07-16-2021 10:20 PM
Hi,
I have the below simple topology. I have only two public IPs from the ISP, one assigned on the CE router interface.
So one remains for the ASA outside interface. In that case, how can I assign a standby IP address like below?
ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
Or can I assign it without a standby IP address, like the one below?
ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0
What are the pros and cons without a standby IP address?
Thanks
07-17-2021 12:11 AM
You don't have to assign a secondary IP address to an interface, you just cannot monitor for failover if you don't.
If you only have 1 IP address free to assign to the ASA's outside interface, then you don't have much choice. Ensure you assign a secondary IP address to the inside interfaces and monitor for failover.
HTH
07-17-2021 03:11 AM
There is no attachment for the topology.
07-17-2021 12:06 PM
In my opinion there really are no "pros" to not having a standby IP. As already mentioned, you will not be able to monitor the interface for a failover situation. Also, you will not be able to access the secondary ASA through the interface without the standby IP. Of course, it is not a best practice to have management access to the device on the outside interface, but there might be situations where this could be required.
An advantage of having the standby IP is that if the failover link fails, the ASA will be able to send hello packets out the data interfaces to verify whether the active ASA has actually failed or if it is just the failover link that is down.
07-18-2021 01:22 AM
Hi,
An advantage of having the standby IP is that if the failover link fails, the ASA will be able to send hello packets out the data interfaces to verify whether the active ASA has actually failed or if it is just the failover link that is down.
What is the benefit of the above? I mean the situation when the ASA understands that only the failover link failed.
Second question: in an active/standby HA scenario, if I want to change configuration (1) to (2), can I change it straight away?
(1)
ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0
(2)
ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.1 255.255.255.0 standby 5.5.5.2
Thanks
07-19-2021 11:43 AM
What is the benefit of the above? I mean the situation when the ASA understands that only the failover link failed.
If the failover link fails but the standby ASA has no way to check whether this is a link failure or the primary ASA is actually down, you will have a split-brain situation where both ASAs become active, and this will cause other connectivity issues.
Second question: in an active/standby HA scenario, if I want to change configuration (1) to (2), can I change it straight away?
You can change it straight away, but I would not recommend doing it the way you suggested. Or at least, it would depend on how the setup towards your ISP is, i.e. which IP they are using. If 5.5.5.1 is free, I would suggest setting that as the standby IP, as this will not cause any outage. Changing the primary IP might cause an outage.
ASA1(config)# interface gi0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 5.5.5.2 255.255.255.0 standby 5.5.5.1
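As an added illustration of the point made in this thread (not code from the thread or from Cisco), the script below audits an ASA running-config excerpt and flags named interfaces that carry an IP address but no standby address, which is exactly the condition that leaves an interface unmonitored for failover. The config text is a constructed sample; the interface names and addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (assumed, not from the thread's device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 5.5.5.2 255.255.255.0
!
monitor-interface INSIDE
monitor-interface OUTSIDE
"""

# Matches "ip address <addr> <mask>" with an optional trailing "standby <addr>".
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {nameif: {"ip", "mask", "standby"}} for every interface that has a nameif."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"ip": None, "mask": None, "standby": None}
        elif current is not None and line.strip().startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif current is not None:
            m = IP_RE.match(line)
            if m:
                current["ip"], current["mask"], current["standby"] = m.groups()
        if line.strip() == "!":          # end of the interface stanza
            current = None
    return interfaces

def monitored_interfaces(config: str) -> List[str]:
    """Names listed in monitor-interface lines."""
    return [l.split()[1] for l in config.splitlines() if l.startswith("monitor-interface ")]

def audit(config: str) -> List[str]:
    """One finding per named interface that has an IP but no standby IP; such an
    interface cannot be monitored for failover, as the replies above point out."""
    monitored = set(monitored_interfaces(config))
    findings = []
    for name, info in parse_interfaces(config).items():
        if info["ip"] and not info["standby"]:
            note = " (listed in monitor-interface, but has no standby IP to monitor with)" if name in monitored else ""
            findings.append(f"{name}: {info['ip']} has no standby IP{note}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only OUTSIDE, which mirrors the single-free-IP situation described in the question.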