[c-nsp] ASA Failover without setting a Standby IP on an Interface

Jason Shearer jshearer at amedisys.com
Tue Jan 19 14:21:15 EST 2010


Correct.  Just for management.

Jason


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tom Lusty
Sent: Tuesday, January 19, 2010 12:04 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA Failover without setting a Standby IP on an Interface

Hey Everyone,

We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy.  So I wanted to know what the possible ramifications are for not setting a standby IP for an interface.  My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active and it's only the MAC address that will change if the secondary ASA happens to boot and become active before the primary.  Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.

So my thinking is that, since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine.  And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation.  Is there another case that I'm missing?

For clarification the ASAs are connected with a dedicated crossover cable for failover and state information replication.  So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.

Is this sound?  Did I miss anything?
Thanks!
-Tom Lusty
