Need for use Standby IP in ASA

Hi all,

When we configure a DHCP pool in the ASA, configure the VLAN and assign it an IP address, why do we use a standby IP? How can the primary address fail if they are on the same interface?

Thanks

Mahesh


Hello Mahesh,

Not sure what you mean... Standby IPs on the ASA are used for the exchange of hello packets on the failover cluster.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi,

I have an ASA with another ASA in a failover cluster.

I have defined a VLAN there and that VLAN is doing DHCP.

So that VLAN has an IP address, and after the IP address statement it also has a standby IP address.

I need to know why we have a standby IP under that VLAN.

thanks

mahesh


Hello Mahesh,

You have it because you are running failover, and in order to monitor an interface you will need to exchange hello packets between the primary IP and the standby IP. So you are basically telling the ASA to send hello packets over this VLAN to this secondary IP.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi,

So this secondary IP is on the backup FW then?

Does it mean that if the main FW is, say, powered off, then if I SSH to the FW I will still see the same FW hostname?

Also, which VLAN IP will it show under the VLAN?

If we have 2 FWs in a cluster and I log on to the FW, it shows info of only 1 FW. Is there a way I can get info of the other FW in the cluster,

or can I log in to the backup FW?

Thanks

Mahesh


So this secondary IP is on the backup FW then?

Yes.

Does it mean that if the main FW is, say, powered off, then if I SSH to the FW I will still see the same FW hostname?

Also, which VLAN IP will it show under the VLAN?

It will show the same hostname and the same VLAN.

If we have 2 FWs in a cluster and I log on to the FW, it shows info of only 1 FW. Is there a way I can get info of the other FW in the cluster,

or can I log in to the backup FW?

You can log in to the backup, or you can run commands from the primary unit but get the info from the secondary with the command:

     failover exec standby show run

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi,

So what's the command to log in to the secondary FW from the primary,

or can we log in straight to the secondary FW?

Thanks

Mahesh


There is no such command; you need to log in to the secondary IP address (straight login to the secondary FW).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Hi Julio,

Thanks again for all the replies.

Every day learning more about the ASA from this forum.

Regards

Mahesh


Hi Mahesh,

Glad that I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

What's the use of the standby IP on the management interface, as below? I know internal, external and HA interfaces have a standby IP, which is used to monitor the interfaces, receive hello packets and fail over if such interfaces fail. But when do we need a standby IP for the management interface? Can you tell me any use case?

     interface Management0/0
      nameif management
      security-level 100
      ip address 10.198.136.164 255.255.255.224 standby 10.198.136.165

Thanks.
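
An added example, not part of the thread or of any Cisco tooling: the replies above say the standby IP is the address the hello packets for interface monitoring are exchanged with, and that logging in to the secondary unit means connecting to its own IP. The Python sketch below audits an ASA configuration for named interfaces whose ip address line lacks a usable standby address; the function name audit_standby, the finding strings and the inside/dmz stanzas are constructed for illustration, and the same-subnet check is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample config: the management stanza is the one posted in the
# thread; the "inside" and "dmz" stanzas are made up to show the failing cases.
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 ip address 10.198.136.164 255.255.255.224 standby 10.198.136.165
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 ip address 198.51.100.1 255.255.255.0 standby 198.51.101.2
"""

# Only static dotted-quad addressing is matched; "ip address dhcp" is skipped.
IP_LINE = re.compile(r"^ip address ([\d.]+) ([\d.]+)(?: standby ([\d.]+))?$")

def audit_standby(config: str) -> dict:
    """Map each named interface to a finding: 'ok', 'no standby address',
    'standby equals primary' or 'standby outside primary subnet'."""
    findings, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            nameif = None  # new stanza, its nameif has not been seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := IP_LINE.match(line)):
            primary, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{primary}/{mask}", strict=False)
            if standby is None:
                findings[nameif] = "no standby address"
            elif standby == primary:
                findings[nameif] = "standby equals primary"
            elif ipaddress.ip_address(standby) not in net:
                findings[nameif] = "standby outside primary subnet"
            else:
                findings[nameif] = "ok"
    return findings

if __name__ == "__main__":
    for name, finding in audit_standby(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

The input can be a saved copy of the running configuration from either unit, for example the output of the failover exec standby show run command mentioned earlier in the thread.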
