Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2950
Views
0
Helpful
7
Replies

Cisco ASA Active/Standby | No standby IP address on the outside interface

aseemchhab
Level 1
Level 1

‎05-29-2016 06:08 AM - edited ‎03-12-2019 12:48 AM

Hi All,

I configured a pair of 5516s in failover. Since I did not have another IP for my internet facing interface, I did not confiugre a standby IP on it.

Once I failed over to the secondary ASA, the outside interface did not work. By not working, I mean that it did not accept traffic back. The switch tried to send it to the seconadry firewall but it just wouldn't do it.

As soon as I configured a standby IP address, the failover started working as it should.

As far as my knowledge goes, I don't need a standby IP address explicitly. Please correct me if I am wrong.

Also if a standby IP is needed then what should I do if I don't have one.

Thanks in advance!

Labels:
0 Helpful
7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-29-2016 07:34 AM

An explicit standby IP is not required. I've implemented Active-Standby ASA pairs many times without it. Normally the only downside is that the primary unit cannot fully monitor the secondary unit's outside interface since it is not externally addressable. (It does check the status via the peer unit's reporting of it though.)

When failover occurs, the newly active unit sends a gratuitous ARP to register its MAC address with the single outside IP address to any upstream devices. I'd look into whether the upstream gateway is seeing that ARP and acting accordingly.

0 Helpful

aseemchhab
Level 1
Level 1
In response to Marvin Rhoads

‎05-29-2016 09:18 PM

Hi Marvin. Thank you for your response. That's exactly what I thought. I checked the switch and it showed me that it was learning the correct MAC address on the correct port.

To confirm things, I just added a standby IP address and voila! The failover worked perfectly fine after that.

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to aseemchhab

‎05-30-2016 01:42 AM

hi,

do you have mac-address auto configured?

0 Helpful

aseemchhab
Level 1
Level 1
In response to johnlloyd_13

‎05-30-2016 01:50 AM

I don't have it in the configuration. Also, I am using 9.5(2).

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to aseemchhab

‎05-30-2016 01:55 AM

hi,

if you could arrange a downtime, remove the standby IP on the 'outside' interface, add mac-address auto command and test failover again using no failover active.

0 Helpful

aseemchhab
Level 1
Level 1
In response to johnlloyd_13

‎05-30-2016 01:58 AM

Thanks for the suggestion. It will be difficult to schedule a down time in the near future but I will definitely try it whenever I can.

It will be great if you can mention how that command can help in this case...

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to aseemchhab

‎05-30-2016 02:01 AM

hi,

see useful link below regarding the use of this command in an ASA failover setup.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/contexts.html#wpxref82233

it would be nice if you can do this in order to save your public IP address.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card