02-14-2012 08:17 PM - edited 03-11-2019 03:29 PM
Hi All,
I am having issues with the ASA 5510 management interface.
I can't communicate with this interface. It is showing DOWN/DOWN even if I type NO SHUT several times.
My existing config is as follows
our-asa-01# sh run
: Saved
:
ASA Version 7.2(5)
!
hostname our-asa-01
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif pro
security-level 100
ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
duplex full
nameif management
security-level 0
ip address 10.10.99.11 255.255.255.0
management-only
!
boot system disk0:/asa725-k8.bin
no ftp mode passive
dns server-group DefaultDNS
domain-name tmi-our.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended deny ip any any
access-list management_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu production 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-525.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (pro) 1 0.0.0.0 0.0.0.0
no threat-detection statistics tcp-intercept
access-group outside_access_in in interface outside
access-group management_access_in in interface management
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route pro 172.16.0.0 255.255.255.0 10.10.10.1 1
route management 0.0.0.0 0.0.0.255 10.10.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 10.10.99.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.99.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 30
management-access management
tftp-server management 10.10.99.100 tftp://10.10.99.100/
username manager password w8DyJk5xISyQAabZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:953f4b1927ba125e6e585da372f0b0df
: end
our-asa-01# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.2 YES CONFIG up up
Ethernet0/1 unassigned YES unset administratively down up
Ethernet0/2 10.10.10.2 YES CONFIG up up
Ethernet0/3 unassigned YES unset administratively down up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 10.10.99.11 YES manual down down
our-asa-01# sh int m0/0
Interface Management0/0 "management", is down, line protocol is down
Hardware is i82557, BW 100 Mbps
Full-Duplex, Auto-Speed
MAC address c84c.75ea.2bc7, MTU 1500
IP address 10.10.99.11, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
our-asa-01# ping 10.10.99.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.99.11, timeout is 2 seconds:
???
Success rate is 0 percent (0/3)
our-asa-01# ping
Interface: management
Target IP address: 10.10.99.11
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.99.11, timeout is 2 seconds:
Error: management interface is shutdown
Success rate is 0 percent (0/1)
02-14-2012 11:23 PM
Hi Chamon,
Couple of things to check:
First, make sure the connectivity is correct and the cables are fine.
Second, if you want to pass normal traffic through the management interface, then you would need to go into the management interface and issue the command "no management-only".
Let me know how it goes.
Thanks,
Varun
02-15-2012 06:59 AM
Hi Varun,
Thanks for your reply.
The cable is connected properly. My goal is to use the Management interface for management purposes only.
I also tried to put the "no management-only" command to see the difference, but I did not find anything yet.
The interface is showing STATUS DOWN, which is similar to Administrative Down.
Management0/0 10.10.99.11 YES manual down down
We need to find a solution to make it active otherwise I don't think this will work again.
02-15-2012 09:59 AM
Chamon,
What is this interface connected to? Typically when you see a down down, then I would first look for Layer 1 connectivity first.... checking the physical connectivity.... like the vlan on the switch and the switchport is not shut down or in an errordisable state.
This is the first few steps I would take and then replace the cable.
Thanks,
Kimberly
05-31-2012 12:00 AM
Hi,
Check the cable, check that it's a straight-through and not a X-over if it's going to a switch.
Check the switch's port has been brought up and check that speed and duplex match on both the ASA and the Switch.
Cheers,
Rich
02-06-2013 12:38 PM
I had this problem today. Ended up being that the man0/0 interface was administratively shut down in the system context. So not only does it have to be enabled in the context that you allocate the interface to, but it needs to be enabled in the system context as well.
I was pulling out my hair!
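A triage script for the symptom in this thread, added here as an example and not posted by any participant: it cross-checks `show interface ip brief` rows against the `shutdown` lines in the running configuration, separating interfaces that are shut in the current configuration from ones that are down for another reason (cabling, switchport, or a shutdown in the system context). The function names and the abridged sample input are constructed for illustration.

```python
import re

# Constructed sample, abridged from the output quoted in the thread.
RUNNING_CONFIG = """\
interface Ethernet0/1
 shutdown
!
interface Management0/0
 nameif management
 management-only
!
"""
IP_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0/1 unassigned YES unset administratively down up
Ethernet0/2 10.10.10.2 YES CONFIG up up
Management0/0 10.10.99.11 YES manual down down
"""

def shutdown_in_config(config):
    """Map interface name -> True if its stanza contains 'shutdown'."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = False
        elif line.strip() == "!":
            current = None          # "!" closes the stanza
        elif current and line.strip() == "shutdown":
            result[current] = True
    return result

def triage(config, brief):
    """Classify each row of 'show interface ip brief' against the config."""
    shut = shutdown_in_config(config)
    report = {}
    for row in brief.splitlines()[1:]:  # skip the header row
        m = re.match(r"(\S+)\s+\S+\s+\S+\s+\S+\s+(.*?)\s+(up|down)$", row)
        if not m:
            continue
        name, status, proto = m.groups()
        if (status, proto) == ("up", "up"):
            report[name] = "ok"
        elif shut.get(name) or status == "administratively down":
            report[name] = "shutdown in this configuration"
        else:
            # Down with no 'shutdown' here: the causes raised in the thread.
            report[name] = "check layer 1 and the system context"
    return report
```
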