[c-nsp] ASA Failover without setting a Standby IP on an Interface

Tom Lusty TLusty at csnstores.com
Tue Jan 19 13:04:18 EST 2010


Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy.  So I wanted to know what the possible ramifications are for not setting a standby IP for an interface.  My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active, and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary.  Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that, since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine.  And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation.  Is there another case that I'm missing?

For clarification, the ASAs are connected with a dedicated crossover cable for failover and state information replication.  So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound?  Did I miss anything?
Thanks!
-Tom Lusty
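Illustrative configuration for the setup described in the message above, added here as an example; it is not from the original post and not Cisco's own text.  Interface names, addresses, the failover key and the MAC addresses are all assumed.  It shows an ASA 8.2 Active/Standby pair with a dedicated failover/stateful link, the outside interface carrying only an active address (no "standby" keyword, as the poster intends), the inside interface with a normal standby address, and the virtual MACs for outside pinned with "failover mac address" so the outside MAC no longer depends on which unit happened to boot first.  One caveat a practitioner would want alongside this: Cisco's ASA configuration guide notes that when an interface has no standby IP address, the active unit cannot run the network-based interface health tests for that interface and only tracks its link state, and the standby unit cannot be reached on that interface at all.

```text
! Added example, not from the original post.  All names, addresses,
! the key and the MAC addresses below are illustrative.
!
! --- Primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! stateful replication over the same crossover link
failover link FOLINK GigabitEthernet0/3
failover key ExampleSharedKey
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
! the single public IP: no standby address on this interface
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Fix the active/standby MAC for outside so it does not change if the
! secondary boots first and becomes active.
failover mac address GigabitEthernet0/0 0000.5e00.0101 0000.5e00.0102
!
failover
!
! --- Secondary unit (bootstrap only; the rest is replicated from the primary) ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover key ExampleSharedKey
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

Once both units are up, "show failover" on each unit confirms the unit roles, the state of the failover link and the per-interface monitoring state; with the outside interface configured as above, expect it to be monitored by link state only, while inside is monitored with the normal network tests.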


