12-18-2011 05:32 PM - edited 03-11-2019 03:03 PM
It seems that ASA failover works fine without the standby address. What is the advantage of wasting an IP address?
Regards,
AM
12-20-2011 05:05 AM
In that case you can do it without standby also, but for management purposes you should have an IP on standby also. That's basically for the monitor interface, and both exchange hellos out of that interface.
For example, suppose you have only one public IP, so there is no option to configure a standby IP for the secondary unit; in that case the monitor interface can be disabled. Note: it is not going to be part of failover in case of failure.
Thanks
Ajay
12-18-2011 06:18 PM
Hello Ajtm,
The standby IP address will be used in order to exchange hello packets between the interfaces of the active unit (IP address) and the standby unit (IP address).
If the interfaces do not exchange hello packets, the state of that interface will be normal (waiting), which will cause some issues if you are monitoring that interface.
Please rate helpful posts,
Kind regards,
Julio
12-18-2011 07:58 PM
AM
I question your assertion that:
ASA failover works fine without the standby address.
If you configure a pair of ASAs for failover and use only a single address for the interface of the primary/active ASA, then perhaps it works if there is a catastrophic failure of the primary/active ASA and the backup might take over. But what happens if there is a problem with the interface of the primary/active ASA? How will the backup ASA determine that it needs to take over from the primary if it cannot query the primary interface? And how will it query the primary interface unless it has its own address?
HTH
Rick
12-20-2011 03:27 AM
Ok. I understand that the standby IP address is used for monitoring the interface. What if I have multiple vlans in one interface? Is it relevant to configure standby addresses in all of them?
Regards,
AM
12-20-2011 03:49 AM
Yes, a standby IP for each VLAN.
See this link for more details: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
Thanks
Ajay
12-20-2011 04:16 AM
I had read the document and found that it is not very clear about this subject.
If I have the following topology:
ASA-MAIN <802.1q> switch <802.1q over LACP > switch <802.1q> ASA-STDBY,
with the routers/gateways connected in the switches.
If one of the physical ports or equipment fails, I don't see what the point is of having multiple standby IP addresses in the VLANs that share the same physical port.
Regards,
Antonio
08-03-2022 11:10 AM
Hi Ajay,
I'm also in a similar situation. Just wanted some clarification on the last sentence in your previous post, "Note - Not going to part of failover incase of failure": are you saying that if the standby IP is not set and something went wrong with the interface on the primary/active, then this particular interface will not fail over to the standby firewall because there is no standby IP? Isn't the failover link used to sync the connection states between the 2 firewalls? Also, in a situation where the entire primary/active firewall was to go down, I'm assuming the secondary will also take over for this interface?
08-03-2022 12:43 PM
I will try to elaborate on what has already been said.
The standby IP is used to send hello packets between the active and standby firewalls in the instance that the failover link has failed. In normal operation, hello packets are sent over the failover link; if that link fails and you do not have any standby IPs configured, you will end up with a split-brain situation where both firewalls become active.
08-03-2022 01:25 PM
Thanks Marius! That clarifies it.
09-13-2024 04:12 PM - edited 09-13-2024 04:18 PM
Hi,
I have a related scenario/question.
At the moment we have 2 ASA FWs in a stateful pair; they are physically in different locations though, one is in DC-A and the other one in DC-B.
They are interconnected via VLANs that run through backbone switches and core routers and are then "stretched" across locations/DCs via xconnects.
This creates broadcast domains covering 2 different and distant locations.
Like so:
FW-A ----- SW-A ----- CORE-A ----- CORE-B ----- SW-B ----- FW-B
And that for all interfaces:
Inside
Outside
MGT
Failover
Where each interface uses a different VLAN:
Inside - VLAN2
Outside - VLAN3
MGT - VLAN4
Failover - VLAN5
A total of 4 VLANs stretched therefore.
From a L3 perspective it looks like this:
Inside - 10.0.0.1/24 (DC-A) standby 10.0.0.2 (DC-B)
Outside - 11.0.0.1/24 (DC-A) standby 11.0.0.2 (DC-B)
MGT - 172.16.0.1/24 (DC-A) standby 172.16.0.2 (DC-B)
Failover - none (failover works with L2 only AFAIK)
And it's working fine.
Now, we want to migrate the MGT interfaces to a new MGT VLAN.
VLAN6 for example.
Problem is, VLAN6 is NOT stretched across DCs, and we don't want it to be.
It exists in both locations but it's secluded per-DC.
And it's associated to a different IP subnet per-DC.
DC-A VLAN6 = 172.17.0.0/24
DC-B VLAN6 = 172.18.0.0/24
It's important to say that we do not want to change anything else, only MGT!
How can we achieve this?
Can we not simply disable failover on MGT (only), so each FW has a fixed and dedicated MGT IP instead of interchanging ones?
If even possible, how would that work with replication though?
09-16-2024 12:16 AM
Hi @mickpro77
It would be good if you created a new post for this so that the solution is easier to find for other users, not to mention that points and correct answers can be awarded to the contributor that posts a correct answer or helpful post.
That being said, so long as you are only touching the management interfaces there should be no issues with this. All you need to do is remove the standby IP from the management interface, disable interface monitoring, and allocate a new / different subnet for the management network at one of the DCs.
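The two configuration patterns discussed in this thread, an interface with a standby address plus `monitor-interface` (as Marius and Rick describe for interface health checks) and a management interface with no standby address and monitoring disabled (as suggested in the reply above), can be checked mechanically. The following Python script is an added example, not code from any poster here: it parses a constructed ASA running-config excerpt and reports any interface that is monitored but has no standby address, which is the combination the thread warns about. The addresses reuse the 10.0.0.x/11.0.0.x/172.17.0.x examples from the thread; the `dmz` subinterface, the failover link addresses and the interface names are constructed for the example, and the script assumes monitoring is stated explicitly with `monitor-interface` lines rather than relying on ASA defaults.

```python
import re
from typing import Dict, List, Set

# Constructed ASA running-config excerpt (example data, not a real device).
# inside/outside are 802.1q subinterfaces, each with its own standby address
# and monitored; management has no standby and monitoring disabled, as the
# thread suggests; dmz is monitored but has no standby, which the check flags.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.2
 vlan 2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet0/0.3
 vlan 3
 nameif outside
 security-level 0
 ip address 11.0.0.1 255.255.255.0 standby 11.0.0.2
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.17.0.1 255.255.255.0
!
interface GigabitEthernet0/1.7
 vlan 7
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
monitor-interface inside
monitor-interface outside
monitor-interface dmz
no monitor-interface management
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IP_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?")
MON_RE = re.compile(r"^(no\s+)?monitor-interface\s+(\S+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its interface, active IP and standby IP (None if absent)."""
    result: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        if line.strip() == "!":          # end of an interface block
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = {"interface": m.group(1), "ip": None, "standby": None}
            continue
        if current is None:
            continue
        m = NAMEIF_RE.match(line)
        if m:
            result[m.group(1)] = current
            continue
        m = IP_RE.match(line)
        if m:
            current["ip"] = m.group(1)
            current["standby"] = m.group(3)  # None when no 'standby' keyword
    return result


def monitored_interfaces(config: str) -> Set[str]:
    """Nameifs with an explicit, non-negated 'monitor-interface' line.
    Assumption: the config states monitoring explicitly; ASA defaults are not modelled."""
    monitored: Set[str] = set()
    for line in config.splitlines():
        m = MON_RE.match(line)
        if m:
            if m.group(1):
                monitored.discard(m.group(2))
            else:
                monitored.add(m.group(2))
    return monitored


def monitored_without_standby(config: str) -> List[str]:
    """Interfaces that are monitored but have no standby address: the standby unit
    cannot exchange hellos on them, so interface monitoring cannot work there."""
    ifaces = parse_interfaces(config)
    return sorted(n for n in monitored_interfaces(config)
                  if n in ifaces and ifaces[n]["standby"] is None)


if __name__ == "__main__":
    for name, info in parse_interfaces(SAMPLE_CONFIG).items():
        print(f"{name:12} {info['interface']:22} active={info['ip']} standby={info['standby']}")
    print("monitored without standby:", monitored_without_standby(SAMPLE_CONFIG))
```

Run against the sample, the report flags only `dmz`: `inside` and `outside` each carry a standby address on their own VLAN subinterface, and `management` has neither a standby address nor monitoring, which is the consistent state for a per-DC management subnet. On a real pair, feed the script the output of `show running-config` from the active unit; any interface it lists is one where either a standby address should be added or `no monitor-interface` should be set.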
09-18-2024 10:11 AM
Hi,
Thanks Marius.
That won't work though (see why in the thread linked below).
I've found a solution, thanks.
For those that may be interested, see my message in the following thread:
09-18-2024 12:34 PM
So I take it you do not have FTD hardware then? Please provide what model hardware you are running, as this will affect the answers you get. As ASA hardware is EOL or even EOS, the assumption will be that you are running newer hardware.
If you are running FTD and have assigned an IP to FXOS management interface then you can jump to the ASA prompt by entering "connect asa"