HA Pair question

seth.doyen · ‎10-31-2023

Hey everyone!

I have a weird situation going on with my failover and I just wanted to make sure the best practice for the HA Pair of a FTD. I have two outside interfaces with the same IP and I think when they have the same IP it broke the HA pair.

Question I have is, Do I need to assign different IP addresses to the outside interface in a HA Pair?

Thanks!

seth.doyen · ‎10-31-2023

I did fail to mention that I do have a failover IP configured however both FTD's are currently using the same IP address

Rob Ingram · ‎10-31-2023

@seth.doyen best practice for an HA failover pair is to assign each interface a unique IP address on both FTDs. You don't have to assign an IP address to interface on both FTDs, but if you do not then you cannot monitor those interfaces.

Marius Gunnerud · ‎10-31-2023

Are we talking that you have two interfaces on the same ASA that have the same IP or the outside interface has the same IP on both the active and standby devices?

--
Please remember to select a correct answer and rate helpful posts

Eric R. Jones · ‎10-31-2023

First let me qualify this with the face we manage our FTD's via FMC.

Our outside, internet facing, interfaces have the same IP going to our perimeter router. Our inside interfaces have the same IP but our management interfaces have different IP's. Our VPN, seperate device, and DMZ connection, seperate device, have the same IP and various other devices, e.g. Syslog, have the same ip on the cooresponding interfaces so when failover occurs they talk to the same devices.