ASA Failover: Maintain management IPs

showlette · ‎05-14-2012

Hi all,

I'm trying to work out if it's possible on ASAs to have the devices failover, but have the management IP not failover. So as an example: -

PRE FAILOVER

Interface	ASA 1	ASA2
Inside	192.168.1.1/24	192.168.1.2/24
Outside	192.168.2.1/24	192.168.2.2/24
Management0/0	10.1.1.1/24	10.2.1.1/24

POST FAILOVER

Interface	ASA 1	ASA 2
Inside	192.168.1.2/24	192.168.1.1/24
Outside	192.168.2.2/24	192.168.2.1/24
Management0/0	10.1.1.1/24	10.2.1.1/24

Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.

Thanks!

varrao · ‎05-14-2012

Hi Staurt,

That's not possible, because whatever IP you give it to your management interface, it would be overwriiten with the one that you have on Primary firewalls when the replication happens. So the setup that you are looking for might not be possible.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

showlette · ‎05-14-2012

I had expected this to be the case unfortunately. Seems like a bit of an oversight really, as management access that you can't have unless a device is in a certain mode, and may change, isn't much like management access to me.

varrao · ‎05-14-2012

No you can access the management interface of the standby firewall, even if it is in standby state. I am sorry but Ia m not really sure about your requirement and would suggest if you can let me know.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao

showlette · ‎05-14-2012

We would like the ASAs to be monitored and reachable separately. If the management IP switches over, that negates monitoring of the IP.

Ideally we would like the firewall management IPs to be in completely different subnets, which looks impossible with the way they currently work. An example is exactly like my first post.