https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956446#M1105706 <P><EM><STRONG>my question is do i need to apply this config on all context sub-interfaces?</STRONG></EM></P> <P>This depends on if you want a failover to occur if there is a protocol failure on any of the sub-interfaces.&nbsp; Otherwise you would only need the command on the interfaces you want to monitor and trigger in a failure situation, (your most important interfaces).</P> <P><EM><STRONG>will it cause failover flapping issue when one or two sub-interfaces in a specific context had a problem?</STRONG></EM></P> <P>Not entirely sure what you mean by this, but once a failover occurs, the previously active device will not become active again unless you manually failover or there is another failure situation on the current active device.</P> <P>Also, if you have not done so already, it is a good practice to configure standby IPs on the interfaces for situations where it is the failover link that has failed.</P> Thu, 09 Nov 2023 14:27:01 GMT Marius Gunnerud 2023-11-09T14:27:01Z https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956307#M1105700 <P>hi,</P><P>i'm configuring a new FPR 3100 with ASA OS.</P><P>it's an ASA in multiple context mode and was doing some failover test and ping to the internet.</P><P>it didn't failover to secondary after shutdown trunk switch port facing the ASA FW LAN and WAN. it only worked after configuring the 'monitor-interface' on the LAN and WAN.</P><P>my question is do i need to apply this config on all context sub-interfaces?</P><P>will it cause failover flapping issue when one or two sub-interfaces in a specific context had a problem?</P><P>asa/pri/act/TEST# show interface ip brief<BR />Interface IP-Address OK? Method Status Protocol<BR />Port-channel2.199 172.16.4.5 YES manual up up&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; LAN/inside: PORT-CHANNEL TO TRUNK SWITCH PORT<BR />Port-channel2.999 178.2.10.1 YES manual up up&nbsp;&nbsp; &lt;&lt;&lt; WAN/outside: PORT-CHANNEL TO TRUNK SWITCH PORT</P><P>asa/pri/act/TEST# sh run | i monitor&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; INTERNET EDGE FW<BR />no monitor-interface TEST_VRF&nbsp;&nbsp;&nbsp; &lt;&lt;&lt;&lt; LAN/inside<BR />no monitor-interface INTERNET&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; WAN/outside</P><P>Router#ping vrf TEST_VRF 8.8.8.8 source 172.16.4.1 repeat 1000&nbsp;&nbsp; &lt;&lt;&lt; PING FROM DOWNSTREAM ROUTER, NO FAILOVER<BR />Type escape sequence to abort.<BR />Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:<BR />Packet sent with a source address of 172.16.41<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!................................<BR />................</P><P><FONT color="#FF0000">asa/pri/act/TEST(config)# monitor-interface TEST_VRF</FONT><BR /><FONT color="#FF0000">asa/pri/act/TEST(config)# monitor-interface INTERNET</FONT></P><P>Router#ping vrf TEST_VRF 8.8.8.8 source 172.16.4.1 repeat 1000&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; FAILOVER TO SECONDARY FW WORKED<BR />Type escape sequence to abort.<BR />Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:<BR />Packet sent with a source address of 172.16.4.1<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<BR />!!!!!!!!!!!!!!!!!!!!<BR />Success rate is 99 percent (999/1000), round-trip min/avg/max = 15/15/21 ms</P><P>&nbsp;</P> Thu, 09 Nov 2023 09:11:08 GMT https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956307#M1105700 johnlloyd_13 2023-11-09T09:11:08Z https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956446#M1105706 <P><EM><STRONG>my question is do i need to apply this config on all context sub-interfaces?</STRONG></EM></P> <P>This depends on if you want a failover to occur if there is a protocol failure on any of the sub-interfaces.&nbsp; Otherwise you would only need the command on the interfaces you want to monitor and trigger in a failure situation, (your most important interfaces).</P> <P><EM><STRONG>will it cause failover flapping issue when one or two sub-interfaces in a specific context had a problem?</STRONG></EM></P> <P>Not entirely sure what you mean by this, but once a failover occurs, the previously active device will not become active again unless you manually failover or there is another failure situation on the current active device.</P> <P>Also, if you have not done so already, it is a good practice to configure standby IPs on the interfaces for situations where it is the failover link that has failed.</P> Thu, 09 Nov 2023 14:27:01 GMT https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956446#M1105706 Marius Gunnerud 2023-11-09T14:27:01Z https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956804#M1105717 <P>hi,</P><P>i'll probably just configure monitor on the "INTERNET" sub-interface/nameif since there's a lot of "inside" subif.</P><P>&nbsp;</P> Fri, 10 Nov 2023 05:42:53 GMT https://community.cisco.com/t5/network-security/monitor-interface-in-asa-context/m-p/4956804#M1105717 johnlloyd_13 2023-11-10T05:42:53Z