in an A/S configuration. The Active ASA is participating in an EIGRP AS and the Standby doesn’t receive any of the EIGRP routes, which, if I understand correctly, is the expected behavior. The problem that we are trying to solve is how to use a Network Management Server (NSM) to actively monitor via ICMP the Standby in case it goes down. This is not working now because NMS is not directly connected to the A/S failover pair and thus it cannot ping the Standby firewall since there is no route back to the NMS. Our proposed solution is to add a static route that points to the NMS. We believe the best way to do this is to configure the route with higher administrative distance than EIGRP (&gt;90) so the Standby firewall would have a route back to the NMS and it wouldn’t affect the active EIGRP routing. Please let me know if we what were are proposing is a good practice. Any suggestions would be appreciated. Thanks for the assitance.</P><P></P><P>fwco01# show running-config router&nbsp; </P><P>!</P><P>router eigrp 200</P><P>no auto-summary</P><P>eigrp stub connected static summary</P><P>network 10.NNN.0.0 255.0.0.0</P><P>passive-interface default</P><P>no passive-interface DMZ</P><P>no passive-interface OUTSIDE</P><P>no passive-interface OUTSIDE-BACKUP</P><P>redistribute static</P><P>!</P><P></P><P>Proposed Route:</P><P>route DMZ 10.NNN.79.250 255.255.255.255 10.NNN.249.252 100</P> Tue, 12 Mar 2019 00:34:55 GMT https://community.cisco.com/t5/network-security/asa-failover-a-s-eigrp/m-p/2125697#M394410 kkeelan 2019-03-12T00:34:55Z https://community.cisco.com/t5/network-security/asa-failover-a-s-eigrp/m-p/2125698#M394415 <HTML><HEAD></HEAD><BODY><P>Hello Ken,</P><P></P><P>To be honest with you, that sounds good but what I am not sure is the fact that the standby unit does not have a routing table at all so wheter it has a route on its routing table is not gonna use it.</P><P></P><P>So what I would do is to take advantage of the Proxy-arp feature with ARP <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>We know the Standby ASA knows how to reach the primary unit right ( If this were not the case how would it exchange hello packets with the primary one) so what we could do is to let the primary ( Active) ASA the following:</P><P>-Perfom a nat translation from the NMS machine to the asa primary interface ip address when the destination is the standby ip addres <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> In this case the secondary unit will receive the packet and it will know where to reply...</P><P></P><P>Let me know if you could test both of them and of course share the result</P><P></P><P>Julio</P></BODY></HTML> Sat, 08 Dec 2012 06:53:09 GMT https://community.cisco.com/t5/network-security/asa-failover-a-s-eigrp/m-p/2125698#M394415 Julio Carvajal 2012-12-08T06:53:09Z