Tuesday 8 May 2012

ASA Firewall Active-Standby interface configuration


Question:
Hello. I have just implemented an ASA Active/Standby (A/S) failover configuration, and the config has successfully transferred to the standby unit.
However, I am not sure “best practice” on how to handle the management interface configuration.
Issue: Once the config transferred to the standby unit, the mgt interface now has the same IP address as the active unit mgt interface. What is the best method for maintaining separate IP addresses on these interfaces for remote management purposes without compromising the configs on each ASA (and ending the annoying console messages on the active unit too)?

Answer:
The way you do this is to configure the standby IP addresses for all of your interfaces on the Active unit. This is done with the ‘standby’ keyword. See example below:
ASA-Active-Unit(config-if)# ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
The address used by the Standby interface must be in the same subnet as the Active address and cannot be in use anywhere else on your network.
Once you configure this on the Active unit, the configuration will be replicated down to the Standby unit so the changes will take effect (or you can use the ‘write standby’ command on the Active unit).
After the changes take effect, you can issue the ‘show failover’ command to see that the Active and Standby interfaces have different IP addresses.

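As an added example (not part of the original post or of Cisco's tooling), the following Python check applies the rules from the answer to the interface section of a running-config: every interface should carry a standby address, that address must be in the same subnet as the active address, and it must not be in use anywhere else in the config. The sample config is constructed, and the parser assumes the standard `ip address A M standby B` line layout shown in the answer.

```python
import ipaddress
import re

# Constructed sample of the interface section of an ASA running-config (not taken
# from the page); the management interface has no standby address, as in the question.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
interface Management0/0
 nameif management
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 172.16.5.1 255.255.255.0 standby 192.168.0.2
"""
IFACE_RE = re.compile(r"^interface (\S+)")
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?")

def parse_interfaces(config):
    # Yields (interface name, active address, netmask, standby address or None).
    name = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            name = m.group(1)
        elif name and (m := IP_RE.match(line)):
            yield name, m.group(1), m.group(2), m.group(3)

def check_standby_addresses(config):
    # Returns a list of findings; an empty list means every interface passes.
    findings, in_use = [], {}  # in_use: address -> interface already using it
    for name, active, mask, standby in parse_interfaces(config):
        net = ipaddress.ip_interface(f"{active}/{mask}").network
        for addr in filter(None, (active, standby)):
            if addr in in_use:  # an address must not be in use anywhere else
                findings.append(f"{name}: {addr} is already used by {in_use[addr]}")
            in_use[addr] = name
        if standby is None:  # after sync the peer would share the active address
            findings.append(f"{name}: no standby address configured")
        elif standby == active:
            findings.append(f"{name}: standby address equals the active address")
        elif ipaddress.ip_address(standby) not in net:  # must be in the same subnet
            findings.append(f"{name}: standby {standby} is outside {net}")
    return findings

if __name__ == "__main__":
    for finding in check_standby_addresses(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing management standby address and the dmz standby address that both collides with the inside interface and lies outside the dmz subnet.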