Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Who Me Too'd this topic

Firewall Failover without standby address

adiazcastro19
Level 1
Level 1

‎09-29-2014 12:59 PM - edited ‎03-11-2019 09:50 PM


Hello,

We have two ASA5525 in mode failover. Only one them has IP address configuration. For example:

!
interface GigabitEthernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 71.210.56.231 255.255.255.252 
!
interface GigabitEthernet0/1
 description DMZ_Servicios
 nameif DMZ_Servicios
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet0/2
 description DMZ_IPSEC
 nameif DMZ_IPSEC
 security-level 40
 ip address 10.110.61.225 255.255.255.240 
!

ASA# sh running-config | i failover
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/7
failover key *****
failover link failoverlan GigabitEthernet0/7
failover interface ip failoverlan 1.1.1.1 255.255.255.252 standby 1.1.1.2
!

ASA# sh failover 
Failover On 
Failover unit Primary
Failover LAN Interface: failoverlan GigabitEthernet0/7 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 08:10:17 UTC Sep 2 2014
        This host: Primary - Active 
                Active time: 2348911 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface outside (71.210.56.231): Normal (Not-Monitored)
                  Interface DMZ_Servicios (192.168.1.1): Normal (Waiting)
                  Interface DMZ_IPSEC (10.110.61.225): Normal (Waiting)
                  Interface inside (10.115.70.18): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Not-Monitored)
                  Interface DMZ_Servicios (0.0.0.0): Unknown (Waiting)
                  Interface DMZ_IPSEC (0.0.0.0): Unknown (Waiting)
                  Interface inside (0.0.0.0): Normal (Not-Monitored)      
!

If we put the secondary address in the interface, the failover works fine when we put in mode shutdown the interface (IPSEC or Servicio), but with this configuration, the secondary FW only works when the primary FW is down. 
Although we put in mode  monitor the interfaces (Servicios and IPSEC), the secondary FW doesn´t work if we put in mode shutdown the "Ipsec or Servicios" interface.
We want to know if this configuration works fine with Failover, or it is necesary (mandatory) put the secondary address in the interfaces.

Thanks

1 person had this problem
Labels:
0 Helpful
Who Me Too'd this topic