ASA failover/state link down and no standby IP addresses

Uwe Siegrist
Level 1

Assume you have an FTD/ASA HA pair with a combined failover/state link and no standby IP addresses configured on any interface.

What happens when the failover link goes down?

I think the active/standby roles remain on each device.

But what happens when the active device gets an interface error (or something else which would cause a failover)? Is the standby device able to become active (with no standby IP and so with limited health check capabilities)?

So what is the practical impact of having no standby IP addresses? What would be a worst case scenario?

4 Replies

Assume you have an FTD/ASA HA pair with a combined failover/state link and no standby IP addresses configured on any interface.

What happens when the failover link goes down?

Depends: if the failover link does not have an IP address and the other interfaces are configured with active and standby IP addresses, then the ASA will work as normal and will be active and the other peer will be standby, also if the other interfaces are in monitor mode (by default the ASA puts the interface in monitor mode, apart from sub-interfaces, which you have to specify in the config to monitor the sub-interface).

But what happens when the active device gets an interface error (or something else which would cause a failover)? Is the standby device able to become active (with no standby IP and so with limited health check capabilities)?

The answer to this question is already given in answer 1.

So what is the practical impact of having no standby IP addresses? What would be a worst case scenario?

Consider you have 2xASA and no standby IP on the other box. When for instance both firewalls have a power outage and the active ASA never comes online, then an issue can arise, as the standby is still waiting for the ACTIVE to come up, since the switch will have the MAC address of the active firewall and does not know about the standby ASA unless you do clear arp on the switch to learn the new MAC address.

Please do not forget to rate.

Hi Radio_City,

@Sheraz.Salim wrote:
depends if failover does not have ip address and other interfaces are configured in active and standby ip address then asa will work as normal and will be active and other pair will be as standby also if other interfaces are in monitor mode (by default ASA puts the interface as monitor, apart from sub-interfaces you have to specify them in config to monitor the sub interface).

Sorry, but I can't follow you.

What do you mean by "if failover does not have ip address and other interfaces are configured in active and standby ip address"?

To be clear, I'm talking of one HA pair.

I meant the failover link has IP addresses (of course, it's mandatory) and the data interfaces don't have standby IPs. So the only way for the active and standby peer to communicate with each other is over the failover link. So what happens when this link goes down? How can the standby ASA be sure to change to active?

@Sheraz.Salim wrote:
consider you have 2xASA and no standby ip on the other box. when for instance both firewalls have a power outage and the active asa never comes online, then an issue can arise, as the standby is still waiting for the ACTIVE to come up, since the switch will have the mac address of the active firewall and does not know about the standby ASA unless you do clear arp on the switch to learn the new mac address.

What you are talking about here is virtual MAC addresses, which are recommended for exactly that reason.

"I meant the failover link has IP addresses (of course, it's mandatory) and the data interfaces don't have standby IPs. So the only way for active and standby peer to communicate to each other is over failover link. So what happens when this link goes down? How can the standby ASA be sure to change to active?"

- Most likely yes (to my knowledge, if the primary goes down the secondary should go to active mode and pass traffic). Here the secondary IP addresses are not available. I will update the answer once I have done this testing and see what happens.

"consider you have 2xASA and no standby ip on the other box. when for instance both firewall have power outage and active asa never come on line. then issue can arise. as standby still waiting for the ACTIVE to come as the switch will have a mac address of active firewall. and does not know about the standby ASA unless you do clear arp on the switch to learn the new mac address."

- This means when the primary is active, interfaces like e1/e2 have IP addresses but no secondary IP address. These interfaces have a MAC address. When a packet reaches the outbound next hop from this firewall, it is stored in the ARP/MAC tables on that device with the IP address associated with the MAC address. In the same way the secondary firewall also has e1/e2 interfaces with the primary IP address but a different MAC address. When the active is down and the secondary is trying to send a packet to the outbound next hop with the same IP address and a different MAC address, the next-hop device won't accept it until you refresh the ARP entry for that IP address.

Hope you got this.

Please rate comments and support.
With regards,
Venkat
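The two points the thread keeps circling back to (standby IPs on the data interfaces so the peers can health-check each other, and virtual MACs so the next hop's ARP entry stays valid across a failover) in ASA CLI form. This is an added example, not configuration from any poster; the interface names, unit role, IP addresses and MAC values are assumed placeholders.

```text
! --- weak form: active IP only, no standby IP, no virtual MAC ---
! The standby unit cannot probe this interface on the peer, and if it
! becomes active it answers for 192.0.2.1 with its own burned-in MAC,
! so the upstream switch/router keeps a stale ARP entry until it ages out.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0

! --- corrected form: standby IP plus virtual MAC per data interface ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2

! Combined failover/state link (the setup the question assumes).
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2

! Virtual MACs: the active unit always uses the first MAC, the standby the
! second, whichever physical unit holds the role, so the next hop's ARP
! entry for 192.0.2.1 stays correct after a failover or a cold start of the
! secondary alone. Values are constructed placeholders.
failover mac address GigabitEthernet0/0 0200.5e00.0001 0200.5e00.0002

! Keep interface health monitoring on for the data interface.
monitor-interface outside

! Enable failover last, once both units carry matching configuration.
failover
```

With the standby address present, `show failover` on either unit lists the outside interface as Monitored with both addresses, which is the health check the standby loses when only the failover link carries peer traffic.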

mkazam001
Level 3

The best way to learn this is to lab it up and see how different configs affect the HA/failover.

That's how I started anyway :)

Regards, mk
