Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
538
Views
5
Helpful
4
Replies

ASA Failover on 5550

raajev007
Level 1
Level 1

‎07-10-2013 12:27 AM - edited ‎03-11-2019 07:10 PM

Hi,

I am new to ASA and like to know that if we can configure the failover on ASA with out standby ip addres.

Labels:
0 Helpful
4 Replies 4

Hardik Vaidh
Level 1
Level 1

‎07-10-2013 04:07 AM

HI Rajeev

i think u must have to configure standby ip. without standby how it's possible. ??

Configuring the failover

failover

failover lan unit primary

failover lan interface FOlink GigabitEthernet0/0

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover link FOlink GigabitEthernet0/0

failover interface ip FOlink 1.1.1.5 255.255.255.252 standby 1.1.1.6

barry
Level 7
Level 7
In response to Hardik Vaidh

‎07-10-2013 04:20 AM

Hi Hardik is correct (+5)

The Failover interface between the two ASAs must have IP addresses on both sides.

However your other interfaces do not have to have standby IP addresses.

I personally don't think this is a great idea, as IMHO it is important to monitor the standby IP addresses on your second firewall to ensure you won't get any problems if you fail over. However it is a valid configuration.

Where I do tend to to use this is on the Internet facing interface where I don't have a spare public IP address available for the failover unit.

HTH.

Barry Hesk

Intrinsic Network Solutions

0 Helpful

Hardik Vaidh
Level 1
Level 1
In response to barry

‎07-10-2013 04:32 AM

HI Barry.

1st you have to configure only primary firewall and it will sync autometically with secoundary firewall.

failover link ip 1.1.1.5 for primary and 1.1.1.6 for secounday firewall. it's  call heartbeat link.

also you have to configure interface

interface GigabitEthernet0/1

speed 1000

duplex full

nameif Outside

security-level 50

ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2

0 Helpful

barry
Level 7
Level 7
In response to Hardik Vaidh

‎07-10-2013 04:50 AM

Hi Hardik

Yes, I know.

My comment is that once you have the failover link configured between the two ASAs, and they have performed a sync, you DON'T have to add standby IP addresses to the other interfaces. In your example above, you don't HAVE to assign 10.10.10.2 as a standby address on the outside interface. Failover will work fine without it.

IMHO its a good idea to add standby addresses so you can monitor them, but you don't have to.

Barry Hesk

Intrinsic Network Solutions

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card