topic ASA5540 standby ip in Network Security https://community.cisco.com/t5/network-security/asa5540-standby-ip/m-p/1997523#M401155 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1.) Looking at the network mask used in the interface it seems that the standby IP address is configured wrong. Also, there is not supposed to be any configurations related to the standby IP address. I mean no NAT configurations or access-list statements as its just there for the Failover to work. (To my understanding)</P><P></P><P>2.) What you should do is configure another IP from the same network range as the primary IP. When you change the standby IP address you naturally only configure it on the active device as the standby device automatically receives the configuration change from the primary device (provided that the actual failover is working properly)</P><P></P><P>3.) The IP ending in .120 cannot be used as its not from the same network range as .100 (when you are using a mask of /29) When you have a correct IP address from same network configured on the standby ASA you should be able to ping it and also see it on the "show arp" command on the ASA</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 07 Aug 2012 07:56:46 GMT Jouni Forss 2012-08-07T07:56:46Z ASA5540 standby ip https://community.cisco.com/t5/network-security/asa5540-standby-ip/m-p/1997522#M401152 <P>Hi,</P><P></P><P>I have this 2x ASA5540 firewall and notice the it is configured with a standby ip. The firewall is run in Active/Passive mode.</P><P>However, the standby ip of this firewall is not point to the seconday firewall and vice versa for the primary firewall.</P><P></P><P><SPAN style="font-size: 10pt;">ASA5540_Pri</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">interface GigabitEthernet0/1</SPAN></P><P></P><P><SPAN style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">nameif dmz_pri</SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">security-level 50</SPAN></P><P></P><P><SPAN style="font-size: 12pt;"></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif; font-size: 10pt;">ip address x.x.x.100 255.255.255.248 standby x.x.x.120 </SPAN></P><P><SPAN style="font-size: 10pt; font-family: arial,helvetica,sans-serif; "> </SPAN><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt; "> </SPAN><SPAN style="font-size: 10pt;">1) May i know how is this configuration valid in the first place? I have checked through the configuration. </SPAN></P><P><SPAN style="font-size: 10pt;">None of the configuration is related to this ip address.</SPAN></P><P><SPAN style="font-size: 12pt;"> </SPAN><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 10pt; "> </SPAN><SPAN style="font-size: 10pt;">2) Can we remove this standby ip address on both the firewall and correct to the correct primary and seconadary ip address in both firewall?</SPAN></P><P><SPAN style="font-size: 10pt; "> </SPAN><SPAN style="font-size: 10pt;"> </SPAN></P><P><SPAN style="font-size: 12pt; "> </SPAN><SPAN style="font-size: 10pt;">3) We tried to use this ip address but cannot be used ? Any idea is it related to the configuration of the standby ip address.</SPAN></P><P><SPAN style="font-size: 12pt;"> </SPAN><SPAN style="font-size: 10pt;">&nbsp;&nbsp;&nbsp; Do note that the ping to this ip address x.x.x.120 is unreachable.</SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt;">Regards</SPAN></P><P><SPAN style="font-size: 10pt;">KH</SPAN></P><P></P><P></P><P></P><P></P><P></P> Mon, 11 Mar 2019 23:39:02 GMT https://community.cisco.com/t5/network-security/asa5540-standby-ip/m-p/1997522#M401152 kian_hong2000 2019-03-11T23:39:02Z ASA5540 standby ip https://community.cisco.com/t5/network-security/asa5540-standby-ip/m-p/1997523#M401155 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1.) Looking at the network mask used in the interface it seems that the standby IP address is configured wrong. Also, there is not supposed to be any configurations related to the standby IP address. I mean no NAT configurations or access-list statements as its just there for the Failover to work. (To my understanding)</P><P></P><P>2.) What you should do is configure another IP from the same network range as the primary IP. When you change the standby IP address you naturally only configure it on the active device as the standby device automatically receives the configuration change from the primary device (provided that the actual failover is working properly)</P><P></P><P>3.) The IP ending in .120 cannot be used as its not from the same network range as .100 (when you are using a mask of /29) When you have a correct IP address from same network configured on the standby ASA you should be able to ping it and also see it on the "show arp" command on the ASA</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 07 Aug 2012 07:56:46 GMT https://community.cisco.com/t5/network-security/asa5540-standby-ip/m-p/1997523#M401155 Jouni Forss 2012-08-07T07:56:46Z