I have configured a couple of ASA5510's as an active/standby pair and all is working well. I have a bunch of ASA's that I manage and as a practice, I don't usually configure or connect the management interfaces. I just connect to them via one of the data interfaces. However, while I was playing around with the failover pair in the lab I lost connectivity to the primary unit (don't ever let your unconfigured standby unit come up BEFORE you issue the failover command on the primary unit!). This made me think that I might want to configure management interfaces.
Ideally, the management interfaces would have "static" addresses. They would not be monitored interfaces and the management IP address would not change when failover occurs. In other words, if the secondary/standby has a management IP address of 126.96.36.199 it STILL has a management address of 188.8.131.52 when it becomes secondary/active.
I tried to make this work by assigning different IP addresses to the m0/0 interfaces on each ASA without the "standby" address parameter. Of course, I have to do this on the active unit before I do it on the standby unit. If I do it on the standby unit first, that address gets overwritten when the "ip address" command is replicated from the primary unit. So now I have the two units each with a different IP address on the management interface. In this configuration, I can access the active unit management interface but not the standby. A "show int m0/0" command on the standby tells me that the IP address is unassigned, but a "show run int m0/0" indicates that it is configured. Oh - and I have configured "no monitor-interface management".
So, I take it that it is not possible to do this? If not, I have to ask myself the same question I did before - why bother connecting the management interface?
The active and standby ip's need to be set on all interfaces including the management-only. Sorry!
You could always use the management interface for actual traffic if you need to or as your failover link.
The interface was created to provide an out-of-band type of management for the ASA. Maybe you have an isolated net just for management. Or you just don't want the extra traffic going over an interface that is carrying real traffic. It can also be another way to get in if anything were to happen to your inside interface or wherever you normally manage it from.
> help you start off your ASA configuration/ASDM easily and quickly...(DHCP etc. filter 'allow' by default etc.)
> Dedicate an interface for Out of Band (OOB) management. This depends on your security policy/compliance requirements.
However, the scenario you describe is not possible with failover. If you are not 'monitoring' an interface you can skip the secondary IP address on it (it will work fine without it), but you won't be able to connect to the secondary box using the mgmt. interface. The best practice is to configure both active and standby addresses, so that you can connect to both units (which is sometimes useful for troubleshooting).
You are never supposed to enter any configuration commands on the standby unit. And any changes you make to the active are automatically replicated to the standby, so it's not possible to assign two different IPs.
Whichever unit is active will take the first IP, and vice versa.
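The configuration the replies above describe, written out as an added example that is not part of the original thread or of any Cisco document. Interface names, addresses, the failover-link interface and its name are assumptions chosen for illustration; the points that matter are the standby keyword on the management interface, the no monitor-interface line, and the order in which the two units are brought up.

```cisco
! Added example, not from the thread. Addresses and interface names are assumed.
!
! --- Primary unit: enter everything here on the ACTIVE unit only. ---
! Failover replicates the interface config to the standby; nothing is typed
! on the standby after it has joined the pair.

interface Management0/0
 management-only
 nameif management
 security-level 100
 ! The "standby" keyword is what the original poster left out. Without it the
 ! standby unit keeps the line in "show run" but "show interface" reports the
 ! address as unassigned, so the standby cannot be reached on this interface.
 ! With it, the active unit always answers on .10 and the standby on .11; the
 ! addresses follow the role, so they swap when a failover occurs.
 ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11

! Leave management out of the health checks, so a cable pull or switch reboot
! on the management network cannot trigger a failover of the data path.
no monitor-interface management

! Failover itself. Per the original poster's lab lesson, have this in place on
! the primary BEFORE the unconfigured secondary unit is powered up.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover

! --- Secondary unit: only the failover bootstrap is typed here, before it
! joins. Everything else, including Management0/0, arrives by replication. ---
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover

! Checks once both units are up:
!   show failover                  - roles, and "management" listed as Not-Monitored
!   show interface Management0/0   - on the standby, now shows 192.0.2.11
```

If the goal is really a fixed per-box address that never moves, this does not give it: the management address is tied to the active or standby role, not to the chassis, which is exactly the limitation the replies point out. What it does give is a reachable address on each unit at all times, which is what is needed to troubleshoot the standby.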