Change failover IP adresses on ASA

Discussion in 'Cisco' started by Mark Huizer, Nov 10, 2009.

  Mark Huizer

    Mark Huizer Guest


    I was wondering about the effects of changing the failover IP address on
    a set of ASA's in failover mode.

    The reason why I want to change it: I want to run RIP between the ASA's
    and a set of VPN concentrators, and if I add the network config
    (, too bad I can't use subnets there even with RIPv2), I get the
    error that you can't run RIP on the failover interface, so I want to
    move that interface out of

    Now, if no one objects to that reasoning :), I am wondering how I can
    best do this, since the 2 ASA's are 60km apart, and unfortunately I
    don't have 2 spare devices available to test it on.

    So... which of the 3 scenario's would be the right one and (that would
    be really nice) tested by someone in real life:

    1. run "failover interface ip failover standby" on the active ASA, config is sent to other ASA, write mem,
    all is happy

    2. run "failover interface ip failover standby" on both ASA's at the same time, failover starts running on
    the new IP addresses, write mem, all is happy

    3. have someone connected at each ASA, disconnect the standby one,
    connect serial console, run the command there, run it on the online ASA,
    reconnect the standby on, all are happy except for the person who has to
    drive back :)

    Thanks in advance,


    Mark Huizer, Nov 10, 2009
  Mark Huizer

    Techno_Guy Guest

    1. Why do you want to run RIP? It is extremely chatty, No support for
    VLSM, only does classfull routing, and your limitied by hop count as
    to how many hops it will remember. I would run OSPF instead. OSPF is
    not vendor specific so you can run other non-cisco devices in your
    network, it will route VLSM, along with route summarization.

    Are your ASA's configured for Active/Active or Active/Standby?

    Here are my .02. Are you changing the interface address you have
    configured also or just the failover standby address? So long as your
    only changing the failover ip then just ssh into the interface ip
    address of the secondary pix and then make the failover changes on the
    standy unit. then save the changes. the standy unit will still be up
    and running, it just wont be an active failover partner at this point.
    Now make your changes on the primary unit.
    Techno_Guy, Nov 11, 2009
  Mark Huizer

    Mark Huizer Guest

    The wise Techno_Guy enlightened me with:
    Actually, RIPv2 is classless, and hopcount is good enough for what I
    want to achieve.
    But to answer your (valid) questions: on the VPN concentrator you can do
    RIP and OSPF. As I understand it (please correct me if I am wrong), I
    can use only RIP to distribute routes to the outside world. OSPF is
    available, but only to get routes from the outside world into your
    VPN Concentrators. I have 2 of them in a VPN Cluster, but I need a way
    on the backside (private interface) to communicate it to the ASA.
    Currently we use static routes, but of course that breaks when one of
    the concentrators is down.
    OK, so I could make it a two-step action. Actually I'm changing both
    addresses (both addresses in the failover statement will change).
    Overall it's not that bad if the secondary unit is not capable of
    failover for a few minutes, as long as I can still reach it on the
    management interface, and it doesn't start playing the active unit on
    its side of the network :)

    Maybe I'll go for the semi-smart solution. Wait for some maintenance we
    have to do anyway, soonish. When someone is there and we announced it
    anyway, I can do the maintenance, see if it works as intended and if
    not, have someone around who can pull a cable and do stuff on the

    Mark Huizer, Nov 11, 2009
  Mark Huizer

    Techno_Guy Guest

    Check out reverse route injection. I think that is what your looking
    Techno_Guy, Nov 12, 2009
