https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097263#M393363 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You already did that with this command:</P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">interface Management0/0</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">management-only</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nameif management</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">security-level 100</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><EM style="text-decoration: underline; "><STRONG>ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91</STRONG></EM></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">You can now access the secondary unit attempting to ssh,telnet or ASDM to 100.91 and the active one at 100.92</P><P></P><P></P><P>is that normal that I need to make a route map to exclude management network in ospf to avoid that the routing service publish the management network.</P><P></P><P>The managment-only command is really picky so you got to be really carefull when you use this interface </P><P></P><H2 style="background-color: #ffffff; border-collapse: collapse; font-size: 14.166666030883789px; list-style: none; margin: 14px 0em 7px -0.1in; color: #336666; font-family: Arial, Helvetica, sans-serif;">Management 0/0 Interface on the ASA 5500-X Series</H2><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068467" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 1px 0em 6px; color: #000000; font-family: Arial, Helvetica, sans-serif;">You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068469" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No through traffic support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068470" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No subinterface support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068471" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No priority queue support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1069159" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No multicast MAC support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1069160" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.</P><P> So as you can see there is no restriction for that so yes it is normal,</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helpful posts</P></BODY></HTML> Wed, 09 Jan 2013 04:12:46 GMT Julio Carvajal 2013-01-09T04:12:46Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097259#M393358 <P>hello,</P><P></P><P>I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.</P><P></P><P>my config</P><P></P><P>interface GigabitEthernet0/1</P><P> channel-group 1 mode active</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P>interface GigabitEthernet0/2</P><P> channel-group 1 mode active</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>!</P><P></P><P>interface GigabitEthernet0/5</P><P> description LAN/STATE Failover Interface</P><P></P><P></P><P>interface Management0/0</P><P> management-only</P><P> nameif management</P><P> security-level 100</P><P> ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91</P><P> ospf cost 300</P><P> ospf priority 30</P><P> ospf network point-to-point non-broadcast</P><P></P><P>failover</P><P>failover lan unit primary</P><P>failover lan interface asa GigabitEthernet0/5</P><P>failover key *****</P><P>failover replication http</P><P>failover link asa GigabitEthernet0/5</P><P>failover interface ip asa 172.16.255.254 255.255.255.0 standby 172.16.255.253</P><P>no monitor-interface management</P><P>no monitor-interface Etherchannel</P><P></P><P></P><P>---------</P><P>As you can see and this is my second request I use OSpf for routing and with management-only on manangement0/0&nbsp; the ip adress is redistribute on OSPF or with command "management-only" you can make routing, but the network is steal redistribute on ospf routing. I make route-map to exclude this interface but I think it should not be the normal way to do it.</P><P></P><P>route-map RM-select permit 10</P><P> match interface Classe1 Backbone97 Backbone98</P><P>!</P><P>route-map RM-select deny 20</P><P> match interface management DMZ</P><P>!</P><P>!</P><P>router ospf 1</P><P> router-id 172.16.97.92</P><P> network 172.16.97.0 255.255.255.0 area 0</P><P> network 172.16.98.0 255.255.255.0 area 0</P><P> area 0</P><P> log-adj-changes detail</P><P> redistribute connected route-map RM-select</P><P></P><P>interface Port-channel1.10</P><P> vlan 10</P><P> nameif Classe1</P><P> security-level 10</P><P> ip address 192.168.10.254 255.255.255.0</P><P>!</P><P>interface Port-channel1.97</P><P> vlan 97</P><P> nameif Backbone97</P><P> security-level 10</P><P> ip address 172.16.97.92 255.255.255.0</P><P> ospf cost 10</P><P> ospf retransmit-interval 3</P><P> ospf priority 2</P><P> ospf hello-interval 1</P><P> ospf message-digest-key 1 md5 *****</P><P> ospf authentication message-digest</P><P>!</P><P>interface Port-channel1.98</P><P> vlan 98</P><P> nameif Backbone98</P><P> security-level 10</P><P> ip address 172.16.98.92 255.255.255.0</P><P> ospf cost 20</P><P> ospf retransmit-interval 3</P><P> ospf priority 2</P><P> ospf hello-interval 1</P><P> ospf message-digest-key 1 md5 *****</P><P> ospf authentication message-digest</P><P></P><P>------------------------</P><P>Sorry for my english and thank's for your help.</P> Tue, 12 Mar 2019 00:43:54 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097259#M393358 fcorfdir 2019-03-12T00:43:54Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097260#M393360 <HTML><HEAD></HEAD><BODY><P>no one have an idea ?</P></BODY></HTML> Tue, 08 Jan 2013 23:09:37 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097260#M393360 fcorfdir 2013-01-08T23:09:37Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097261#M393361 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Not sure I understand your query,</P><P></P><P>Is the problem that an OSPF neighorship is being created over the managment interface, is the problem that you cannot create an OSPF neigborship over this interface.