topic ASA Active-Standby 'monitor-interface' in Network Security

ASA Active-Standby 'monitor-interface'

johnlloyd_13 — Tue, 12 Mar 2019 07:40:15 GMT

hi,

i'm configuring 2x ASA for active/standby and just want to confirm the 'monitor-interface' command

we have context with an 'outside' (with a different public IP) and 'inside' with different allocated sub-interface.

i was thinking of configuring these lines for each context just to be sure:

monitor-interface inside

monitor-interface outside

my question, since we're creating sub-interface (different VLAN) for the 'inside' interface for each context, do we always have to configure the 'monitor-interface inside' for each new context?

is 'outside' interface enabled by default for the 'monitor-interface' command since the allocated outside interface is always the main interface g0/0?

ASA01/pri/act(config-pmap)# monitor-interface ?

configure mode commands/options:
service-module Enable service-card monitoring
Current available interface(s):
inside Name of interface GigabitEthernet0/1.400 <<< THIS IS FOR CONTEXT A; WHAT IF CONTEXT B HAS G0/1.401 FOR 'inside'?
outside Name of interface GigabitEthernet0/0

lastly, is it good practice to enable the 'failover replication http' command? will it cause heavy traffic on the failover links?

Hi

Henrik Grankvist — Tue, 26 Apr 2016 19:57:05 GMT

I don't understand what you mean with:

is 'outside' interface enabled by default for the 'monitor-interface' command since the allocated outside interface is always the main interface g0/0?

By default only the failover interface is monitored if I remember correctly.

The monitor-interface is done inside each context, so if you have interface "outside" on three different context you have to enable monitor-interface on all three contexts for interface "outside".

Whether it's good practice or not depends on your need at your company/customer. Is it critical that not even the http session has to reestablish? Well then HTTP replication is necessary. For most companies it is not necessary.

hi,

johnlloyd_13 — Wed, 27 Apr 2016 06:21:12 GMT

hi,

i saw this link and it mentioned about the said command.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html

Configuring Interface Monitoring

By default, monitoring is enabled on all physical interfaces, or for the ASA 5505 and ASASM, all VLAN interfaces. You might want to exclude interfaces attached to less critical networks from affecting your failover policy.

Guidelines

You can monitor up to 250 interfaces on a unit (across all contexts in multiple context mode).
In multiple context mode, configure interfaces within each context.

do you 'hardcode' these commands in your environment? same goes for the http replication, do you configure this in your ASA?

Normally I only use

Henrik Grankvist — Sat, 30 Apr 2016 07:38:28 GMT

Normally I only use subinterfaces because it scales a lot better and yes I will configure http replication, it doesn't impact that much on the bandwidth.