04-11-2011 10:23 AM - edited 03-11-2019 01:19 PM
I know this is probably an easy question, but I cannot seem to figure out what I am doing wrong. I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing?
This host: Primary - Active
Active time: 13400573 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (xx.xx.xxx.xx): Normal (Waiting)
Interface dmz1 (192.168.xx.x): Normal (Waiting)
Interface inside (10.xxx.xxx.xx): Normal (Waiting)
Interface dmz2 (0.0.0.0): Link Down (Waiting)
Interface DMZ3 (yyy.yyy.yyy.yyy): Normal (Waiting)
04-11-2011 10:35 AM
Try
asa(config)# no monitor-interface dmz2
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1785557
Manish
04-11-2011 10:51 AM
I tried that command, no monitor-interface dmz2, and now it says:
Interface dmz2 (0.0.0.0): Link Down (Not-Monitored)
It is still showing up though. The other interfaces on the ASA that are in a shutdown state with no security level and no IP address do not show up. I think you are on the right track, but it still didn't remove that from the listing.
Mike
04-11-2011 11:48 AM
Umm, I think you might have to reset the failover or reload the device for that; not sure, and I can't find any documentation related to that.
Manish
04-11-2011 12:59 PM
Yeah, I was wondering about whether a reload was a requirement for this. I will attempt the reload during our maintenance window and see what that does. I found little documentation on this as well. That was why I posted the question to the community. Thanks.
04-11-2011 01:11 PM
Ok, so I figured this out. Possibly, in addition to the "no monitor-interface" command, if you remove the IP address and the nameif on the interface, it will remove failover monitoring on that interface. Just an FYI. I went into interface config mode on that interface and entered no nameif, and that removed it from the listing when "show failover" was entered. Thanks for the help.
Mike
04-11-2011 02:06 PM
Mike,
I thought you said in your original post "I have removed the security level and the IP address and shutdown the interface." But good to know that you don't need a reset for that.
Thanks
Manish
04-11-2011 02:27 PM
I did say that and I did do that. However, I hadn't removed the nameif on the interface, as I figured the IP address removal would've taken care of it. It didn't. At least I have it figured out now. Again, thanks for your help.
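For readers landing on this thread later, here is the full command sequence the thread arrives at, written up as an added example (it is not a session from either poster). The physical port Ethernet0/3 is an assumption; substitute whichever port carries the dmz2 nameif on your unit. Enter it on the active unit; in an active/standby pair the commands are replicated to the standby.

```text
! Step 1: stop failover from monitoring the interface (first suggestion in the thread)
asa(config)# no monitor-interface dmz2

! Step 2: strip the interface configuration, including the nameif.
! Removing only the IP address and security level leaves the interface in
! "show failover"; it is the "no nameif" that takes it off the list.
asa(config)# interface Ethernet0/3
asa(config-if)# no ip address
asa(config-if)# no security-level
asa(config-if)# no nameif
asa(config-if)# shutdown
asa(config-if)# exit

! Step 3: confirm dmz2 is gone from the interface list, then save on both units
asa(config)# show failover | include Interface
asa(config)# write memory
```

Check before running step 2 on a production unit: removing a nameif also drops any configuration that references that interface name (access-group bindings, NAT statements, and similar), so review the running config for references to dmz2 and make sure nothing still depends on it. The "show failover | include Interface" line should list outside, dmz1, inside and DMZ3 only.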