
Need for use Standby IP in ASA

mahesh18
Frequent Contributor

Hi all,

When we configure a DHCP pool in the ASA, configure the VLAN and assign it an IP address, why do we use a standby IP? How can the primary address fail if they are on the same interface?

Thanks

Mahesh


10 REPLIES

Julio Carvajal
Advisor

Hello Mahesh,

Not sure what you mean... Standby IPs on the ASA are used for the exchange of hello packets on the failover cluster.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I have an ASA with another ASA in a failover cluster.

I have defined a VLAN there and that VLAN is doing DHCP.

So that VLAN has an IP address, and after the IP address statement it also has a standby IP address.

Need to know why we have a standby IP under that VLAN?

Thanks

Mahesh

Hello Mahesh,

You have it because you are running failover, and in order to monitor an interface you will need to exchange hello packets between the primary IP and the standby IP. So you are basically telling the ASA to send hello packets over this VLAN to this secondary IP.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

So this secondary IP is on the backup FW then?

Does it mean that if the main FW is, say, powered off, then if I SSH to the FW I will still see the same FW hostname?

Also, which VLAN IP will it show under the VLAN then?

If we have 2 FWs in a cluster and I log on to the FW, it shows info of only 1 FW. Is there a way I can get info of the other FW in the cluster?

Or can I log in to the backup FW?

Thanks

Mahesh

So this secondary IP is on the backup FW then?

Yes.

Does it mean that if the main FW is, say, powered off, then if I SSH to the FW I will still see the same FW hostname?

Also, which VLAN IP will it show under the VLAN then?

It will show the same hostname and the same VLAN.

If we have 2 FWs in a cluster and I log on to the FW, it shows info of only 1 FW. Is there a way I can get info of the other FW in the cluster?

Or can I log in to the backup FW?

You can log in to the backup, or you can run commands from the primary unit but get the info from the secondary with the command:

     failover exec standby show run

Remember to rate all of the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

So what's the command to log in to the secondary FW from the primary?

Or can we log in straight to the secondary FW?

Thanks

Mahesh

There is no such command; you need to log in to the secondary IP address (straight login to the secondary FW).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks again for all the replies.

Every day learning more about ASA from this forum.

Regards

Mahesh

Hi Mahesh,

Glad that I could help.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

What's the use of the standby IP on the management interface, as below? I know internal, external and HA interfaces have a standby IP, which is used to monitor the interfaces, receive hello packets and fail over if such interfaces fail. But when do we need a standby IP for the management interface? Can you tell me any use case?

     interface Management0/0
      nameif management
      security-level 100
      ip address 10.198.136.164 255.255.255.224 standby 10.198.136.165

Thanks.
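
Added example, not part of the thread and not Cisco code: a small Python audit that reads ASA interface configuration of the form posted above and reports, per interface, whether the `ip address` line carries a `standby` address and whether that address lies in the active address's subnet (an ASA failover requirement). The sample configuration is constructed, with the Management0/0 stanza mirroring the one quoted in the thread; `audit_standby` and the status labels are hypothetical names.

```python
import ipaddress
import re

# Constructed sample. Management0/0 mirrors the stanza posted in the thread;
# the other two interfaces and their addresses are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0 standby 203.0.113.2
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.198.136.164 255.255.255.224 standby 10.198.136.165
"""

IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_standby(config):
    """Hypothetical helper: one finding per statically addressed interface."""
    findings, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            continue
        m = IP_LINE.match(line)
        if not (m and current):
            continue
        active, mask, standby = m.groups()
        try:
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            peer = ipaddress.ip_address(standby) if standby else None
        except ValueError:
            continue  # e.g. "ip address dhcp setroute": nothing static to check
        if peer is None:
            status = "no-standby"      # standby unit gets no address of its own here
        elif peer not in net:
            status = "outside-subnet"  # standby must share the active IP's subnet
        else:
            status = "ok"
        findings.append({"interface": current, "active": active,
                         "standby": standby, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_standby(SAMPLE_CONFIG):
        print(f["interface"], f["active"], f["standby"], f["status"])
```
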
