Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1551
Views
50
Helpful
5
Replies

ASA Interface Monitoring with Port-Channel

Go to solution
dm2020
Level 1
Level 1

‎05-31-2022 03:17 AM

Hi All,

 

We have a Cisco ASA that is connected to the network using a singe port-channel interface. We then use sub-interfaces for each ASA logical interface such as inside, outside and DMZ. When it comes to monitoring the logical interfaces for failover, as they are all associated to the same physical port-channel interface, does it make a difference if only one logical interface was set to monitor (such as monitor-interface inside) or if all logical interfaces are monitored?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jitendra Kumar
Spotlight
Spotlight
In response to dm2020

‎05-31-2022 04:21 AM

Yes, you can monitor the sub-interface this work as per the logic.

 

Thanks,

Jitendra

Thanks,
Jitendra

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-31-2022 03:25 AM

You are correct they are Logical sub interfaces using same Physical ports- 

some time it may have some reason other side go down, so monitoring sub-interface is valid here - if you looking Failover.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Jitendra Kumar
Spotlight
Spotlight

‎05-31-2022 03:52 AM

I would suggest please read the below article your query surely will resolve.. hope you will found helpfull.

 

https://community.cisco.com/t5/security-documents/asa-interface-monitoring-in-failover-and-its-impact/ta-p/3144324

 

Thanks,

Jitendra

Thanks,
Jitendra

Go to solution
dm2020
Level 1
Level 1
In response to Jitendra Kumar

‎05-31-2022 04:14 AM

Thanks for this. So if I read this correctly either the physical interface needs to be monitored or one of the sub-interfaces that uses this physical interface.

 

In my scenario I am using multi-context mode with only the port-channel sub-interfaces presented to the context. Based on the above, I should only need to monitor one sub-interface such as inside (Port-Channel1.100 - monitor-interface inside) for failover to work in the event that the port-channel interface goes down?

0 Helpful

Go to solution
Jitendra Kumar
Spotlight
Spotlight
In response to dm2020

‎05-31-2022 04:21 AM

Yes, you can monitor the sub-interface this work as per the logic.

 

Thanks,

Jitendra

Thanks,
Jitendra

Go to solution
MHM Cisco World
VIP
VIP

‎05-31-2022 11:50 AM

Yes, you can use one monitor like inside BUT what if the Queue of INSIDE sub interface in SW connect two ASA drop message because congestion??
so it better to make three logical sub interface monitor for failover. 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card