AM

I question your assertion that:

ASA failover works fine without the standby address.

If you configure a pair of ASA for failover and use only a single address for the interface of the primary/active ASA then perhaps it works if there is a catastrophic failure of the primary/active ASA and the backup migt take over. But what happens if there is a problem with the interface of the primary/active ASA. How will the backup ASA determine that it needs to take over from the primary if it can not query the primary interface? And how will it query the primary interface unless it has its own address?

HTH

Rick

Ok. I understand that the standby IP address is used for monitoring the interface. What if I have multiple vlans in one interface? Is it relevant to configure standby addresses in all of them?

Regards,

AM

Yes standby ip for each vlan.

This link for more details-http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Thanks

Ajay

I had read the document and found that it is not very clear about this subject.

If I have the following topology:

ASA-MAIN <802.1q> switch <802.1q over LACP > switch <802.1q> ASA-STDBY,

with the routers/gateways connected in the switches.

If one of the physical ports or equipment fails, I don't see what is the point of having multiple standby ip addresses in the vlan's that share the same physical port.

Regards,

Antonio

Hi Ajay, 

I'm also in a similar situation. Just wanted some clarification on your last sentence in your previous post "Note - Not going to part of failover incase of failure" are you saying if the standby IP is not set and something went wrong with the interface on the primary/active, then this particular interface will not failover to the standby firewall because there is no standby IP? Is'nt the failover link used to sync the connection states between the 2 firewalls? Also, in a situation where the entire primary/active firewall was to go down then I'm assuming the secondary will also takeover for this interface?

I will try to elaborate on what has already been said.

The standby IP is used to send hello packets between the active and standby firewalls in the instance that the failover link has failed.  In normal operating hello packets are sent over the failover link, if that link fails and you do not have any standby IPs configured you will end up with a split-brain situation where both firewalls become active.

Thanks Marius! that clarifies it.

Hi @mickpro77 

Would be good if you created a new post for this so that the solution is easier to find for other users, and not to mention that points and correct answers can be awarded to the contributor that posts a correct answer or helpful post.

That being said, so long as you are only touching the management interfaces there should be no issues with this.  All you need to do is remove the standby IP from the management interface, disable interface monitoring, and allocate a new / different subnet for the management network at one of the DCs.

Hi,

Thanks Marius.

That won't work though (see why in thread down below).

I've found a solution, thanks.

For those that may be interested, see my msg in the following thread:

https://community.cisco.com/t5/network-security/how-to-fix-mgmt-interface-ip-in-asa-failover-from-switching/td-p/3699643

So I take it you do not have FTD hardware then?  Please provide what model hardware you are running as this will affect the answers you get.  As ASA hardware is EOL or even EOS the assumption will be that you are running newer hardware.

If you are running FTD and have assigned an IP to FXOS management interface then you can jump to the ASA prompt by entering "connect asa"