topic Re: Manage Interface Configuration Reservation in Active/Standy - ASA in Network Security

Manage Interface Configuration Reservation in Active/Standy - ASA

4kalak4 — Wed, 26 Apr 2023 11:30:30 GMT

Hi all,

I have two ASA FirePower-2140 in Active/Standby Configuration.

I need to configure one IP addres for management in FirePower-1 and other distinct IP address for management in FirePower-2 because I need to access both devices independently via HTTP and SSH. So, I need this configuration:

FirePower-2140-ASA-1# show running-config interface management 1/1
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.140.7.65 255.255.255.128

FirePower-2140-ASA-2# show running-config interface management 1/1
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.140.7.165 255.255.255.128
FirePower-2140-ASA#

However, due to config syncronization from Active to Standby device, management IP address for FirePower-2140-ASA-2 change to management IP address configured in FirePower-2140-ASA-1. In addition, is not possible to configure a standby IP addres for managemente interface because both IPs are in different networks.

Is there any way to avoid this issue?

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

Marius Gunnerud — Wed, 26 Apr 2023 11:37:39 GMT

Why do you want to do this? What is your end goal by having a management IP in a different subnet on the standby unit? When using the same interface there is no way around it. Also, you should not be managing the ASAs separately when they are in HA configuration as this will put the configuration out of sync and cause issues.

Optionally, you could configure a second interface with an IP and standby IP in a different subnet and manage the ASA via this interface. This is not recommended though.

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

MHM Cisco World — Wed, 26 Apr 2023 11:47:34 GMT

Different subnet for management interface? Why you config it in this way?

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

4kalak4 — Wed, 26 Apr 2023 11:55:00 GMT

Hi Marius,

The main reason is due to network design limitation. We have two different management networks, one in a data center (10.140.7.0/25) and the other (10.140.7.128/25) in a different data center location.

Devices in both networks can comunicate one with other via different gateways. For example, gateway for 10.140.7.0/25 network is 10.140.7.1 and gateway for 10.140.7.128/25 is 10.140.7.129. So, as you can conclude, is necessary that FirePower-1 have configured 10.140.7.1 for gateway management and FirePower-2 have configured 10.140.7.129 for gateway management.

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

Marius Gunnerud — Wed, 26 Apr 2023 12:11:03 GMT

If you do not have L2 connectivity between the two sites then an ASA active/standby HA setup is probably not the way you should go. Could you describe your network in more detail and what your end goal or expected result is?

Is one DC active and the other a disaster recovery site?
if both are active does one site use the other for access to all other network resources / users?
Do you have the ability to set up a dedicated L2 connection for the ASA HA...if this is an absolute requirement?

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

MHM Cisco World — Wed, 26 Apr 2023 12:17:40 GMT

I have idea here it can work for you

Use two interface one for each subnet, so even if the config is sync you can reach the Asa that have right subnet.

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

4kalak4 — Wed, 26 Apr 2023 12:36:27 GMT

Hi,

Yes, It could be a possible solution. Not elegant but functional.

In addition, in my network design, I only have two links for data; one for inside and the other for outside. So, I think it doesn't make sense configure monitored managed interfaces for failover. For example, if management interface in FirePower-1 comes down is not neccesary to make failover to the standby device if data interfaces are up.

What is your oppinion about it?

Re: Manage Interface Configuration Reservation in Active/Standy - ASA

MHM Cisco World — Wed, 26 Apr 2023 12:39:30 GMT

Sorry I was must mention that you need to not monitor both mgmt interfaces.

Thanks

MHM