ASA failover & "static" management address

jedavis
Level 4

I have configured a couple of ASA5510s as an active/standby pair and all is working well. I have a bunch of ASAs that I manage and, as a practice, I don't usually configure or connect the management interfaces. I just connect to them via one of the data interfaces. However, while I was playing around with the failover pair in the lab I lost connectivity to the primary unit (don't ever let your unconfigured standby unit come up BEFORE you issue the failover command on the primary unit!). This made me think that I might want to configure management interfaces.

Ideally, the management interfaces would have "static" addresses. They would not be monitored interfaces and the management IP address would not change when failover occurs. In other words, if the secondary/standby has a management IP address of 1.1.1.1 it STILL has a management address of 1.1.1.1 when it becomes secondary/active.

I tried to make this work by assigning different IP addresses to the m0/0 interfaces on each ASA without the "standby" address parameter. Of course, I have to do this on the active unit before I do it on the standby unit. If I do it on the standby unit first, that address gets overwritten when the "ip address" command is replicated from the primary unit. So now I have the two units each with a different IP address on the management interface. In this configuration, I can access the active unit's management interface but not the standby's. A "show int m0/0" command on the standby tells me that the IP address is unassigned, but a "show run int m0/0" indicates that it is configured. Oh - and I have configured "no monitor-interface management".

So, I take it that it is not possible to do this? If not, I have to ask myself the same question I did before - why bother connecting the management interface?

TIA - Jeff

3 Replies

cpembleton
Level 4

The active and standby IPs need to be set on all interfaces, including the management-only one. Sorry!

You could always use the management interface for actual traffic if you need to or as your failover link.

The interface was created to provide an out-of-band type of management for the ASA. Maybe you have an isolated net just for management. Or you just don't want the extra traffic going over an interface that is carrying real traffic. It can also be another way to access the box if anything were to happen to your inside interface or wherever you normally manage it from.

HTH

Chad

Farrukh Haroon
VIP Alumni

The management interface is provided to:

> Help you start off your ASA configuration/ASDM easily and quickly (DHCP etc., filter 'allow' by default, etc.)

> Dedicate an interface for Out of Band (OOB) management. This depends on your security policy/compliance requirements.

However, the scenario you describe is not possible with failover. If you are not 'monitoring' an interface you can skip the standby IP address on it (it will work fine without it); however, you won't be able to connect to the secondary box using the mgmt. interface. The best practice is to configure both active and standby addresses, so that you can connect to both units (which is sometimes good for troubleshooting).

You are never supposed to enter any configuration commands on the standby unit. And any changes you make to the active are automatically replicated to the standby, so it's not possible to assign two different IPs.

Whichever unit is active will take the first (active) IP, and the standby unit will take the standby IP, and vice versa after a failover.

Please rate if helpful.

Regards

Farrukh
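As an added example (not from any poster in this thread), here is the configuration Farrukh describes: both an active and a standby address on the management interface, with the interface excluded from failover health monitoring. The addresses, interface names and subnet are assumed for illustration and are not taken from the thread.

```text
! Added example; addresses and names are assumed, not from the thread.
! Enter this on the ACTIVE unit only; failover replicates it to the standby.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Keep a management link failure from triggering a failover
no monitor-interface management
!
! Allow SSH/ASDM from the management subnet. Whichever unit is currently
! ACTIVE answers on 192.0.2.1 and the current STANDBY answers on 192.0.2.2,
! so the addresses follow the role, not the chassis.
ssh 192.0.2.0 255.255.255.0 management
http server enable
http 192.0.2.0 255.255.255.0 management
```

After a `failover active` (or `no failover active`) on the primary, `show failover` on either unit and `show interface Management0/0` on each unit confirm that the two addresses have swapped roles; the point of the thread is that you cannot pin 192.0.2.2 to a particular chassis this way, only to whichever unit is standby.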

Gang Ma
Level 1

Years have passed. I tested it on an ASA5585-SSP-10 with 9.8(4)12. I configured one IP on the primary's Management0/0, did a write mem, then another IP on the secondary's M0/0 and did a write mem.

There is a warning, but the IP is still accepted by the secondary node:

WARNING: Failover is enabled but standby IP address is not configured for this interface.

After several manual failovers, the two different IPs are still static on their respective nodes.
