Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Change failover IP adresses on ASA

Reply
Thread Tools

Change failover IP adresses on ASA

 
 
Mark Huizer
Guest
Posts: n/a
 
      11-10-2009
Hello,

I was wondering about the effects of changing the failover IP address on
a set of ASA's in failover mode.

The reason why I want to change it: I want to run RIP between the ASA's
and a set of VPN concentrators, and if I add the network config
(10.0.0.0, too bad I can't use subnets there even with RIPv2), I get the
error that you can't run RIP on the failover interface, so I want to
move that interface out of 10.0.0.0/8.

Now, if no one objects to that reasoning , I am wondering how I can
best do this, since the 2 ASA's are 60km apart, and unfortunately I
don't have 2 spare devices available to test it on.

So... which of the 3 scenario's would be the right one and (that would
be really nice) tested by someone in real life:

1. run "failover interface ip failover 172.31.1.1 255.255.255.0 standby
172.31.1.2" on the active ASA, config is sent to other ASA, write mem,
all is happy

2. run "failover interface ip failover 172.31.1.1 255.255.255.0 standby
172.31.1.2" on both ASA's at the same time, failover starts running on
the new IP addresses, write mem, all is happy

3. have someone connected at each ASA, disconnect the standby one,
connect serial console, run the command there, run it on the online ASA,
reconnect the standby on, all are happy except for the person who has to
drive back

Thanks in advance,

Greetings

Mark
 
Reply With Quote
 
 
 
 
Techno_Guy
Guest
Posts: n/a
 
      11-11-2009
On Nov 10, 4:58*am, Mark Huizer <xaa
(E-Mail Removed)> wrote:
> Hello,
>
> I was wondering about the effects of changing the failover IP address on
> a set of ASA's in failover mode.
>
> The reason why I want to change it: I want to run RIP between the ASA's
> and a set of VPN concentrators, and if I add the network config
> (10.0.0.0, too bad I can't use subnets there even with RIPv2), I get the
> error that you can't run RIP on the failover interface, so I want to
> move that interface out of 10.0.0.0/8.
>
> Now, if no one objects to that reasoning , I am wondering how I can
> best do this, since the 2 ASA's are 60km apart, and unfortunately I
> don't have 2 spare devices available to test it on.
>
> So... which of the 3 scenario's would be the right one and (that would
> be really nice) tested by someone in real life:
>
> 1. run "failover interface ip failover 172.31.1.1 255.255.255.0 standby
> 172.31.1.2" on the active ASA, config is sent to other ASA, write mem,
> all is happy
>
> 2. run "failover interface ip failover 172.31.1.1 255.255.255.0 standby
> 172.31.1.2" on both ASA's at the same time, failover starts running on
> the new IP addresses, write mem, all is happy
>
> 3. have someone connected at each ASA, disconnect the standby one,
> connect serial console, run the command there, run it on the online ASA,
> reconnect the standby on, all are happy except for the person who has to
> drive back
>
> Thanks in advance,
>
> Greetings
>
> Mark


1. Why do you want to run RIP? It is extremely chatty, No support for
VLSM, only does classfull routing, and your limitied by hop count as
to how many hops it will remember. I would run OSPF instead. OSPF is
not vendor specific so you can run other non-cisco devices in your
network, it will route VLSM, along with route summarization.

Are your ASA's configured for Active/Active or Active/Standby?

http://www.cisco.com/application/pdf...ransparent.pdf
http://www.cisco.com/en/US/products/...807dac5f.shtml

Here are my .02. Are you changing the interface address you have
configured also or just the failover standby address? So long as your
only changing the failover ip then just ssh into the interface ip
address of the secondary pix and then make the failover changes on the
standy unit. then save the changes. the standy unit will still be up
and running, it just wont be an active failover partner at this point.
Now make your changes on the primary unit.

 
Reply With Quote
 
 
 
 
Mark Huizer
Guest
Posts: n/a
 
      11-11-2009
The wise Techno_Guy enlightened me with:
>
> 1. Why do you want to run RIP? It is extremely chatty, No support for
> VLSM, only does classfull routing, and your limitied by hop count as
> to how many hops it will remember. I would run OSPF instead. OSPF is
> not vendor specific so you can run other non-cisco devices in your
> network, it will route VLSM, along with route summarization.


