cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
982
Views
0
Helpful
6
Replies

Failover, questions about outside interface.

davcommunay
Level 1
Level 1

Hello,

I have to configure a basic Active/Standby failover on CISCO ASA 5510.

Below is a quick description:

Ex:

ASA1 -- outside -- 11.11.11.1

ASA1 -- DMZ -- 172.16.0.1

ASA1 -- inside -- 192.168.1.1

ASA1 -- FAILOVERLINK -- 10.0.0.1

ASA2 -- outside -- 11.11.11.2

ASA2 -- DMZ -- 172.16.0.2

ASA2 -- inside -- 192.168.1.2

ASA2 -- FAILOVERLINK -- 10.0.0.2

I have several questions from there:

- Why is it required to configure IP addresses on the ASA2 (except for the FAILOVERLINK) ?

I mean, anyway if the Standby go in "active mode" he will take the "Active" (ASA1) network configuration. (so the ASA2{outside,dmz,inside} config will never be used ?)

- If it is required, will they be used by something ?

It could be a problem especially for the outside interface which is linked directly to the Internet provider...

I mean, supposing that the Internet provider only provide 1 external address, how should i configure the ASA2--outside interface ?

Thank you for your answers.

Regards,

David

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Its true that in an ASA Failover pair only the Primary IP address is used for connections going through the ASA.

I would suspect though that the secondary/standby IP address is needed for the interface health monitoring. Both of the units send Hello -messages on all interfaces participating in the Failover (depends on configurations and interface types)

With your IP address for example Primary Unit sends Hello -messages with "inside" IP addres of 192.168.1.1 to Secondary Units IP address 192.168.1.2.

By default I think all physical interfaces are members Failover monitoring but if you configure trunk interfaces you will have to include those sub interfaces in the failover with the command "monitor-interface "

To your second question I ain't so sure. To my understanding you are not "forced" to configure a standby IP address to the secondary unit. Personally I have never been in a situation where I havent had enough IP addresses for the Secondary unit also.

- Jouni

Hi,

Thank you for this response.

I really can't find any doc exposing this kind of issue. (only 1 IP address possible for outside connections)

So i hope maybe someone else have a solution for that...

Regarding the FAILOVERLINK can you confirm it is possible to plug a RJ45 directly from ASA1(FAILOVERLINK) to ASA2(FAILOVERLINK) without using any switch ? (i don't see why it couldn't work but i prefer asking before ?

Thank you

Hi,

You can use a Ethernet cable to connect the ASAs directly.

This is pretty common when the ASAs are located in the same physical location.

I've also seen people use switches in between and sometimes this has also been done on the same physical link where the customer data interfaces are.

I prefer keeping Failover link totally separate from rest of the network if possible.

Regarding the Outside IP address issue I suggest you wait for an answer from someone else to confirm this. As  I said, I have always had a /29 network to use in Failover pairs outside and have never even thought about the situation you mentioned

- Jouni

Hi Jouni,

thank you very much!

Thi slink describe the same issue that i have:

http://www.gossamer-threads.com/lists/cisco/nsp/123908

It seems that the:

"no monitor-interface outside" command will permit me to avoid setting an IP address for outside interface on ASA2.

The main risk seems to be that if my ASA1--outside interface burns for any obscur reason the second firewall will not get active... Am i correct ?

David

You are correct that if you do not configure an IP address for the outside interface of the second ASA that the ASAs will not be able to monitor the status of the outside interface. So if there were to be some problem with the outside interface of ASA 1 then there would not be a failover to ASA 2. If you are willing to take that risk then you do not need an IP for the second outside interface.

I have implemented failover on 5510 with just a cable between interfaces (no switch) and it works.

HTH

Rick

HTH

Rick

Marvin Rhoads
Hall of Fame
Hall of Fame

I don't like "no monitor" on the outside interface. If I fail over to a device I want to know for certain that it's ready and able to take traffic. If the outside interface is not responding for whatever reason, that's cause for concern and needs to be remedied.

Another advantage of having an IP address on the standby unit's interfaces (inside and outside and other) is to be able to log into it directly. You seldom have to but when you do, it nice to be able to without trekking to the data center and consoling in. (Unless of course your DC has console servers for all your devices - in which case, good for you! unless... the console server itself is on the inside network, unreachability of which being the cause for you wanting to log into the ASA from the outside....)

And, yes, a straight RJ-45 ASA-ASA is fine for the failover link. The interfaces are MDI-X so no worries about crossover cable etc.

Review Cisco Networking for a $25 gift card