This topic is to discuss the following lesson:
Hi
Why do I need to assign a standby IP to the inside and outside interfaces? And will the secondary ASA copy all of the running config from the primary ASA once failover is enabled? I ask because on my secondary ASA I have a different interface configuration due to me having stacked switches.
Hi Aaron,
You can make failover work without the standby IP address, the only issue is that you will be unable to monitor the interface of the second ASA.
The standby ASA will synchronize its configuration with the active ASA and it won’t do anything until your active ASA fails.
Rene
Hi,
When I configure the primary ASA to monitor the inside interface, the secondary ASA says failed.
When I un-monitor the inside interface, it shows as standby state.
Any ideas?
Hi Aaron,
Are there any differences between the two ASAs? Model, interfaces, image?
Rene
Hi,
No, both are the exact same models. The error only comes when I configure the active ASA to monitor the inside and outside interfaces.
As soon as I remove the command, the ASAs assume active/standby roles with no issues.
This host: Primary - Active
Other host: Secondary - Standby Ready - before interface monitoring
This host: Primary - Active
Other host: Secondary - Failed - after interface monitoring
Hi Aaron,
If you post the (relevant) portions of your configuration in a forum topic then I can take a look if you want. Which exact error do you get?
Rene
Rene
The setup is like this:
2 stacked 3850s which are connected to ASAs running active/standby. I have attached 2 inside interfaces via EIGRP and 2 outside interfaces connected by " route outside ****** "
Is there any need for the standby firewall to have physical connections to the switch stack? If so, will they need IPs assigned to them?
Also, when the standby ASA takes over, there are no routes in the routing table?
Also, I have configured the inside interface on the active ASA with the standby IP of the interface which it’s connected to on the switch stack.
failover lan unit primary / secondary
failover lan interface FAILOVER GigabitEthernet 0/6
failover link FAILOVER GigabitEthernet 0/6
failover interface ip FAILOVER 126.x x x 255.255.255.252 standby 126.x x x
failover
monitor-interface inside
ERROR before and after interface monitoring -
This host: Primary – Active
Other host: Secondary – Standby Ready – before interface monitoring
This host: Primary – Active
Other host: Secondary – Failed – after interface monitoring
Thanks Rene, appreciate your time.
Hi Aaron,
The interfaces of both your ASAs should be connected to the same segment. For example, the INSIDE interface of ASA1 and ASA2 has to be in the same VLAN and the same thing applies to the OUTSIDE interface.
You don’t have to configure an IP address on ASA2 but you do have to configure the standby IP address on ASA1:
ASA1#
interface Ethernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
When the standby ASA takes over, it will still have any routes (static and learned).
Rene
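The check described in the reply above, as an added example that is not part of the original post: a small Python audit that flags monitored interfaces on the active unit with no standby IP, or with a standby IP outside the active address's subnet. The sample configuration is constructed, `audit_failover` is a hypothetical helper name, and the script only considers interfaces listed in explicit `monitor-interface` lines.

```python
import ipaddress
import re

# Constructed sample running-config (not from the thread): INSIDE has a
# standby address, OUTSIDE has none, DMZ has one in the wrong subnet.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
interface Ethernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0 standby 192.168.4.253
monitor-interface INSIDE
monitor-interface OUTSIDE
monitor-interface DMZ
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+)(?: standby (\S+))?$")

def audit_failover(config):
    """Return {nameif: problem} for monitored interfaces with a bad standby IP."""
    addrs, monitored, name = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("monitor-interface "):
            monitored.append(line.split()[1])   # "no monitor-interface" is skipped
        elif name and (m := IP_RE.match(line)):
            addrs[name] = m.groups()         # (active, mask, standby or None)
    problems = {}
    for nameif in monitored:
        active, mask, standby = addrs.get(nameif, (None, None, None))
        if active is None:
            problems[nameif] = "no ip address configured"
        elif standby is None:
            problems[nameif] = "no standby IP"
        elif ipaddress.ip_address(standby) not in ipaddress.ip_network(
                f"{active}/{mask}", strict=False):
            problems[nameif] = "standby IP outside active subnet"
    return problems

if __name__ == "__main__":
    for nameif, problem in audit_failover(SAMPLE_CONFIG).items():
        print(f"{nameif}: {problem}")
```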
Really nice explanation!
If ASA1 fails, does ASA2 get the interface IP addresses too, as we do not currently have interface IPs assigned on ASA2? What is the role of the secondary IP assigned on the active ASA?
Thanks!
Hi Mohan,
When ASA1 fails, ASA2 will take over and will use the IP addresses and MAC addresses of the failed unit. Traffic will continue with interruptions.
The standby IP address is used for monitoring and management. Without an IP, how will you access the standby ASA if you want to upgrade its ASA image or something? The standby ASA will also be unable to query the active ASA on the interfaces since it doesn’t have an IP address.
Rene
Hi,
Can you explain active-active failover in multi context?
Thanks
Hi Sims,
I will, I’ll cover this in another lesson.
Rene
Hi Rene,
What will be the gateway IP of R1 & R2? Is there VRRP running on INSIDE/OUTSIDE? A little bit confused.
Hi Mohammad,
With the active/standby failover setup, we don’t use VRRP. R1 and R2 will use the IP addresses that are used on ASA1. When ASA1 fails, ASA2 will take over and will use the MAC/IP addresses of ASA1.
Rene
Hi Rene,
I’d like to know about ASA cluster and inter-context communication. If I have a chance, please let me know about this configuration and technology, because in some environments, cluster is okay.
Hi Rene,
Please explain to us ASA multi context and inter-context communication between two contexts. How do we go from the context 1 network to another context? How many methods can we use for this communication?
Thanks for your kind support.
Regards,
Hi Mark,
Multiple Context for the ASA is a good topic, I’ll add this to my list. Once it’s done, I’ll let you know.
Rene