This topic is to discuss the following lesson:
Why do I need to assign a standby IP to the inside and outside interfaces? And will the secondary ASA copy all of the running config from the primary ASA once failover is enabled? On my secondary ASA I have a different interface configuration due to me having stacked switches.
You can make failover work without the standby IP address; the only issue is that you will be unable to monitor the interface of the second ASA.
The standby ASA will synchronize its configuration with the active ASA and it won’t do anything until your active ASA fails.
When I configure the primary ASA to monitor the inside interface, the secondary ASA says failed.
When I unmonitor the inside interface, it shows as standby state.
Any ideas?
Are there any differences between the two ASAs? Model, interfaces, image?
No, both are the exact same model. The error only comes when I configure the active ASA to monitor the inside and outside interfaces.
As soon as I remove the command, the ASAs assume active/standby roles with no issues.
This host: Primary - Active
Other host: Secondary - Standby Ready - before interface monitoring
This host: Primary - Active
Other host: Secondary - Failed - after interface monitoring
If you post the (relevant) portions of your configuration in a forum topic then I can take a look if you want. Which exact error do you get?
The setup is like this:
2 stacked 3850s which are connected to ASAs running active/standby. I have attached 2 inside interfaces via EIGRP and 2 outside interfaces connected by " route outside ****** "
Is there any need for the standby firewall to have physical connections to the switch stack? If so, will they need IPs assigned to them?
Also, when the standby ASA takes over, there are no routes in the routing table?
Also, I have configured the inside interface on the active ASA with the standby IP of the interface which it's connected to on the switch stack.
failover lan unit primary / secondary
failover lan interface GigabitEthernet 0/6
failover link FAILOVER GigabitEthernet 0/6
failover interface ip FAILOVER 126.x x x 255.255.255.252 standby 126.x x x
failover monitor interface inside
ERROR before and after interface monitoring -
This host: Primary – Active
Other host: Secondary – Standby Ready – before interface monitoring
This host: Primary – Active
Other host: Secondary – Failed – after interface monitoring
Thanks Rene, appreciate your time.
The interfaces of both your ASAs should be connected to the same segment. For example, the INSIDE interface of ASA1 and ASA2 has to be in the same VLAN and the same thing applies to the OUTSIDE interface.
You don’t have to configure an IP address on ASA2 but you do have to configure the standby IP address on ASA1:
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
When the standby ASA takes over, it will still have any routes (static and learned).
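An added example, not part of the original thread or lesson: a small Python audit that reads ASA interface configuration and flags named interfaces whose `ip address` line has no `standby` address, or whose standby address is not in the active address's subnet. The sample configuration and its addresses are constructed for illustration, and treating an off-subnet standby address as an error is an assumption based on the "same segment" requirement described above.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); addresses are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0 standby 172.16.2.2
!
"""

# Matches " ip address <active> <mask> [standby <standby>]"
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?\s*$")

def audit_standby_ips(config):
    """Return {nameif: problem} for interfaces with a missing or off-subnet standby IP."""
    problems = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block; name not seen yet
        elif line.strip().startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := IP_RE.match(line)):
            active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if standby is None:
                problems[nameif] = "no standby IP"
            elif standby == active:
                problems[nameif] = "standby IP equals active IP"
            elif ipaddress.ip_address(standby) not in net:
                problems[nameif] = f"standby {standby} outside {net}"
    return problems

if __name__ == "__main__":
    for name, problem in audit_standby_ips(SAMPLE_CONFIG).items():
        print(f"{name}: {problem}")
```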
Really nice explanation!
If ASA1 fails, does ASA2 get the interface IP addresses too, as we do not have interface IPs assigned currently on ASA2? What is the role of the secondary IP assigned on the active ASA?
When ASA1 fails, ASA2 will take over and will use the IP addresses and MAC addresses of the failed unit. Traffic will continue with interruptions.
The standby IP address is used for monitoring and management. Without an IP, how will you access the standby ASA if you want to upgrade its ASA image or something? The standby ASA will also be unable to query the active ASA on the interfaces since it doesn’t have an IP address.
Can you explain active-active failover in multi context?
I will, I’ll cover this in another lesson.
What will be the gateway IP of R1 & R2? Is there VRRP running to INSIDE/OUTSIDE? Little bit confused.
With the active/standby failover setup, we don’t use VRRP. R1 and R2 will use the IP addresses that are used on ASA1. When ASA1 fails, ASA2 will take over and will use the MAC/IP addresses of ASA1.
I’d like to know about ASA cluster and inter-context communication. If I have a chance, please let me know about this configuration and technology, because in some environments, cluster is okay.
Please explain ASA multi-context and intercommunication between two contexts. How do we go from the context 1 network to another context? How many methods can we use for this communication?
Thanks for your kind support.
Multiple Context for the ASA is a good topic, I’ll add this to my list. Once it’s done, I’ll let you know.