Re: Active/Standby Failover Config ? on Cisco ASA5510

Mike McWethy · ‎04-11-2011

I know this is probably an easy question, but I cannot seem to figure out what I am doing wrong. I have two ASA5510 configured in an active/standby failover configuration. Everything is working well, but I would like to remove DMZ2 as it is no longer needed. On my DMZ2 interface, I have removed the security level and the IP address and shutdown the interface. However, when I do a "show failover" DMZ2 is still showing up. I would like to remove it completely so that failover isn't even "monitoring" this interface. What command am I missing or what do I need to do to completely remove this interface from this "show failover" listing?

This host: Primary - Active
        Active time: 13400573 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface outside (xx.xx.xxx.xx): Normal (Waiting)
          Interface dmz1 (192.168.xx.x): Normal (Waiting)
          Interface inside (10.xxx.xxx.xx): Normal (Waiting)
          Interface dmz2 (0.0.0.0): Link Down (Waiting)
          Interface DMZ3 (yyy.yyy.yyy.yyy): Normal (Waiting)

manish arora · ‎04-11-2011

Try

asa(config)# no monitor-interface dmz2

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/m_72.html#wp1785557

Manish

Mike McWethy · ‎04-11-2011

I tried that command, no monitor-interface dmz2, and now it says:

Interface dmz2 (0.0.0.0): Link Down (Not-Monitored)

It is still showing up though. The other interfaces on the ASA that are in a shutdown state with no security level and no IP address do not show up. I think you are on the right track, but it still didn't remove that from the listing.

Mike

manish arora · ‎04-11-2011

Umm , I think you might have to reset the failover or reload the device for that , not sure and can't find any Documentation related to that.

Manish

Mike McWethy · ‎04-11-2011

Yeah, I was wondering about whether a reload was a requirement for this. I will attempt the reload during our maintenance window and see what that does. I found little documentation on this as well. That was why I posted the question to the community. Thanks.

Mike McWethy · ‎04-11-2011

Ok, so I figured this out. Possibly, in addition to the "no monitor-interface" command, if you remove the IP address and the nameif on the interface, it will remove failover monitoring on that interface. Just an FYI. I went into interface config mode on that interface and entered no nameif, and that removed it from the listing when "show failover" was entered. Thanks for the help.

Mike

manish arora · ‎04-11-2011

Mike,

I thought you said in your original post "I have removed the security level and the IP address and shutdown the interface." But good to know that you don't need reset for that.

Thanks

Manish

Mike McWethy · ‎04-11-2011

I did say that and I did do that. However, I hadn't removed the nameif on the interface as I figured the IP address removal would've taken care of it. It didn't. At least I have it figured out now. Again, thanks for your help