ASA Failover: Maintain management IPs

showlette
Level 1

Hi all,

I'm trying to work out if it's possible on ASAs to have the devices fail over, but have the management IP not fail over. So as an example:

PRE FAILOVER

| Interface | ASA 1 | ASA 2 |
|---|---|---|
| Inside | 192.168.1.1/24 | 192.168.1.2/24 |
| Outside | 192.168.2.1/24 | 192.168.2.2/24 |
| Management0/0 | 10.1.1.1/24 | 10.2.1.1/24 |

POST FAILOVER

| Interface | ASA 1 | ASA 2 |
|---|---|---|
| Inside | 192.168.1.2/24 | 192.168.1.1/24 |
| Outside | 192.168.2.2/24 | 192.168.2.1/24 |
| Management0/0 | 10.1.1.1/24 | 10.2.1.1/24 |

Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.

Thanks!

4 Replies

varrao
Level 10

Hi Stuart,

That's not possible, because whatever IP you give to your management interface, it would be overwritten with the one that you have on the Primary firewalls when the replication happens. So the setup that you are looking for might not be possible.

Thanks,
Varun Rao
Security Team,
Cisco TAC


I had expected this to be the case unfortunately. Seems like a bit of an oversight really, as management access that you can't have unless a device is in a certain mode, and may change, isn't much like management access to me.

No, you can access the management interface of the standby firewall, even if it is in standby state. I am sorry, but I am not really sure about your requirement and would suggest that you let me know.

Thanks,
Varun Rao
Security Team,
Cisco TAC


We would like the ASAs to be monitored and reachable separately. If the management IP switches over, that negates monitoring of the IP.

Ideally we would like the firewall management IPs to be in completely different subnets, which looks impossible with the way they currently work. An example is exactly like my first post.
