ASA5510 static routes for management interface not working

jkeeffe
Level 2

We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).

e0/0 = outside

e0/1 = inside

m0/0 = management

The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:

route outside 0.0.0.0 0.0.0.0 192.168.49.129 1
route management 10.72.0.0 255.255.0.0 10.72.232.94 10

This doesn't work, and ASDM logging gives this error:

".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"

If I put in a more granular subnet route, or a host route of the syslog server it works, such as:

route management 10.72.211.0 255.255.255.0 10.72.232.94 10   <------------- this works

route management 10.72.211.79 255.255.255.255 10.72.232.94 10   <------------- this works too

Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?

We are going to have numerous hosts access and be sent messages through the management interface of these ASAs, and it would be very burdensome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.

Here is the pertinent ASA config concerning syslog, routing, and interfaces:

interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxx.xxx.xxx.xxx 255.255.255.128 standby xxx.xxx.xxx.xxx
!
interface Management0/0
nameif management
security-level 100
ip address 10.72.232.89 255.255.255.248 standby 10.72.232.90
management-only

logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host management 10.72.211.79

router eigrp 1
no auto-summary
network 10.72.0.0 255.255.0.0
network xxx.xxx.0.0 255.255.0.0
passive-interface management

route outside 0.0.0.0 0.0.0.0 192.168.49.129 1
route management 10.72.0.0 255.255.0.0 10.72.232.94 10  <-------- this alone does not work
route management 10.72.211.79 255.255.255.255 10.72.232.94 10  <------- adding this host route works
http server enable
http 192.168.0.0 255.255.0.0 outside
http 10.72.0.0 255.255.0.0 management

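As an added example that is not from the original post or from Cisco, the script below replays the posted static routes through a plain longest-prefix lookup and parses the quoted "Routing failed to locate next hop" line. By ordinary routing-table rules the 10.72.0.0/16 route already covers 10.72.211.79 on the management interface, and the next hop 10.72.232.94 sits inside the management interface's /29, so a prefix-table lookup alone does not predict the failure; the script does not explain the ASA's behaviour, it only gives you a quick check of what a configured route should match before you start adding per-host routes. The route parser, the lookup and the log-line regex are this example's own, not an ASA API.

```python
"""Added example, not from the original post: longest-prefix-match replay of
the ASA static routes quoted in the thread, plus a parser for the ASDM
'Routing failed to locate next hop' message.  All function names here are
this example's own; the route lines and log line are copied from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Static routes exactly as posted (without the poster's '<---' annotations).
POSTED_ROUTES = [
    "route outside 0.0.0.0 0.0.0.0 192.168.49.129 1",
    "route management 10.72.0.0 255.255.0.0 10.72.232.94 10",
]
# Management0/0 address and mask from the posted config.
MGMT_INTERFACE = "10.72.232.89/255.255.255.248"
# ASDM message quoted in the post.
LOG_LINE = ("Routing failed to locate next hop for udp from "
            "NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514")

@dataclass(frozen=True)
class StaticRoute:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int

_ROUTE_RE = re.compile(
    r"^route\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})(?:\s+(\d+))?"
)
_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (\w+) from (.+?):(\d+(?:\.\d+){3})(?:/(\d+))?"
    r" to (\S+?):(\d+(?:\.\d+){3})(?:/(\d+))?"
)

def parse_route(line: str) -> StaticRoute:
    """Parse an ASA 'route <ifc> <net> <mask> <gateway> [metric]' line."""
    m = _ROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static route line: {line!r}")
    iface, net, mask, gw, metric = m.groups()
    # ipaddress accepts dotted-decimal masks in network notation.
    return StaticRoute(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                       ipaddress.IPv4Address(gw), int(metric) if metric else 1)

def covering_routes(routes: List[StaticRoute], dst: str) -> List[StaticRoute]:
    """Every route whose prefix contains dst, most specific first."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return sorted(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))

def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match; equal prefix lengths are broken by lowest metric."""
    hits = covering_routes(routes, dst)
    return hits[0] if hits else None

def next_hop_on_interface(route: StaticRoute, iface_cidr: str) -> bool:
    """True when the route's next hop is inside the egress interface's own subnet."""
    return route.next_hop in ipaddress.IPv4Interface(iface_cidr).network

def parse_routing_failure(line: str) -> Optional[dict]:
    """Extract protocol, ingress/egress interface names and addresses from the
    ASDM 'Routing failed to locate next hop' message."""
    m = _FAIL_RE.search(line)
    if not m:
        return None
    proto, src_ifc, src, sport, dst_ifc, dst, dport = m.groups()
    return {"proto": proto, "src_ifc": src_ifc, "src": src, "sport": sport,
            "dst_ifc": dst_ifc, "dst": dst, "dport": dport}

if __name__ == "__main__":
    routes = [parse_route(l) for l in POSTED_ROUTES]
    info = parse_routing_failure(LOG_LINE)
    best = lookup(routes, info["dst"])
    print(f"log says egress {info['dst_ifc']} for {info['dst']}")
    print(f"LPM picks: {best.prefix} via {best.next_hop} on {best.iface}")
    print(f"next hop on {MGMT_INTERFACE}: {next_hop_on_interface(best, MGMT_INTERFACE)}")
    with_host = routes + [parse_route(
        "route management 10.72.211.79 255.255.255.255 10.72.232.94 10")]
    print(f"with the /32 added, LPM picks: {lookup(with_host, info['dst']).prefix}")
```

Run it as-is to see the /16 selected for the syslog host; add the host route from the post and the /32 wins instead, which is the ordering any router would produce and is why the observed difference in behaviour cannot be read off the prefix table alone.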
3 Replies

andrew.prince
Level 10

That is by design - configuring a static route for a class B network is not management, that's routing.

If you want to use the interface as a normal interface but for management routes only then use "no management-only"

HTH

I changed the management interface to 'no management-only' and this did not fix the problem.

Thanks for pointing out that a static for a Class B wouldn't work, but why then would the static for the subnet work?

See my arrows <-------- in the first part of the message to see what I mean by a subnet static - the subnet for the host that's trying to ping the management interface.

I honestly have no idea why it would work with a specific /32 host route.  Perhaps a bug?
