07-10-2013 12:27 AM - edited 03-11-2019 07:10 PM
Hi,
I am new to ASA and like to know that if we can configure the failover on ASA with out standby ip addres.
07-10-2013 04:07 AM
HI Rajeev
i think u must have to configure standby ip. without standby how it's possible. ??
Configuring the failover
failover
failover lan unit primary
failover lan interface FOlink GigabitEthernet0/0
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 500 holdtime 5
failover link FOlink GigabitEthernet0/0
failover interface ip FOlink 1.1.1.5 255.255.255.252 standby 1.1.1.6
07-10-2013 04:20 AM
Hi Hardik is correct (+5)
The Failover interface between the two ASAs must have IP addresses on both sides.
However your other interfaces do not have to have standby IP addresses.
I personally don't think this is a great idea, as IMHO it is important to monitor the standby IP addresses on your second firewall to ensure you won't get any problems if you fail over. However it is a valid configuration.
Where I do tend to to use this is on the Internet facing interface where I don't have a spare public IP address available for the failover unit.
HTH.
Barry Hesk
Intrinsic Network Solutions
07-10-2013 04:32 AM
HI Barry.
1st you have to configure only primary firewall and it will sync autometically with secoundary firewall.
failover link ip 1.1.1.5 for primary and 1.1.1.6 for secounday firewall. it's call heartbeat link.
also you have to configure interface
interface GigabitEthernet0/1
speed 1000
duplex full
nameif Outside
security-level 50
ip address 10.10.10.1 255.255.255.248 standby 10.10.10.2
07-10-2013 04:50 AM
Hi Hardik
Yes, I know.
My comment is that once you have the failover link configured between the two ASAs, and they have performed a sync, you DON'T have to add standby IP addresses to the other interfaces. In your example above, you don't HAVE to assign 10.10.10.2 as a standby address on the outside interface. Failover will work fine without it.
IMHO its a good idea to add standby addresses so you can monitor them, but you don't have to.
Barry Hesk
Intrinsic Network Solutions
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide