Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
0
Helpful
2
Replies

ASA Management Interface Independand IP

Go to solution
anthonykahwati
Level 1
Level 1

‎06-17-2013 12:41 AM - edited ‎03-11-2019 06:58 PM

Hi

I have a pair of ASA 5510's running as a failover pair 8.4.

Currently we have 3 prod interfaces and are also utilising the management interface as an out of band management interface.

AS I have joined the two using failover, the management interface on the second ASA has taken the IP address of the first. Is it possible to exclude this interface from HA so that we can manage, via IP, each device independantly? The main reason for this is that the two devices sit in different DC's so we have a different out of band network at each site.

Thanks


Anthony

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-17-2013 01:03 AM

Hi,

I dont personally atleast know of any way to achieve this since the devices share the single configuration and switch interface IP addressing depending which device is Active in the pair.

To my understanding every physical interface that is not configured to subinterfaces should be part of the Failover by default. I guess in your case, even though it doesnt accomplish what you are after, you should probably configure "no monitor-interface ", otherwise to my understanding it might affect the Failover state?

I dont know if there is really any way to make this work like you want. I think Cisco assumes that the Management interface is like any other Data interface in the Failover and it should have connectivity between the sites where the ASA pairs are located.

I guess it would be better if the Console port was used for this purpose and you had a separate device to which you could remote to access the Console of the device you wanted.

If you want to issue commands to the other ASA through the Failover link then that is possible

You can for example log into an ASA and execute commands through the Failover link

failover exec mate

Though again, I dont know if this will be of any help in your situation.

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎06-17-2013 01:03 AM

Hi,

I dont personally atleast know of any way to achieve this since the devices share the single configuration and switch interface IP addressing depending which device is Active in the pair.

To my understanding every physical interface that is not configured to subinterfaces should be part of the Failover by default. I guess in your case, even though it doesnt accomplish what you are after, you should probably configure "no monitor-interface ", otherwise to my understanding it might affect the Failover state?

I dont know if there is really any way to make this work like you want. I think Cisco assumes that the Management interface is like any other Data interface in the Failover and it should have connectivity between the sites where the ASA pairs are located.

I guess it would be better if the Console port was used for this purpose and you had a separate device to which you could remote to access the Console of the device you wanted.

If you want to issue commands to the other ASA through the Failover link then that is possible

You can for example log into an ASA and execute commands through the Failover link

failover exec mate

Though again, I dont know if this will be of any help in your situation.

- Jouni

0 Helpful

Go to solution
anthonykahwati
Level 1
Level 1
In response to Jouni Forss

‎06-18-2013 01:52 AM

Thanks for the very detailed response John. I appreciate your taking the time. We will have an interfnal facing interface on the device that will already be a x-site interface, so may just use that to get to it from ASDM and use the management interface for the failover interface.

Anthony

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card