</P><P></P><P>Are you supposed to filter this Subnet and is not being the case??? Let us know </P><P></P><P>Julio</P></BODY></HTML> Wed, 09 Jan 2013 00:58:00 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097261#M393361 Julio Carvajal 2013-01-09T00:58:00Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097262#M393362 <HTML><HEAD></HEAD><BODY><P>I have 2 query :</P><P></P><P>How can I configure a diferent management ip on each member of my cluster node in a cluster.</P><P></P><P>is that normal that I need to make a route map to exclude management network in ospf to avoid that the routing service publish the management network</P></BODY></HTML> Wed, 09 Jan 2013 02:55:19 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097262#M393362 fcorfdir 2013-01-09T02:55:19Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097263#M393363 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You already did that with this command:</P><P></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">interface Management0/0</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">management-only</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nameif management</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">security-level 100</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><EM style="text-decoration: underline; "><STRONG>ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91</STRONG></EM></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">You can now access the secondary unit attempting to ssh,telnet or ASDM to 100.91 and the active one at 100.92</P><P></P><P></P><P>is that normal that I need to make a route map to exclude management network in ospf to avoid that the routing service publish the management network.</P><P></P><P>The managment-only command is really picky so you got to be really carefull when you use this interface </P><P></P><H2 style="background-color: #ffffff; border-collapse: collapse; font-size: 14.166666030883789px; list-style: none; margin: 14px 0em 7px -0.1in; color: #336666; font-family: Arial, Helvetica, sans-serif;">Management 0/0 Interface on the ASA 5500-X Series</H2><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068467" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 1px 0em 6px; color: #000000; font-family: Arial, Helvetica, sans-serif;">You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068469" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No through traffic support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068470" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No subinterface support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1068471" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No priority queue support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1069159" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>No multicast MAC support</P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><A name="wp1069160" rel="nofollow" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;">#</A></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12.499999046325684px; list-style: none; margin: 0px 0em 7px 0.25in; color: #000000; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">•<A href="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none; outline: none; color: #2f6681;"><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="border-collapse: collapse; list-style: none;" width="19" /></A>The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.</P><P> So as you can see there is no restriction for that so yes it is normal,</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helpful posts</P></BODY></HTML> Wed, 09 Jan 2013 04:12:46 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097263#M393363 Julio Carvajal 2013-01-09T04:12:46Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097264#M393364 <HTML><HEAD></HEAD><BODY><P>ok, thanks for the information about management-only. I hope that it could be less picky in next asa release.</P><P></P><P>I can connect in SSH on both management ip but I can't with ASDM. before I always test only with ASDM</P><P></P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL</P><P>http server enable</P><P>http 172.16.100.0 255.255.255.0 management</P><P></P><P>telnet timeout 5</P><P>ssh 172.16.100.0 255.255.255.0 management</P><P>ssh timeout 5</P><P>ssh version 2</P></BODY></HTML> Wed, 09 Jan 2013 06:22:36 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097264#M393364 fcorfdir 2013-01-09T06:22:36Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097265#M393365 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Do you get any specific errors while connecting via ASDM??</P><P></P><P>Add the following</P><P>aaa authentication http console LOCAL </P><P></P><P>And give it a try</P></BODY></HTML> Wed, 09 Jan 2013 14:17:19 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097265#M393365 Julio Carvajal 2013-01-09T14:17:19Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097266#M393368 <HTML><HEAD></HEAD><BODY><P>I have add aaa authtication http consol local but same error.</P><P></P><P>when i connect to 172.16.100.91 (standby ip on management) i have the error "could not open device 172.16.100.91"</P></BODY></HTML> Wed, 09 Jan 2013 21:13:03 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097266#M393368 fcorfdir 2013-01-09T21:13:03Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097267#M393372 <HTML><HEAD></HEAD><BODY><P>From witch Ip add are you trying to connect??</P><P></P><P>Regards,</P></BODY></HTML> Wed, 09 Jan 2013 21:28:49 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097267#M393372 Julio Carvajal 2013-01-09T21:28:49Z https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097268#M393374 <HTML><HEAD></HEAD><BODY><P>I update ASDM on both node and I can connet to both management ip with the new asdm. thank for your help</P></BODY></HTML> Wed, 09 Jan 2013 21:52:15 GMT https://community.cisco.com/t5/network-security/management-interface-in-cluster-asa/m-p/2097268#M393374 fcorfdir 2013-01-09T21:52:15Z