https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926089#M437061 <P>Hi all,</P><P></P><P>I'm trying to work out if it's possible on ASAs to have the devices failover, but have the management IP not failover. So as an example: -</P><P></P><P>PRE FAILOVER</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Interface</STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 1<BR /></STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA2</STRONG></SPAN></TH></TR><TR><TD>Inside</TD><TD>192.168.1.1/24</TD><TD>192.168.1.2/24</TD></TR><TR><TD>Outside</TD><TD>192.168.2.1/24</TD><TD>192.168.2.2/24</TD></TR><TR><TD>Management0/0</TD><TD>10.1.1.1/24</TD><TD>10.2.1.1/24</TD></TR></TBODY></TABLE><P></P><P>POST FAILOVER</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Interface</STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 1<BR /></STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 2<BR /></STRONG></SPAN></TH></TR><TR><TD>Inside</TD><TD>192.168.1.2/24</TD><TD>192.168.1.1/24</TD></TR><TR><TD>Outside</TD><TD>192.168.2.2/24</TD><TD>192.168.2.1/24</TD></TR><TR><TD>Management0/0</TD><TD>10.1.1.1/24</TD><TD>10.2.1.1/24</TD></TR></TBODY></TABLE><P></P><P></P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow: hidden;"></DIV><P></P><P>Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.</P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 23:06:34 GMT showlette 2019-03-11T23:06:34Z https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926089#M437061 <P>Hi all,</P><P></P><P>I'm trying to work out if it's possible on ASAs to have the devices failover, but have the management IP not failover. So as an example: -</P><P></P><P>PRE FAILOVER</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Interface</STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 1<BR /></STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA2</STRONG></SPAN></TH></TR><TR><TD>Inside</TD><TD>192.168.1.1/24</TD><TD>192.168.1.2/24</TD></TR><TR><TD>Outside</TD><TD>192.168.2.1/24</TD><TD>192.168.2.2/24</TD></TR><TR><TD>Management0/0</TD><TD>10.1.1.1/24</TD><TD>10.2.1.1/24</TD></TR></TBODY></TABLE><P></P><P>POST FAILOVER</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Interface</STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 1<BR /></STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>ASA 2<BR /></STRONG></SPAN></TH></TR><TR><TD>Inside</TD><TD>192.168.1.2/24</TD><TD>192.168.1.1/24</TD></TR><TR><TD>Outside</TD><TD>192.168.2.2/24</TD><TD>192.168.2.1/24</TD></TR><TR><TD>Management0/0</TD><TD>10.1.1.1/24</TD><TD>10.2.1.1/24</TD></TR></TBODY></TABLE><P></P><P></P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow: hidden;"></DIV><P></P><P>Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.</P><P></P><P>Thanks!</P> Mon, 11 Mar 2019 23:06:34 GMT https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926089#M437061 showlette 2019-03-11T23:06:34Z https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926090#M437062 <HTML><HEAD></HEAD><BODY><P>Hi Staurt,</P><P></P><P>That's not possible, because whatever IP you give it to your management interface, it would be overwriiten with the one that you have on Primary firewalls when the replication happens. So the setup that you are looking for might not be possible.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Mon, 14 May 2012 11:32:37 GMT https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926090#M437062 varrao 2012-05-14T11:32:37Z https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926091#M437063 <HTML><HEAD></HEAD><BODY><P>I had expected this to be the case unfortunately. Seems like a bit of an oversight really, as management access that you can't have unless a device is in a certain mode, and may change, isn't much like management access to me.</P></BODY></HTML> Mon, 14 May 2012 11:57:27 GMT https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926091#M437063 showlette 2012-05-14T11:57:27Z https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926092#M437064 <HTML><HEAD></HEAD><BODY><P>No you can access the management interface of the standby firewall, even if it is in standby state. I am sorry but Ia m not really sure about your requirement and would suggest if you can let me know.</P><P></P><P></P><P>Thanks, <BR />Varun Rao <BR />Security Team, <BR />Cisco TAC</P></BODY></HTML> Mon, 14 May 2012 11:59:31 GMT https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926092#M437064 varrao 2012-05-14T11:59:31Z https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926093#M437065 <HTML><HEAD></HEAD><BODY><P>We would like the ASAs to be monitored and reachable separately. If the management IP switches over, that negates monitoring of the IP. </P><P></P><P>Ideally we would like the firewall management IPs to be in completely different subnets, which looks impossible with the way they currently work. An example is exactly like my first post.</P></BODY></HTML> Mon, 14 May 2012 12:04:21 GMT https://community.cisco.com/t5/network-security/asa-failover-maintain-management-ips/m-p/1926093#M437065 showlette 2012-05-14T12:04:21Z