04-03-2017 03:00 PM - edited 03-12-2019 02:10 AM
I am trying to configure an IP address on my Management0/0 interface that is within the range of a sub-interface of my data plane. When I try to apply the IP address configuration, I get the following error:
ASA/pri/act(config-if)# ip address 10.0.5.7 255.255.255.0 standby 10.0$
ERROR: Address is in use by routing instance of different network type
I'm running ASA version 9.7.1, and according to the Operations CLI Guide (page 617):
As a standard security practice, it is often necessary to segregate and isolate Management traffic from data traffic. To achieve this isolation, the ASA uses a separate routing table for Management-only traffic vs. data traffic.
The Management routing table supports dynamic routing separate from the data interface routing table. A given dynamic routing process must run on either the management-only interface or the data interface; you cannot mix both types. When upgrading from an earlier release without the separate Management routing table, if you have a mix of data and management interfaces using the same dynamic routing process, management interfaces will be dropped.
This leads me to believe that the Management interfaces should be VRF-aware, much like on the ASRs, where you can have two overlapping IPs on two distinct interfaces, because they are in different routing instances. But so far I've not been able to get it to work. I tried adding a static route to the ASA for the management interface (thinking that it would be a different type of routing process), but that threw an error as well:
WDC-ASA-501/pri/act(config)# route management 10.0.5.0 255.255.255.0 10.0.5.1
ERROR: Invalid next hop address 10.0.5.1, it matches our IP address
The network devices VLAN's gateway is on the ASA, which trunks it (and all others) down to our core Nexus switching fabric. The VLAN is trunked from there down to a dedicated management Catalyst switch, where an access port is hooked up to the Management interface.
Below are the relevant configs from the ASA:
!
interface Management0/0
management-only
nameif management
security-level 0
no ip address
!
interface Port-channel5.1013
description port channel subinterface for VLAN 1013 - network_device_vlan
vlan 1013
nameif prod_network_device
security-level 100
ip address 10.0.5.1 255.255.255.0 standby 10.0.5.2
!
router ospf 1
router-id 10.0.5.133
network 10.0.0.0 255.255.0.0 area 0
network 10.1.0.0 255.255.0.0 area 0
log-adj-changes
!
Any help with this would be appreciated. Thanks
Craine
04-04-2017 09:13 AM
Are you running a dynamic routing protocol (i.e., EIGRP, OSPF or BGP) on the device?
04-04-2017 09:16 AM
Yes, we are running OSPF between the ASAs and our Nexus core.
04-04-2017 09:24 AM
The documentation is a bit unclear on this point but I suspect that's the root of the problem.
The new management routing table (RIB and FIB) is not a true separate VRF (like an ASR) or even VRF-lite (like a Catalyst switch) but rather a very minimal implementation. I don't think they put the logic into it to distinguish the static/connected route for your management interface from the dynamic routing process you are running.
I'd recommend opening a TAC case to verify. They may have an internal article documenting this caveat.
04-04-2017 09:25 AM
Thanks, I'll do that.
05-28-2019 10:14 AM
Was/Is there a solution to this problem?
06-02-2022 07:08 AM - edited 06-02-2022 07:16 AM
This is an old problem I recently encountered. The way I solved it was to reconfigure my routing protocol with very specific network statements for all the interfaces (with masks of 255.255.255.255), then remove the general network statement. After that, I was able to configure the IP address of the management interface without issue.
Originally, my routing protocol was configured like:
router eigrp 1
network 10.0.0.0 255.0.0.0
I replaced this with:
router eigrp 1
network 10.20.0.10 255.255.255.255
network 10.20.16.10 255.255.255.255
...
no network 10.0.0.0 255.0.0.0
This will keep your neighborships up and not cause an outage if you're careful to add all your interfaces to the network statements.
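The workaround in the reply above, as an added example that is not part of any post in this thread: an offline Python check that reads a saved running configuration, finds the routing `network` statements that cover the address intended for the management interface, and prints host-mask replacements for every data interface those statements matched. It assumes the text is indented the way `show running-config` prints it; the sample configuration is constructed, and the script only prepares the change, it does not confirm that the ASA will then accept the address.

```python
import ipaddress
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE = """\
interface Management0/0
 management-only
 no ip address
!
interface Port-channel5.1013
 ip address 10.0.5.1 255.255.255.0 standby 10.0.5.2
!
router ospf 1
 network 10.0.0.0 255.255.0.0 area 0
 network 10.1.0.0 255.255.0.0 area 0
"""

def parse(config):
    """Return (data_ips, nets): primary IPs of non-management interfaces and
    (router line, IPv4Network, trailing text) for each network statement."""
    ifaces, nets, block = {}, [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):            # unindented line opens a new block
            block = line
            if block.startswith("interface "):
                ifaces[block] = {"ip": None, "mgmt": False}
        elif block.startswith("interface "):
            if line == "management-only":
                ifaces[block]["mgmt"] = True
            elif m := re.match(r"ip address (\S+) (\S+)", line):
                ifaces[block]["ip"] = ipaddress.ip_address(m[1])
        elif block.startswith("router ") and (m := re.match(r"network (\S+) (\S+)(.*)", line)):
            nets.append((block, ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return [i["ip"] for i in ifaces.values() if i["ip"] and not i["mgmt"]], nets

def plan(config, mgmt_ip):
    """Commands replacing every network statement that covers mgmt_ip with
    host (255.255.255.255) statements for the data interfaces it matched."""
    mgmt, (data_ips, nets), cmds = ipaddress.ip_address(mgmt_ip), parse(config), []
    for router, net, tail in nets:
        if mgmt in net:
            cmds.append(router)
            cmds += [f" network {ip} 255.255.255.255{tail}" for ip in data_ips if ip in net]
            cmds.append(f" no network {net.network_address} {net.netmask}{tail}")
    return cmds

if __name__ == "__main__":
    print("\n".join(plan(SAMPLE, "10.0.5.7")))
```

The host statements are emitted before the `no network` line, matching the order used in the reply, so each interface is already matched by a specific statement when the general one is removed.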