Actually, RIPv2 is classless, and hopcount is good enough for what I
want to achieve.
But to answer your (valid) questions: on the VPN concentrator you can do
RIP and OSPF. As I understand it (please correct me if I am wrong), I
can use only RIP to distribute routes to the outside world. OSPF is
available, but only to get routes from the outside world into your
VPN Concentrators. I have 2 of them in a VPN Cluster, but I need a way
on the backside (private interface) to communicate it to the ASA.
Currently we use static routes, but of course that breaks when one of
the concentrators is down.

> Are your ASA's configured for Active/Active or Active/Standby?


Active/Standby

> http://www.cisco.com/application/pdf...ransparent.pdf
> http://www.cisco.com/en/US/products/...807dac5f.shtml
>
> Here are my .02. Are you changing the interface address you have
> configured also or just the failover standby address? So long as your
> only changing the failover ip then just ssh into the interface ip
> address of the secondary pix and then make the failover changes on the
> standy unit. then save the changes. the standy unit will still be up
> and running, it just wont be an active failover partner at this point.
> Now make your changes on the primary unit.


OK, so I could make it a two-step action. Actually I'm changing both
addresses (both addresses in the failover statement will change).
Overall it's not that bad if the secondary unit is not capable of
failover for a few minutes, as long as I can still reach it on the
management interface, and it doesn't start playing the active unit on
its side of the network

Maybe I'll go for the semi-smart solution. Wait for some maintenance we
have to do anyway, soonish. When someone is there and we announced it
anyway, I can do the maintenance, see if it works as intended and if
not, have someone around who can pull a cable and do stuff on the
console.

Mark
 
Reply With Quote
 
Techno_Guy
Guest
Posts: n/a
 
      11-12-2009
On Nov 11, 10:20*am, Mark Huizer <xaa
(E-Mail Removed)> wrote:
> The wise Techno_Guy enlightened me with:
>
>
>
> > 1. Why do you want to run RIP? It is extremely chatty, No support for
> > VLSM, only does classfull routing, and your limitied by hop count as
> > to how many hops it will remember. I would run OSPF instead. OSPF is
> > not vendor specific so you can run other non-cisco devices in your
> > network, it will route VLSM, along with route summarization.

>
> Actually, RIPv2 is classless, and hopcount is good enough for what I
> want to achieve.
> But to answer your (valid) questions: on the VPN concentrator you can do
> RIP and OSPF. As I understand it (please correct me if I am wrong), I
> can use only RIP to distribute routes to the outside world. OSPF is
> available, but only to get routes from the outside world into your
> VPN Concentrators. I have 2 of them in a VPN Cluster, but I need a way
> on the backside (private interface) to communicate it to the ASA.
> Currently we use static routes, but of course that breaks when one of
> the concentrators is down.
>
> > Are your ASA's configured for Active/Active or Active/Standby?

>
> Active/Standby
>
> >http://www.cisco.com/application/pdf...tive-failover-...
> >http://www.cisco.com/en/US/products/...roducts_config...

>
> > Here are my .02. Are you changing the interface address you have
> > configured also or just the failover standby address? So long as your
> > only changing the failover ip then just ssh into the interface ip
> > address of the secondary pix and then make the failover changes on the
> > standy unit. then save the changes. the standy unit will still be up
> > and running, it just wont be an active failover partner at this point.
> > Now make your changes on the primary unit.

>
> OK, so I could make it a two-step action. Actually I'm changing both
> addresses (both addresses in the failover statement will change).
> Overall it's not that bad if the secondary unit is not capable of
> failover for a few minutes, as long as I can still reach it on the
> management interface, and it doesn't start playing the active unit on
> its side of the network
>
> Maybe I'll go for the semi-smart solution. Wait for some maintenance we
> have to do anyway, soonish. When someone is there and we announced it
> anyway, I can do the maintenance, see if it works as intended and if
> not, have someone around who can pull a cable and do stuff on the
> console.
>
> Mark


http://www.cisco.com/en/US/products/...80094a6b.shtml

Check out reverse route injection. I think that is what your looking
for.
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
cisco ASA/PIX failover and VPN, failover IP access problem Pit Cisco 0 08-27-2008 03:34 PM
asa 5500 failover (active/standby) public IP address change UBEST Cisco 0 04-24-2007 11:17 AM
ASA failover failure mikesr@email.cz Cisco 0 02-13-2007 11:37 AM
DMZ Switch Problems on ASA Failover Darren Green Cisco 3 10-05-2006 06:32 PM
Stateful NAT failover = yes. Stateful CBAC failover = ???? Alec Waters Cisco 0 06-09-2004 01:38 PM



Advertisments