04-26-2016 07:43 AM - edited 03-12-2019 12:40 AM
Hi,
I'm configuring 2x ASA for active/standby and just want to confirm the 'monitor-interface' command.
We have contexts with an 'outside' (with a different public IP) and an 'inside' with a different allocated sub-interface.
I was thinking of configuring these lines for each context just to be sure:
monitor-interface inside
monitor-interface outside
My question: since we're creating a sub-interface (different VLAN) for the 'inside' interface for each context, do we always have to configure 'monitor-interface inside' for each new context?
Is the 'outside' interface enabled by default for the 'monitor-interface' command, since the allocated outside interface is always the main interface g0/0?
ASA01/pri/act(config-pmap)# monitor-interface ?
configure mode commands/options:
service-module Enable service-card monitoring
Current available interface(s):
inside Name of interface GigabitEthernet0/1.400 <<< THIS IS FOR CONTEXT A; WHAT IF CONTEXT B HAS G0/1.401 FOR 'inside'?
outside Name of interface GigabitEthernet0/0
Lastly, is it good practice to enable the 'failover replication http' command? Will it cause heavy traffic on the failover links?
04-26-2016 12:57 PM
Hi
I don't understand what you mean by:
is 'outside' interface enabled by default for the 'monitor-interface' command since the allocated outside interface is always the main interface g0/0?
By default only the failover interface is monitored if I remember correctly.
The monitor-interface is done inside each context, so if you have interface "outside" on three different contexts, you have to enable monitor-interface on all three contexts for interface "outside".
Whether it's good practice or not depends on your need at your company/customer. Is it critical that not even the http session has to reestablish? Well then HTTP replication is necessary. For most companies it is not necessary.
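The per-context check described in the reply above, as an added example that is not part of the original thread: it lists named interfaces in each context that have no explicit `monitor-interface` line. It looks at explicit lines only and does not model platform defaults; the context names `ctxA`/`ctxB` and the config excerpts are constructed.

```python
# Constructed per-context running-config excerpts (not taken from the thread's devices).
CONTEXT_CONFIGS = {
    "ctxA": """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1.400
 nameif inside
 security-level 100
monitor-interface inside
monitor-interface outside
""",
    "ctxB": """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1.401
 nameif inside
 security-level 100
monitor-interface outside
""",
}

def named_interfaces(config):
    """Map each nameif to the hardware (sub)interface it is configured on."""
    hw, names = None, {}
    for line in config.splitlines():
        if line.startswith("interface "):
            hw = line.split()[1]
        elif line.strip().startswith("nameif ") and hw:
            names[line.split()[1]] = hw
    return names

def unmonitored(config):
    """Named interfaces with no explicit 'monitor-interface <name>' line."""
    monitored = {
        line.split()[1]
        for line in config.splitlines()
        # 'no monitor-interface X' starts with 'no', so it is not counted here.
        if line.startswith("monitor-interface ") and len(line.split()) == 2
    }
    return {n: hw for n, hw in named_interfaces(config).items() if n not in monitored}

def audit(contexts):
    """Per-context report: {context: {nameif: hardware}} for missing monitor lines."""
    return {ctx: unmonitored(cfg) for ctx, cfg in contexts.items()}

if __name__ == "__main__":
    for ctx, missing in audit(CONTEXT_CONFIGS).items():
        print(ctx, missing or "all named interfaces explicitly monitored")
```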
04-26-2016 11:21 PM
Hi,
I saw this link and it mentioned the said command.
By default, monitoring is enabled on all physical interfaces, or for the ASA 5505 and ASASM, all VLAN interfaces. You might want to exclude interfaces attached to less critical networks from affecting your failover policy.
Do you 'hardcode' these commands in your environment? Same goes for the HTTP replication: do you configure this in your ASA?
04-30-2016 12:38 AM
Normally I only use subinterfaces because it scales a lot better, and yes, I will configure HTTP replication; it doesn't impact the bandwidth that much.