Solved: standby ip addresses? are they necessary on all monitored interfaces for failover

bernard macharia · ‎05-24-2013

Hi all,

I need clarification on an interesting issue that I have observed while configuring an Active/Standby setup for using 2 x cisco 5525x with version 8.6;

Here's the setup, we have 4 subnets that we need to keep separate. I have connected each of the ASAs to the different subnets. However, only 1 subnet has standby ip address configured while all the other subnets only have an active address on the active firewall. As this is a failover scenario, I have 2 interfaces for both LAN and stateful failover.

I have just tested the failover on 2 of the subnets without any standby ip address and to my surprise all seems to be working as expected. Just need clarification on why we need standby addresses on the monitored interfaces when clearly the setup can work without any configured. Are there any implications with proceeding without the standby ip addresses?

Thanks

Karsten Iwen · ‎05-24-2013

Especially in your setup there can be happening much that can't be recognized by the ASA without a proper failover setup. That could be a mafunctioning port in your infrastructure for example.

But lets aproach it the other way round: What benefit do you see in setting it up in a non-standard way? Or what kind of problems do you expect? Typically the standby IP is only not configured if there is no IP available for example on the outside-interface.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎05-24-2013

How did you test failover? Just with unplugging the interfaces? That can be easily recognized without the standby IPs. But if you have an indirect problem (e.g. ASA1 connected to switch1, ASA2 connected to switch2 and the link between the switches fail), then the ASAs need their "hello-protocol" and testing on the interfaces which can only be used if you configured the primary and the standby IP.

You find more info on that in the config-guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html#wp1079010

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

bernard macharia · ‎05-24-2013

thanks for the reply, I've looked into the attached configuration guide; However, in this setup I have each ASA connecting to a different switch on the core switch fabric and additionally, I have used cross-cable connections for both the LAN failover and the State failover link. For the ASAs to lose communication to each other would involve taking down the 3 links? right - 2 of which have no device that can be affected by power?

Thanks

Karsten Iwen · ‎05-24-2013

Especially in your setup there can be happening much that can't be recognized by the ASA without a proper failover setup. That could be a mafunctioning port in your infrastructure for example.

But lets aproach it the other way round: What benefit do you see in setting it up in a non-standard way? Or what kind of problems do you expect? Typically the standby IP is only not configured if there is no IP available for example on the outside-interface.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

bernard macharia · ‎08-02-2013

Thanks for the replies Karsten.

I agree when you phrase it that way - there's no benefit in setting it up in a non-standard way - ultimately it's the recommended best practise; only issue is that the client didnt want to allocate an ip address if there was no need to. I appreciate the help in explaining the implications and will try to get this done as expected.

Cheers