Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
372
Views
0
Helpful
3
Replies

Firewall Failover without standby address

Go to solution
adiazcastro19
Level 1
Level 1

‎09-29-2014 12:55 PM - edited ‎03-11-2019 09:50 PM


Hello,

We have two ASA5525 in mode failover. Only one them has IP address configuration. For example:

!
interface GigabitEthernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 71.210.56.231 255.255.255.252 
!
interface GigabitEthernet0/1
 description DMZ_Servicios
 nameif DMZ_Servicios
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet0/2
 description DMZ_IPSEC
 nameif DMZ_IPSEC
 security-level 40
 ip address 10.110.61.225 255.255.255.240 
!

ASA# sh running-config | i failover
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/7
failover key *****
failover link failoverlan GigabitEthernet0/7
failover interface ip failoverlan 1.1.1.1 255.255.255.252 standby 1.1.1.2
!

ASA# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: failoverlan GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 08:10:17 UTC Sep 2 2014
        This host: Primary - Active 
                Active time: 2348911 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface outside (71.210.56.231): Normal (Not-Monitored)
                  Interface DMZ_Servicios (192.168.1.1): Normal (Waiting)
                  Interface DMZ_IPSEC (10.110.61.225): Normal (Waiting)
                  Interface inside (10.115.70.18): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Not-Monitored)
                  Interface DMZ_Servicios (0.0.0.0): Unknown (Waiting)
                  Interface DMZ_IPSEC (0.0.0.0): Unknown (Waiting)
                  Interface inside (0.0.0.0): Normal (Not-Monitored)      
!

If we put the secondary address in the interface, the failover works fine when we put in mode shutdown the interface (IPSEC or Servicio), but with this configuration, the secondary FW only works when the primary FW is down. 
Although we put in mode  monitor the interfaces (Servicios and IPSEC), the secondary FW doesn´t work if we put in mode shutdown the "Ipsec or Servicios" interface.
We want to know if this configuration works fine with Failover, or it is necesary (mandatory) put the secondary address in the interfaces.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to adiazcastro19

‎09-30-2014 11:48 PM

If memory serves me correct, if you do not have the secondary IP address configured that interface configuration will not be synchronized to the standby ASA.  So in the sense that it must be required for the failover pair to be healthy...it is not required.  But if you are setting up a failover pair and you do not want the interfaces to be replicated to the standby then there really is no point in setting up a failover pair.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎09-29-2014 11:36 PM

It is mandatory to put the secondary IP address on the interfaces.  Putting the interface in shutdown to test failover is not the way to do it.  This puts the interface in Administrative shutdown and the ASA is smart enough to realize this is not a failover situation.  What you should do is unplug the cable from the IPsec and/or Servicio ports, then you should be able to see the failover happen.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
adiazcastro19
Level 1
Level 1
In response to Marius Gunnerud

‎09-30-2014 12:53 PM

Hello Marius,

Well, I didn't explain correctly. When I told that I put the interface in mode shutdown. I wanted to say that I put in mode shutdown the interface connected to the switch (not in the firewall). It is the same that unplug the cable, but the failover didn't work.
Then, if you say me that it is mandatory to put the secondary IP address, for me it is sufficient. But I don't find any document in cisco in where explain that it is mandatory.

Thanks

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to adiazcastro19

‎09-30-2014 11:48 PM

If memory serves me correct, if you do not have the secondary IP address configured that interface configuration will not be synchronized to the standby ASA.  So in the sense that it must be required for the failover pair to be healthy...it is not required.  But if you are setting up a failover pair and you do not want the interfaces to be replicated to the standby then there really is no point in setting up a failover pair.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card