Unable to Access Standby ASA in Active/Standby Configuration

Mohib01 · ‎02-07-2025

Hi,

I'm currently unable to connect to the standby ASA using ASDM or SSH. I can connect to the active ASA through the outside interface without any issues. However, as part of the ASA upgrade process, I need to access the standby unit via ASDM, but I haven't been able to.

I also noticed that on the standby ASA, all interfaces are showing 0.0.0.0, meaning they are inactive.

Here is my failover status for reference. I would appreciate your help in troubleshooting this.

Thanks in advance for your support.

Rob Ingram · ‎02-07-2025

@Mohib01 please provide the output of "show failover history"

From the active unit can you ping the standby IPs?

Mohib01 · ‎02-10-2025

Yes, from the active ASA, I can ping the standby IP, the IP of the failover link between the two, and here is the result of a show failover history

rschlayer · ‎02-09-2025

To add to the post of rob ingram, did you actually configure the standby IPs?

-

Rick

Aref Alsouqi · ‎02-10-2025

As @rschlayer mentioned, to access the standby device via its data interfaces you would need the standby IP address to be configured. For instance you would have an interface configured similar to this:

interface Gi0/1
nameif INSIDE
security-level 100
ip address 192.168.0.10 255.255.255.0 standby 192.168.0.20

If you don't configure the "standby" keyword then you won't be able to access the standby device on its data interfaces. You can still access it via console.

Configuring the standby IP addresses is not mandatory though, but it's a good practice and it doesn't have to be configured on all interfaces. For instance if you don't want to waste a public IP address by configuring one for the standby device then you can still configure the stnadby IP addresses for all the interfaces but the outside one. In that case you wouldn't be able to access the standby device via its outside interface or even ping it.