ASA Active / Standby, can I recycle the inside interface of the Standby

So I got myself a couple of 5525x ASAs,

Configured inside and outside interfaces, the usual stuff.

Connected them together with xovers and set up failover. All fine,.

So now, the secondary is a duplicate of the primary. agreed?

Does that mean I can reuse the IP address I originally set to the inside interface of the secondary? or should I keep it free and available. I'm not short on addresses by the way. I'm just curious.

Many thanks:)

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Jason0352

I'm no security guru, but the way we have it setup is the secondary inside int has it's own IP assigned. In an event of a failover, the secondary assumes the primarys inside IP and traffic flows without incident.

This host: Secondary - Standby Ready
Active time: 647 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (X.X.X.X): Normal
Interface inside (10.10.1.5): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E3) status (Up/Up)
IPS, 6.0(6)E3, Up
Other host: Primary - Active
Active time: 8294562 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(5)) status (Up Sys)
Interface outside (X.X.X.X): Normal
Interface inside (10.10.1.6): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(6)E4) status (Up/Up)
IPS, 6.0(6)E4, Up

kalebksp

The configuration should be automatically sync'd for a single context, assuming the failover is setup properly. In other words the address you originally specified on the standby ASA should have been overwritten. If you specified standby addresses on the primary with 'ip address x.x.x.x x.x.x.x standby x.x.x.x' that IP can be used to connect to the standby unit for management purposes.

If the standby unit becomes active the standby address will be assigned to the device that was previously active.

It's best to assign a standby address because it's also used to detect failures (if no traffic is received on the primary's interface but there is traffic being received on the secondary's a failover will occur). Though it is not absolutely necessary, sometimes I don't when a spare external IP is not available.

Futura

kalebksp wrote: »

In other words the address you originally specified on the standby ASA should have been overwritten.

Super, Many thanks.