03-23-2012 04:43 PM - edited 03-11-2019 03:46 PM
Suppose I have an ASA with only a /30 subnet on my outside interface going to my ISP (I have one IP, the ISP has one and then I'm out usable addresses for the /30). If I want to add a second ASA for active/standby redundancy, do I absolutely have to have a failover IP on the outside interface?
Having one on the DMZ or Inside isn't a problem (plenty of addresses left for that).
Does the ASA use IP-based keepalives on all of its interfaces (as opposed to some layer-2 keepalives)? I suspect having the failover interfaces and the inside/dmz interfaces all exchanging keepalives is probably good enough for basic failover to occur should something actually fail.
Suppose somebody accidentally unplugs the outside interface of the active firewall. Since there isn't an IP address on both outside interfaces, would failover occur? Would simply losing ethernet link cause a failover?
03-27-2012 01:12 PM
Hello,
It's not absolutely required to have a standby IP address, but it is definitely recommended. Failover will still work at a device level and the units will still sync, but you won't be able to use interface monitoring on the outside interface, dynamic routing protocols, or manage the Standby unit from the outside.
A failover will still occur if the link on the outside interface goes down as this will be seen as a device-level failure.
-Mike
03-27-2012 02:29 PM
I don't have a spare pair to try NOT doing it on, but the CLI configuration guide's notes list the step "Configure standby addresses for all IP addresses" as a prerequisite for setting up high availability.
03-28-2012 05:59 AM
Yes, you can configure it with one IP address and leave the standby address off the outside interface.
But make sure monitoring is disabled on the outside interface.
Disable monitor interface:
no monitor-interface outside
Thanks
Ajay
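Ajay's answer above comes down to one thing to verify on both units: no interface should be health-checked by failover while lacking a standby address. The check below is an added example (not from this thread or from any Cisco tool) that parses a constructed running-config excerpt for exactly that condition, applying the ASA default that physical interfaces are monitored and subinterfaces are not unless a monitor-interface line says otherwise.

```python
import re

# Constructed ASA running-config excerpt (not from the thread): the outside /30
# has no standby address and monitoring is disabled for it; dmz also lacks a
# standby address but is still monitored by default.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
no monitor-interface outside
"""

def monitored_without_standby(config):
    """Return nameifs that failover health-checks but that have no standby IP.

    ASA default: physical interfaces are monitored, subinterfaces are not;
    'monitor-interface X' / 'no monitor-interface X' override the default.
    """
    ifaces = {}        # nameif -> {"monitored": bool, "standby": bool}
    current = None     # interface block being parsed
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:           # subinterfaces contain a dot, e.g. Gi0/0.10
            current = {"monitored": "." not in m.group(1), "standby": False}
        elif current is not None and line.startswith(" nameif "):
            ifaces[line.split()[1]] = current
        elif current is not None and line.startswith(" ip address "):
            current["standby"] = " standby " in line
        elif line.strip() == "!":
            current = None
        else:
            m = re.match(r"(no )?monitor-interface (\S+)", line)
            if m and m.group(2) in ifaces:
                ifaces[m.group(2)]["monitored"] = m.group(1) is None
    return sorted(n for n, i in ifaces.items()
                  if i["monitored"] and not i["standby"])
```

Run it against the output of `show running-config` from each unit; any nameif it returns either needs a standby address or a `no monitor-interface` line, otherwise that interface can be declared failed on the standby unit without a peer to test against.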