Cisco ASA Active/Standby | No standby IP address on the outside interface

aseemchhab
Level 1

Hi All,

I configured a pair of 5516s in failover. Since I did not have another IP for my internet-facing interface, I did not configure a standby IP on it.

Once I failed over to the secondary ASA, the outside interface did not work. By not working, I mean that it did not accept traffic back. The switch tried to send it to the secondary firewall but it just wouldn't do it.

As soon as I configured a standby IP address, the failover started working as it should.

As far as my knowledge goes, I don't need a standby IP address explicitly. Please correct me if I am wrong.

Also, if a standby IP is needed, then what should I do if I don't have one?

Thanks in advance!

7 Replies

Marvin Rhoads
Hall of Fame

An explicit standby IP is not required. I've implemented Active-Standby ASA pairs many times without it. Normally the only downside is that the primary unit cannot fully monitor the secondary unit's outside interface since it is not externally addressable. (It does check the status via the peer unit's reporting of it though.)

When failover occurs, the newly active unit sends a gratuitous ARP to register its MAC address with the single outside IP address to any upstream devices. I'd look into whether the upstream gateway is seeing that ARP and acting accordingly.

Hi Marvin. Thank you for your response. That's exactly what I thought. I checked the switch and it showed me that it was learning the correct MAC address on the correct port.

To confirm things, I just added a standby IP address and voila! The failover worked perfectly fine after that.

hi,

do you have mac-address auto configured?

I don't have it in the configuration. Also, I am using 9.5(2).

hi,

if you could arrange a downtime, remove the standby IP on the 'outside' interface, add mac-address auto command and test failover again using no failover active.

Thanks for the suggestion. It will be difficult to schedule downtime in the near future, but I will definitely try it whenever I can.

It will be great if you can mention how that command can help in this case...

hi,

see useful link below regarding the use of this command in an ASA failover setup.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/contexts.html#wpxref82233

it would be nice if you can do this in order to save your public IP address.
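For readers following the thread, here is a constructed configuration example (not posted by anyone in the thread and not taken from the linked Cisco document) showing the two approaches discussed: an outside interface with a dedicated standby IP, and the same interface with a single public IP plus an explicit active/standby virtual MAC pair so the upstream device's ARP entry stays valid after a failover. Interface names, the FOLINK failover link, and all addresses (documentation range 203.0.113.0/24, locally administered MACs) are assumptions chosen for illustration.

```cisco
! Constructed example, not from the thread. Addresses and interface names are assumptions.

! --- Option A: dedicated standby IP (what the original poster ended up using) ---
! Both units are addressable, so the active unit can poll the peer's outside interface directly.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11

! --- Option B: single public IP, explicit virtual MAC pair (alternative to Option A) ---
! Whichever chassis is active presents the "active" MAC, so the upstream switch/router
! keeps a valid ARP entry across a failover instead of depending on the burned-in MAC
! of the unit that happens to be active. This is the per-interface single-context form;
! "mac-address auto", as suggested above, generates such pairs automatically.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 mac-address 0200.0000.0001 standby 0200.0000.0002

! Failover pair basics (identical on both units apart from primary/secondary)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet1/7
failover link FOLINK GigabitEthernet1/7
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover

! Verification after forcing a switchover with "no failover active" on the active unit:
! show failover            -> which unit is Active and the per-interface monitoring state
! show interface outside   -> the MAC address the now-active unit is using
```

When testing, compare the MAC reported by `show interface outside` with the entry the upstream switch learned on the firewall's port, as the original poster did; after the switchover the switch should show that same MAC on the port of the newly active unit.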
