Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
3
Replies

ASA 5520:Moving failover to management interface and creating EtherChannel for Inside with freed interface

Go to solution
kasper123
Level 4
Level 4

‎05-04-2015 03:53 AM - last edited on ‎03-25-2019 05:55 PM by Community Manager

Hi,

We have two ASA 5520 running in Active/Standby mode and we are using one of the gigabit interfaces for failover.

We are now planning to use the management interface for failover and then use the freed gigabit interface to create an etherchannel for the inside network.

Our current failover configuration looks like this:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/0
failover key ********
failover interface ip failover 192.168.200.1 255.255.255.0 standby 192.168.200.2

 

Regarding the first part: Is there some procedure for moving the failover interface to another interface? Should we manually reconfigure both ASA's to use the management interface and then connect them?

And once that is done is it possible to create an etherchannel and keep the configuration already configured on the interface like it is now? The idea is to add the second interface to the INSIDE network.

Regards.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-04-2015 06:59 AM

Hi,

To start with , it is not recommended to use Management interfaces for Fail-over.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_overview.html#pgfId-1077627

Now , as this is the Failover interface , you would have to disable the Failover , reconfigure the configuration separately both the units and re-enable the failover again.

Once , this interface is freed from the failover configuration , I would recommend not to do a nameif on the ASA device as that would remove the configuration from the ASA device related to the Interface name.

Like NAT and ACL.

So , make the changes offline and just copy the configuration on the ASA device.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to kasper123

‎05-04-2015 11:16 PM

Hi,

I think these should be the sequence of events that you should follow:-

1) Re-configure the Failover after changing the interface to management interface.

2) After you have the failover up and running , there is no easy way of creating a port channel from the physical interface without removing the existing interface configuration.

What i was pointing at was that if you remove the interface on the ASA device all the related configuration will get removed and you would have a hard time replacing everything back.

Instead do this offline , and replace the interface with port channel and once you are done , rest of the configuration being attached to the name of the interface would not need any changes and you just copy the configuration on the ASA running configuration and that should be all what is required.

You would need some downtime for this activity.

Thanks and Regards,

Vibhor Amrodia

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee

‎05-04-2015 06:59 AM

Hi,

To start with , it is not recommended to use Management interfaces for Fail-over.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_overview.html#pgfId-1077627

Now , as this is the Failover interface , you would have to disable the Failover , reconfigure the configuration separately both the units and re-enable the failover again.

Once , this interface is freed from the failover configuration , I would recommend not to do a nameif on the ASA device as that would remove the configuration from the ASA device related to the Interface name.

Like NAT and ACL.

So , make the changes offline and just copy the configuration on the ASA device.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Go to solution
kasper123
Level 4
Level 4
In response to Vibhor Amrodia

‎05-04-2015 12:29 PM

Hi Vibhor,

Thank you for taking the time to respond.

As I wrote the idea is to add the freed interface to an existing interface and create an etherchannel.

Will the configuration of the existing interface (Inside) stay the same when the etherchannel is created or does it have to be configured from scratch?

Also should this (creation of etherchannel) be done before enabling failover? 

Regards.

0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to kasper123

‎05-04-2015 11:16 PM

Hi,

I think these should be the sequence of events that you should follow:-

1) Re-configure the Failover after changing the interface to management interface.

2) After you have the failover up and running , there is no easy way of creating a port channel from the physical interface without removing the existing interface configuration.

What i was pointing at was that if you remove the interface on the ASA device all the related configuration will get removed and you would have a hard time replacing everything back.

Instead do this offline , and replace the interface with port channel and once you are done , rest of the configuration being attached to the name of the interface would not need any changes and you just copy the configuration on the ASA running configuration and that should be all what is required.

You would need some downtime for this activity.

Thanks and Regards,

Vibhor Amrodia

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card