Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1214
Views
15
Helpful
3
Replies

Standby IP for Active-Standby Context Firewall

Go to solution
johnlloyd_13
Level 9
Level 9

‎02-22-2019 07:43 AM - edited ‎02-21-2020 08:51 AM

hi,

i'm going to migrate a standalone ASA5520 Context FW to a ASA5525-x HA.

my question is, can i configure the ASA5525-X context with just a single 'outside' IP? this is due to broken or discontiguous IP assignment.

will failover work to the secondary 5525-X FW even without the standby outside IP?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ngkin2010
Level 7
Level 7

‎02-22-2019 09:32 AM - edited ‎02-22-2019 09:33 AM

You don't need to get two IP address to make HA work.

# interface gi0/0
# nameif inside
# ip address <primary ip> standby <secondary ip>

The primary ASA always use the primary IP address, when it fail-over to another ASA, it will pick up the primary IP.

The secondary IP is for you to access the standby unit, have no special function on control plane / data plane.

 

That's mean, the following configuration should also work well.

 

# interface gi0/0
# nameif inside
# ip address <primary ip>

View solution in original post

3 Replies 3

Go to solution
ngkin2010
Level 7
Level 7

‎02-22-2019 09:32 AM - edited ‎02-22-2019 09:33 AM

You don't need to get two IP address to make HA work.

# interface gi0/0
# nameif inside
# ip address <primary ip> standby <secondary ip>

The primary ASA always use the primary IP address, when it fail-over to another ASA, it will pick up the primary IP.

The secondary IP is for you to access the standby unit, have no special function on control plane / data plane.

 

That's mean, the following configuration should also work well.

 

# interface gi0/0
# nameif inside
# ip address <primary ip>

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-22-2019 09:36 AM

Yes it will work, I tested this couple of times

Go to solution
venkat_n7
Level 1
Level 1

‎02-22-2019 11:44 AM

I did testing just now, that should work like others said. i gives warning but everything should be fine.

 

Please rate comments and support
with regards,
Venkat
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card