[c-nsp] ASA failover - possible with a /30 ?

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Jun 7 09:22:58 EDT 2011


Hi Jeff,

The Standby IP is used to monitor both interfaces (the interface on the
Active and the one on the Standby).  Failover will work without a
standby IP, but the ASA will not be able to detect failure conditions on
that interface, unless the failure condition results in a link down. If
a link down condition occurs, then no testing is needed and this
information is sent over the failover control link.

A better solution is to make the interface a trunk link.  Add 2 VLANs
(one for the customer, and one 'dummy' VLAN).  Enable failover interface
monitoring on the dummy VLAN, and this can be used to both validate the
interface and the path.  On the customer's VLAN, you don't assign a
standby IP and disable interface monitoring.

Hope it helps,

David.


Jeff Kell wrote:
> We are trying to move a customer behind our firewall (an active/active
> pair of ASAs).  They are currently terminated on our edge via a /30
> point-to-point link, and they would prefer to keep their addressing the
> same.
>
> The other inbound links to these ASAs are set up for failover, with the
> "failover" and "standby" addresses in the failover configuration.
>
> Is it possible to have this link "failover" without a configured standby
> address?  Or will this interface remain down if the primary goes down?
> Is the "standby" address only used for monitoring?
>
> Jeff
>   
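
Added example (not part of the original thread, and not a configuration posted by either participant): a sketch of the trunk design described in the reply, with the customer /30 on one subinterface and a monitored 'dummy' VLAN on another. Interface names, VLAN IDs and addresses are constructed placeholders, and the fragment is written as it would appear in a single context; in multiple-context mode the subinterfaces and VLAN IDs are defined in the system execution space and allocated to the context.

```cisco
! Constructed values: interface names, VLAN IDs and addresses are placeholders.
! Physical port becomes a trunk: no name or address on the parent interface.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Customer VLAN: keeps the existing /30, so no standby IP is configured.
interface GigabitEthernet0/1.100
 vlan 100
 nameif customer
 security-level 50
 ip address 192.0.2.1 255.255.255.252
!
! Dummy VLAN on the same trunk: carries no customer traffic and has a standby IP.
interface GigabitEthernet0/1.999
 vlan 999
 nameif probe
 security-level 0
 ip address 198.51.100.1 255.255.255.248 standby 198.51.100.2
!
! Failover interface monitoring runs on the dummy VLAN only.
monitor-interface probe
no monitor-interface customer
```

`show failover` and `show monitor-interface` on the active unit then list the monitoring state of each named interface, which confirms that `probe` is monitored and `customer` is not.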


