Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
229
Views
2
Helpful
3
Replies

ASA / Firepower - Active / Standby - IP addresses ?

Go to solution
Stephen Carter
Level 1
Level 1

‎02-19-2025 02:49 AM

Hi,

Solved: ASA Active/Standby - ip address - Cisco Community

With reference to the above question, I know that an ASA/Firepower (FP) can, in an active/standby set up, have two IP addresses configured for Management -

interface Management1/1
management-only
nameif management
security-level 100
ip address 111.211.111.1 255.255.255.240 standby 111.211.111.2

as this is what I have at present on both an ASA and FW pair of devices, so this enables you to 'look at' both devices at the same time.

 

Question is 'If a standby IP address is configured on the 'Outside' interface - will this allow the standby device to receive NTP and Smart licence updates ?'

As at present my system only has a 'public ip' on the active device, so when checked we see this, active to the left, standby to the right - 

StephenCarter_1-1739961690096.png

Or in an Active / Standby set up you can only have one 'live' public IP address ? here's an example of my config - 

interface Ethernet1/1
nameif internet
security-level 0
ip address 222.222.222.1 255.255.255.248

so could I do -

interface Ethernet1/1
nameif internet
security-level 0
ip address 222.222.222.1 255.255.255.248 standby 222.222.222.2

which would then allow both devices to be 'live' to the internet.

Advice gratefully received.

Stephen

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-19-2025 03:06 AM

Hello @Stephen Carter ,

do you have ASA or FTD ?

for ASA running ASA code the standby unit can be reached if you have the routable address for the standby unit

For ASA like 5525X with Firepower module and not managed by FMC you can be able to receive on standby outside it you have a public IP address for it.

For FTD devices I'm not sure but it is possible to make their management interfaces to route via the inside and so both units are able to reach smart license portal

Hope to help

Giuseppe

 

View solution in original post

3 Replies 3

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-19-2025 03:06 AM

Hello @Stephen Carter ,

do you have ASA or FTD ?

for ASA running ASA code the standby unit can be reached if you have the routable address for the standby unit

For ASA like 5525X with Firepower module and not managed by FMC you can be able to receive on standby outside it you have a public IP address for it.

For FTD devices I'm not sure but it is possible to make their management interfaces to route via the inside and so both units are able to reach smart license portal

Hope to help

Giuseppe

 

Go to solution
Stephen Carter
Level 1
Level 1
In response to Giuseppe Larosa

‎02-19-2025 03:12 AM

Hi @Giuseppe Larosa 

So, yes, we have 2 pairs of ASA (5515's) - so they will be running normal ASA s/w.

and 2 pairs of Firepowers (1120's) running ASA s/w.

So in answer to your post - it's appearing that when adding a standby IP address, if there is routing the device will be able to be contacted and thus NTP and other updates would be passed to / from the devices.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Stephen Carter

‎02-19-2025 06:48 AM

Hello @Stephen Carter ,

the two ASA 5515 yes they can take advantage of the standby ip address

two pair  of FTD running ASA SW I have no direct experience of this.

in my case I use FTDs with FDM with FTD software.

Hope to help

Giuseppe

 

Customers Also Viewed These Support Documents