[c-nsp] ASA Failover without setting a Standby IP on an Interface

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Jan 19 14:51:38 EST 2010


Hi Tom,

If a standby IP is not assigned to the Outside interface, then that
interface will not be able to participate in failover monitoring. 
Meaning, the two ASAs will not be able to exchange 'hellos' out that
interface (as the Active unit will not have an IP to send the hello to
on the Standby).  Thus, if connectivity is lost between the two peers -
due to something other than an ASA interface failure - then failover
will not be able to react to it.

If you are only concerned with the ASA's outside interface failing, then
this will still work (assuming the interface failure triggers the
interface to transition to a down state), as the interface state will
be exchanged with the peer on the failover LAN link.

If you choose to configure the ASAs this way, I would also suggest you
manually disable failover monitoring on the outside interface using the
command:

   no monitor-interface outside

Sincerely,

David.

Tom Lusty wrote:
> Hey Everyone,
>
> We're running a pair of ASAs on 8.2(1), and we only have one available IP in our external range, and we want to have 2 ASAs for redundancy.  So I wanted to know what the possible ramifications are for not setting a standby IP for an interface.  My understanding is that the Primary ASA's IP is used in all cases by both primary and secondary ASAs when active and it's only the mac address that will change if the secondary ASA happens to boot and become active before the primary.  Which is fairly trivial, and can be avoided with a bit of planning, so I'm not worried about this.
>
> So my thinking is, that since all traffic is going to be directed to the Primary ASA's external IP, and whatever ASA happens to be active will be able to communicate on this IP, then it should be fine.  And that the only thing I'm potentially losing is the ability to SSH/manage the secondary ASA from the external IP, which is completely fine in my situation.  Is there another case that I'm missing?
>
> For clarification the ASAs are connected with a dedicated crossover cable for failover and state information replication.  So if an interface were to fail, the other ASA should (in theory) be notified via the failover connection.
>
> Is this sound?  Did I miss anything?
> Thanks!
> -Tom Lusty
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>   
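The configuration the thread describes, written out as an added example (it is not either poster's configuration): a dedicated failover/state link, an inside interface with a standby address that is monitored normally, and an outside interface that has only one public address and is therefore taken out of interface monitoring with `no monitor-interface outside`. Interface names, IP addresses and masks (RFC 5737 / private space) are placeholders and an assumption of this example.

```cisco
! Added example, not the original poster's config. All interface names,
! addresses and masks below are assumed placeholders.

! --- Dedicated failover / state link (the crossover cable) ---
! On the secondary unit use "failover lan unit secondary" instead;
! the remaining failover lines are identical on both units.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2

! --- Inside: active AND standby address, so the two units can exchange
!     interface hellos here and the interface is monitored normally ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

! --- Outside: only one public IP available, so no standby address.
!     Whichever unit is active owns 203.0.113.2; the standby unit has
!     no address of its own on this segment ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248

! With no standby IP the peers cannot run hello-based monitoring on
! outside, so remove it from interface monitoring explicitly instead of
! leaving it half-monitored. Interface state is still carried over FOLINK.
no monitor-interface outside

! Enable failover last, on the primary first and then on the secondary.
failover

! --- Checks to run afterwards, on both units ---
! show failover           (peer state, "Monitored Interfaces" count)
! show monitor-interface  (outside should no longer be listed as monitored)
! show failover state
```

After both units are up, `show failover` on each should report the peer as Standby Ready and an interface count that excludes outside; `show monitor-interface` should list only inside (and any other interfaces that keep a standby address). Since outside is no longer monitored, test the one failure case the thread cares about in a maintenance window by pulling the outside cable on the active unit and watching `show failover` on the peer, rather than assuming the switchover behaviour.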