Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1565
Views
0
Helpful
2
Replies

secondary ip question for ASA failover

Go to solution
jkay18041
Level 3
Level 3

‎08-20-2019 04:57 PM

I'm setting up 2 ASA's in failover mode (active and passive) 

 

g0/0 is my wan (public IP)

g0/1 is my lan (local IP)

g0/5 is the lan failover (local IP)

 

Do I need a secondary IP on all of those interfaces or just on the lan failover?

 

Also for the state failover when I choose the interface the box to type the IP is still greyed out. Does it not need an IP? Do most people just make g0/5 a sub interface and do the lan failover on g0/5.1 and the state failover on g0/5.2?

 

Thank you for the help and advice

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-20-2019 11:09 PM - edited ‎08-20-2019 11:48 PM

Hello jkay18041,

>> Do I need a secondary IP on all of those interfaces or just on the lan failover?

the two ASA in failover mode requires two IP addresses for each interface. This means you cannot use /30 IP subnets you need at least /29 subnets on each segment.

 

The configuration is performed on the Active ASA using commands like

interface  "LAN"

ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2 255.255.255.0

 

for each interface.

 

Edit:

for the state failover I would expect it to use a different interface dedicated to this purpose because it can use a lot of traffic because state failover means synchronization of session data between active and standby ( current flows, current NAT entries) to make the standby able to be operational as soon as possible in case of switchover.

The failover cable should be used only to keep in sync the configuration. This requires far less traffic as only config changes are sent over it and it is used as an heartbeat to know if the other unit is alive.

 

What ASA model are you using and what SW version ? I guess you are using ASDM GUI to configure it.

 

Edit 2:

I have seen in another thread that you have opened that you have ASA 5515 with 9.12 SW and ASDM 7.12

 

see the following chapter from configuration guide about failover config on the CLI

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/ha-failover.html#ID-2107-00000060

 

and the corresponding chapter for ASDM 7.12

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/general/asdm-712-general-config/ha-failover.html

 

I would recommend to use a dedicated link for stateful failover. Connect the two units directly as traffic is sent in clear text over the failover and stateful failover cables.

 

Hope to help

Giuseppe

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-20-2019 11:09 PM - edited ‎08-20-2019 11:48 PM

Hello jkay18041,

>> Do I need a secondary IP on all of those interfaces or just on the lan failover?

the two ASA in failover mode requires two IP addresses for each interface. This means you cannot use /30 IP subnets you need at least /29 subnets on each segment.

 

The configuration is performed on the Active ASA using commands like

interface  "LAN"

ip address 172.16.20.1 255.255.255.0 standby 172.16.20.2 255.255.255.0

 

for each interface.

 

Edit:

for the state failover I would expect it to use a different interface dedicated to this purpose because it can use a lot of traffic because state failover means synchronization of session data between active and standby ( current flows, current NAT entries) to make the standby able to be operational as soon as possible in case of switchover.

The failover cable should be used only to keep in sync the configuration. This requires far less traffic as only config changes are sent over it and it is used as an heartbeat to know if the other unit is alive.

 

What ASA model are you using and what SW version ? I guess you are using ASDM GUI to configure it.

 

Edit 2:

I have seen in another thread that you have opened that you have ASA 5515 with 9.12 SW and ASDM 7.12

 

see the following chapter from configuration guide about failover config on the CLI

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/ha-failover.html#ID-2107-00000060

 

and the corresponding chapter for ASDM 7.12

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/general/asdm-712-general-config/ha-failover.html

 

I would recommend to use a dedicated link for stateful failover. Connect the two units directly as traffic is sent in clear text over the failover and stateful failover cables.

 

Hope to help

Giuseppe

 

0 Helpful

Go to solution
jkay18041
Level 3
Level 3
In response to Giuseppe Larosa

‎08-21-2019 07:04 AM

I've got this setup and the internet failover works, however I'm having issues getting the vpn failover to work. Are there any secrets to get the vpn site to site connections to failover easily?

 

Thank you for your help

0 Helpful
Customers Also Viewed These Support Documents