Solved: Configure mgt 0/0 for OOB mgt

Eric R. Jones · ‎05-14-2019

Hello, we have 2 ASA 5585X runnin asa 9.10(1)7and ASDM 7.10(1).
We currently have the Gig0/1 interfaces on both devices with separate IP's in the same subnet for mgt purposes.
We have created an IP on the mgt0/0 port on the primary ASA for OOB management and would like to do the same on the secondary ASA's mgt 0/0 port using an IP in the same subnet as mgt0/0 on Primary ASA.
Right now when we attempt to use the ASDM to configure mgt 0/0 with the IP we get errors.
It won't allow us to do this.
Must we use a gig port configured to be a routable port or can this be achieved using the dedicated mgt ports?
I did some googling but haven't found anything definitive.
The ASA Admin guide didn't address this.

venkat_n7 · ‎05-15-2019

Hi,

i prefer CLI.

To my knowledge standby interface configuration is as below:

int m0/0

ip add 1.1.1.1 255.255.255.0 standby 1.1.1.2

no shut

This is how standby/failover interface ip address is configured.

Hope this helps.

Please rate comments and support
with regards,
Venkat

View solution in original post

Marius Gunnerud · ‎05-15-2019

What is the error message you get when trying to add a standby IP to the Mgmt 0/0 interface using the ASDM?

Have you tried adding the standby IP using the CLI?

--
Please remember to select a correct answer and rate helpful posts

Eric R. Jones · ‎05-15-2019

My co-worker isn't here to recreate the issue and I don't have the documentation he created.

Basically the primary has management 0/0 with IP/mask.

My thought is to create the management 0/1 with the other IP/Mask on the primary unit so it replicates to the standby.

This could result in an error of IP overlap, I haven't tried it yet.

Since these ports aren't passing data/traffic only management I don't see any confusion on connecting.

When I view the standby units management 0/0 port from the CLI I see the same IP anyway.

No doubt this is due to primary updating the secondary since you shouldn't/can't introduce changes on the secondary's configuration directly without getting a warning that you will put them out of sync.

This may be the error he got when he tried adding the IP to the standby units mgt 0/0 interface.

ej

venkat_n7 · ‎05-15-2019

Hi,

i prefer CLI.

To my knowledge standby interface configuration is as below:

int m0/0

ip add 1.1.1.1 255.255.255.0 standby 1.1.1.2

no shut

This is how standby/failover interface ip address is configured.

Hope this helps.

Please rate comments and support
with regards,
Venkat

Eric R. Jones · ‎05-16-2019

We looked it up and we shall deploy this change in our next window.

Ran out of time this go round.

ej

Marius Gunnerud · ‎05-16-2019

If you are looking for a mgmt IP on the secondary ASA for monitoring then this should be using the standby keyword under the ip address command. The IP you configure first..for example ip address 10.1.1.1 255.255.255.0 will always be assigned to the primary ASA even though it is replicated to the standby device. So you need to use the standby keyword.

--
Please remember to select a correct answer and rate helpful posts

venkat_n7 · ‎05-15-2019

Please rate comments and support
with regards,
Venkat