ASA, management interface and failover.

andrea.meconi
Level 2

Hello at all.

I'm using ASA 5550 with software version 7.2(4).

I'm looking for information about the management-only interface and failover.

Any info is appreciated.

Thanks.

Regards.

Andrea


12 Replies

Jouni Forss
VIP Alumni

Hi,

I am not quite sure what you are after. Do you mean can the Management0/0 interface be used as a Failover link or perhaps something else related to the Management interface and Failover?

On the original ASA5500 Series (5510, 5520, 5540 and so on) you can use the Management0/0 interface as a Failover link. In the new ASA5500-X Series this is not possible to my understanding.

The configuration can be for example (just posted this in another thread):

failover
failover lan unit primary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2

Secondary

failover
failover lan unit secondary
failover lan interface failover Management0/0
failover key
failover replication http
failover link failover Management0/0
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2

- Jouni

Hello Jouni and many thanks for your help.

My question is related to the management interface and failover.

I need to understand how this interface changes state when failover occurs. Can I configure this interface so that its IP does not change on failover?

Regards.

Andrea

jebose
Level 1

Hi Andrea,

We can use the management interface for setting up failover, i.e. the Management interface can be used as the failover interface.

Here is a sample config that might help you out.

############################

interface management 0/0
no ip address
no management-only
no shut

for primary asa
---
failover lan unit primary
failover lan interface flink management 0/0
failover interface ip flink 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover link flink management 0/0      // for stateful failover
failover interface ip flink 20.0.0.1 standby 20.0.0.2
failover

***********

for secondary
--
failover lan unit secondary
failover lan interface flink management 0/0
failover interface ip flink 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover link flink management 0/0
failover interface ip flink 20.0.0.1 standby 20.0.0.2
failover

------------
###########################

Please refer to the following link, which explains the same.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

NOTE- extract from the above link.

Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other. The interface for failover must be at least of the same capacity as the interfaces that pass regular traffic.

Please feel free to reach me if you have any questions.

Regards,

Jesu Kumar Bose

Engineer-Customer Support(SECURITY)

Cisco Systems Inc.

E-Mail  :  jebose@cisco.com

Phone : +1 (408) 895 7588

Hello Jesu and many many thanks for your help.

My question is related to the management interface and failover.

I need to understand how this interface changes state when failover occurs. Can I configure this interface so that its IP does not change on failover?

Regards.

Andrea

Hi,

The Management interface is, to my understanding, like any other data interface that is part of the failover.

Meaning that the primary IP address is always on the active unit. So it can be on different hardware if failover has occurred.

To my understanding it's not possible to have the Management interfaces stay static on a certain piece of hardware even when failover happens.

- Jouni

Hi Andrea,

If the requirement still says that you need an interface whose IP address should not change, then simply go ahead and disable the monitoring for the concerned interface.

Here is the link that explains the command.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1097144

The ASA will never monitor a non-monitored interface. Also, a subinterface is not monitored by default.

## Interface change Procedure during an event of failover ##

Primary (active)  secondary (standby) -- event-> failover

The secondary becomes active and takes over the active IP, and the primary, now standby, takes over the standby IP address.

Note: the secondary unit takes the MAC address of the primary unit to begin passing traffic.

Vice versa, the primary unit retains its burned-in MAC if failover occurs. This ensures a smooth transition in the event of a failover.

Regards,

Jesu Kumar Bose

So, if I understand well, I can configure the IP address on my ASA as

Primary

!
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!

Secondary

!
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!

and simply set

no monitor-interface management 0/0

When failover occurs, can I reach the primary on 10.0.0.1 and the secondary on 10.0.0.2?

Thanks.

Regards.

Andrea

I would also like some clarification to this.

My understanding is that "no monitor-interface" only tells the ASA whether or not it should care about the state of this link when deciding whether to fail over or not.

Since the failover pair shares a single configuration, it should also, to my understanding, mean that even if you configure the units with different IP addresses, as soon as the next failover happens the other unit's configuration would overwrite the interface configuration for Management0/0? Or?

- Jouni

Jouni, I'm going to test this configuration....

Regards.

Andrea

Hi Andrea/Jouni,

I agree with Jouni on this. We cannot have the two interfaces configured with two different IP addresses on primary and secondary.

The active unit will overwrite the standby unit with the same IP address.

Regards,

Jesu Kumar Bose

Hello Jouni/Jesu.

Right! I cannot have two different IP address on primary and secondary. I need to use the standby keyword.

Many many thanks.

Regards,

Andrea

I tested on  ASA5585-SSP-10, the IP addr of Management0/0 will stay static after failover. Just don't append the keyword standby.
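The following is an added example, not code from the thread or from Cisco: a small Python model of how an ASA active/standby pair hands out interface addresses, encoding the behaviour the replies above describe. It assumes (as the replies state) that the configuration is shared, so one `ip address A standby B` per interface applies to both units, that the active unit always answers at A with the primary unit's burned-in MAC and the standby unit at B with the secondary's, that `no monitor-interface` only removes a link from the health decision without pinning an address to a chassis, and that an interface configured without `standby` has one address which the standby unit does not hold. The interface names, IP addresses and MAC addresses are constructed sample values.

```python
"""Model of ASA active/standby failover address ownership (added example,
not from the thread or Cisco; all addresses are constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Interface:
    name: str                         # nameif, e.g. "mgmt"
    active_ip: str                    # address that follows the active role
    standby_ip: Optional[str] = None  # None: 'standby' keyword omitted
    monitored: bool = True            # cleared by 'no monitor-interface <nameif>'


@dataclass
class Unit:
    hardware: str       # "primary" or "secondary" chassis
    burned_in_mac: str  # constructed sample MAC
    role: str           # "active" or "standby"; changes on failover


class FailoverPair:
    """Two chassis sharing one interface configuration."""

    def __init__(self, interfaces):
        # One config table for both units: addresses are never per chassis,
        # which is why two different 'ip address' lines cannot coexist.
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.primary = Unit("primary", "0011.2233.4455", "active")
        self.secondary = Unit("secondary", "0011.2233.6677", "standby")

    def unit(self, hardware: str) -> Unit:
        return self.primary if hardware == "primary" else self.secondary

    def active_hardware(self) -> str:
        return "primary" if self.primary.role == "active" else "secondary"

    def swap_roles(self) -> None:
        for u in (self.primary, self.secondary):
            u.role = "standby" if u.role == "active" else "active"

    def interface_failed(self, ifname: str) -> bool:
        """Report a link failure on the active unit. Roles swap only when the
        interface is monitored; returns True if a failover happened."""
        if not self.interfaces[ifname].monitored:
            return False  # 'no monitor-interface': link state is ignored
        self.swap_roles()
        return True

    def address_of(self, hardware: str, ifname: str) -> Optional[str]:
        """IP at which chassis `hardware` answers on `ifname` right now."""
        iface = self.interfaces[ifname]
        if self.unit(hardware).role == "active":
            return iface.active_ip
        return iface.standby_ip  # None when no standby address is configured

    def mac_of(self, hardware: str) -> str:
        """The active role carries the primary's burned-in MAC, the standby
        role the secondary's, whichever chassis currently holds the role."""
        if self.unit(hardware).role == "active":
            return self.primary.burned_in_mac
        return self.secondary.burned_in_mac


def walk_through() -> dict:
    """Andrea's scenario: mgmt with a standby address and monitoring turned
    off, inside monitored, dmz configured without a standby address."""
    pair = FailoverPair([
        Interface("mgmt", "10.0.0.1", "10.0.0.2", monitored=False),
        Interface("inside", "192.168.1.1", "192.168.1.2"),
        Interface("dmz", "172.16.0.1"),
    ])
    units = ("primary", "secondary")
    before = {hw: pair.address_of(hw, "mgmt") for hw in units}
    mgmt_triggers = pair.interface_failed("mgmt")      # ignored: not monitored
    inside_triggers = pair.interface_failed("inside")  # swaps roles
    after = {hw: pair.address_of(hw, "mgmt") for hw in units}
    return {
        "mgmt_before": before,
        "mgmt_failure_triggers_failover": mgmt_triggers,
        "inside_failure_triggers_failover": inside_triggers,
        "active_after": pair.active_hardware(),
        "mgmt_after": after,
        "dmz_on_primary_after": pair.address_of("primary", "dmz"),
        "mac_on_secondary_after": pair.mac_of("secondary"),
        "primary_mac": pair.primary.burned_in_mac,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the walk-through shows the point of the thread: turning monitoring off for mgmt does not keep 10.0.0.1 on the primary chassis; after a failover triggered by another interface the secondary answers at 10.0.0.1 with the primary's MAC, and the primary is reached at the standby address. It also shows the `dmz` case without a `standby` keyword, where the standby chassis holds no address on that interface at all.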
