topic Re: Single IP Failover Pair in Network Security

Single IP Failover Pair

manuadoor — Mon, 11 Mar 2019 17:14:43 GMT

Hi,

My internet leased line will be terminated on an ASA 5510 which is in Active/Passive Failover. My problem is I have got a /30 address range from ISP.

Total 2 IPs, one IP will be in ISP router.. and only 1 left for me.. I cannot use any extra device between ASA and ISP router.

Regards,

Manu B.

Re: Single IP Failover Pair

Federico Coto Fajardo — Thu, 25 Feb 2010 15:54:33 GMT

Hi,

Unfortunately not much to do here....

You need at least a /29 mask to allow an IP to both ASA's outside interfaces besides the default gateway.

You can ask your ISP for a /29 range.

Federico.

Re: Single IP Failover Pair

Panos Kampanakis — Thu, 25 Feb 2010 22:03:00 GMT

Failover will work just fine, the only problem would be for monitoring the interfaces and if you would like to log in to the standby from the outside you would have no ip available.

Many people run failover with no standby ip addresses. Not the ideal solution but failover will still work.

I hope it helps.

Re: Single IP Failover Pair

manuadoor — Fri, 26 Feb 2010 05:29:48 GMT

ok.. What I understand is I can make a failover pair with single ip, but for cannot monitor, login to standby asa thru outside interface.

Can you send the configurarion (link) for the same.

Re: Single IP Failover Pair

Panos Kampanakis — Fri, 26 Feb 2010 14:18:43 GMT

Here is the link that has it http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1058096

I hope it helps.

Re: Single IP Failover Pair

Kureli Sankar — Fri, 26 Feb 2010 14:23:07 GMT

Mandor,

No standby IP on the outside interface is very common. A lot of people are in the same situation as you. It may be simply incomplete configuration according to Cisco but, it certainly does not affect failover from working. If the primary/active unit were to fail due to some hardware failure certainly the secondary/standby unit will take over and become the active unit.

The solution to this problem is to use private IP between the firewall and the router and then use the /30 address space on the router facing the internet.

Inside network----(IN)ASA(OUT)----Private_IP---Router---Public /30 IP---Internet.

-KS

Single IP Failover Pair

dylan.webb — Mon, 13 Aug 2012 22:02:35 GMT

Hi,

Is this a valid cisco supported configuration - If i use this method (/30 on outside) on my pair of ASAs and have an issue that I need to contact the tac about, will they support me with this configuration?

Thanks

DGW

Single IP Failover Pair

zujalal — Tue, 14 Aug 2012 01:17:37 GMT

If you are using dynamic routing on the ASA, then not having a standby IP address will be a problem because in case of a failover, the ASA will not clear its routing table and reset the process. It needs an IP address on the interface to clear that.

Without a standby IP address, the ASA will leave the duplicate routes in place when the unit becomes active until they are cleared manually.

HTH.

Zubair

Single IP Failover Pair

dylan.webb — Tue, 14 Aug 2012 01:24:26 GMT

Is this a valid cisco supported configuration and will the Cisco TAC support this configuration?

Thanks

DGW

Single IP Failover Pair

zujalal — Tue, 14 Aug 2012 01:28:45 GMT

I dont see a reason why they wont support it. ASA provides the flexibility of using a single IP address for failover to work. If they didnt support it, i am sure the feature would not be there 🙂

However, if you face an issue with failover, the first thing that they will tell you is to use a standby IP address.

HTH

Zubair

Single IP Failover Pair

javi_cesp — Thu, 17 Jan 2013 11:13:53 GMT

Zujalal,

I didn't understand why is going to be a problew if you are using dynamyc routing and you don't have stand by ip configurated. Why is going to be duplicated routes? Would you be more especific?

Best regards.

Single IP Failover Pair

ALIAOF_ — Thu, 17 Jan 2013 17:41:26 GMT

Do you have to use the ISP router, can you connect the cable directly to the ASA? Also can't you get more IP's from your ISP like a /29

Single IP Failover Pair

cisconell — Tue, 19 Mar 2013 08:04:01 GMT

Hi guys,

since we have same ip configured "No standby ip " on outside interface of both ASA , when there is a failover , there will be a change in the MAC addreess associated with the outside ip address right ?

the isp will see a different mac each time during a failover from asa 1 to 2 or 2 to 1 .

Single IP Failover Pair

Jouni Forss — Tue, 19 Mar 2013 08:53:29 GMT

Hi,

The MAC address should be unchanged when a failover occurs. The Standby ASA inherits both the IP address and the same MAC address the previous Active unit was using.

Otherwise normally you would probably have downtime in the network connections if the ARP on the upstream router hasnt been updated to the new MAC.

- Jouni

Single IP Failover Pair

cisconell — Tue, 19 Mar 2013 16:06:16 GMT

So you mean even though we dont configure standby ip on the outside interface ...instead we have same ip address on both asa on outside interface there will not be any change in MAC.

So what make different in failover when we have ASA with standby ip configured on outside interface and with out standbyip.

My Understanding.

1.In both case failover happen successfully

2.No change in mac

3.monitor interface can be enabled on outside interface in both case .

Single IP Failover Pair

Kureli Sankar — Tue, 19 Mar 2013 16:10:05 GMT

cisconell,

That is correct. There is only one active IP and standby IP. In your case the standby IP is 0.0.0.0

The only problem with that is you cannot monitor the interface.

Failover will work perfectly fine but, Cisco recommends that you have an IP address configured as standby IP address.

-Kureli

Single IP Failover Pair

cisconell — Wed, 20 Mar 2013 09:39:14 GMT

Thanks Kureli,

The only problem with that is you cannot monitor the interface. -------which mean when the outiside interface of ASA 1 goes down it will not failover to ASA 2 ?

Or it even dont accept to apply the config monitor interface outside ?

Re: Single IP Failover Pair

geo — Mon, 09 Oct 2017 10:14:53 GMT

Dear Kureli,

i have the same issues from my ISP i have only one IP, so the failover will work fine right ?