Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1732
Views
0
Helpful
5
Replies

interface level asa failover

Go to solution
vishal77
Level 1
Level 1

‎02-18-2020 02:50 AM - edited ‎02-21-2020 09:55 AM

Hello All,

 

Need to know is it mandatory to have an secondary ip addresss to an interface whose need to monitor in Active-Standby Asa failover.

 

Attaching my failover and interface configuration for your reference.

 

Device - Asa 5555-x

 

Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 516 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.8(2), Mate 9.8(2)
Serial Number: Ours xxxxxxxxxx, Mate Unknown.

 

interface GigabitEthernet0/3

 no nameif

 no security-level

 no ip address

!

interface GigabitEthernet0/3.1

 vlan 2

 nameif user1

 security-level 100

 ip address 192.168.1.1 255.255.255.128

 policy-route route-map PBR_NEW

!

interface GigabitEthernet0/3.2

 vlan 3

 nameif user2

 security-level 100

 ip address 192.168.1.129 255.255.255.128

!

interface GigabitEthernet0/3.3

 vlan 1

 nameif user3

 security-level 100

 ip address 172.31.1.1 255.255.254.0

 

Please help

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎02-18-2020 03:09 PM

It is not mandatory to have a secondary IP address on the interface.  If you do not have a secondary IP address on the interface the secondary ASA is not able to monitor the health of the primary ASA over that interface and therefore can only rely on the failover link for the primary ASA health.  This means that if there is an issue with the cable on the primary ASA interface no failover will occur as the secondary ASA sees the primary ASA as up over the failover link.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marius Gunnerud
VIP
VIP

‎02-18-2020 03:09 PM

It is not mandatory to have a secondary IP address on the interface.  If you do not have a secondary IP address on the interface the secondary ASA is not able to monitor the health of the primary ASA over that interface and therefore can only rely on the failover link for the primary ASA health.  This means that if there is an issue with the cable on the primary ASA interface no failover will occur as the secondary ASA sees the primary ASA as up over the failover link.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
vishal77
Level 1
Level 1
In response to Marius Gunnerud

‎02-25-2020 11:56 PM

Thanks for your help

0 Helpful

Go to solution
vishal77
Level 1
Level 1
In response to Marius Gunnerud

‎02-26-2020 06:25 AM

Hello Marius,

 

If I add secondary IP address to my interface (which was not previously) for my secondary ASA able to monitor the health of the primary ASA over that interface.

Then would I need downtime for same  as I need to do configuration changes  on Active Asa or else it would no impact ?

 

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to vishal77

‎02-26-2020 07:18 AM

There is no impact when adding the secondary IP address.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
vishal77
Level 1
Level 1
In response to Marius Gunnerud

‎02-26-2020 07:49 PM

Thanks Marius
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card