ASA 5515-X active / standby single public IP configuration help

Mark19 · ‎03-25-2021

Hi all,

First post, please be kind (Networking is not my speciality)

We have an ASA 5515-X in a data centre, it is the edge device and has a single outside / public IP connected

I've been asked if these can be setup in an active / standby configuration, I've done some reading and have an understanding about failover links between the two devices and how the active config is replicated to the standby ASA.

However, as there is only a single Public IP address connected to the active unit, how does outbound / internet traffic flow if this unit was to fail and the secondary become the active?

Thanks in advance,

Mark

Marvin Rhoads · ‎03-25-2021

When the secondary unit becomes active it "takes over" the dataplane interface addresses from the previously active unit. It will issue gratuitous arp packets so that neighboring devices know that new mac addresses are handling those addresses.

Mark19 · ‎03-25-2021

Does that mean that traffic will continue to pass through the dead device to the now primary? I've attached an amateurish draw diagram

Sheraz.Salim · ‎03-25-2021

according to your diagram if the Origianl ASA setup as primary with one single ip address configured on outside interface. for some reason if the devices dead/bricked in that case your single ip address configured on the Original ASA will be passed to the Secondary Standby firewall. ofcouse at this stage as soon as the Primay active dies the Secondary ASA will become active as Marvin mentioned behind the scense GARP and Dataplane traffic.

please do not forget to rate.

johnlloyd_13 · ‎03-26-2021

hi,

the single 'outside' or public IP is fine. as others have mentioned, the public IP will 'failover' to the standby FW as long as the FW 'outside' ports are on the same VLAN (with ISP GW/port).