Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2219
Views
0
Helpful
5
Replies

How to fix mgmt interface ip in ASA failover from switching

kalyanChakravarthy
Level 1
Level 1

‎09-03-2018 03:22 AM - edited ‎02-21-2020 08:11 AM

Hello,

 

In ASA failover all interfaces whether they are monitored or not (using no monitor-interface)

will switch their ip addresses when  failover occurs or via 'failover active "command.

my question is :

Is there any possible way by which we can fix the mgmt ips' not to switch upon failover trigger

I feel mgmt ip should be fixed, no matter failover occurs or not. Its the primary identity attribute  of the device to access it so it shouldn't swapable .

 

----------------------------------------------------------------

This host: Secondary - Standby Ready
Active time: 3 (sec)
Interface outside (20.1.1.2): Normal (Monitored)
Interface inside (10.1.11.2): Normal (Monitored)
Interface mgmt (150.1.7.54): Normal (Not-Monitored)
Other host: Primary - Active
Active time: 45 (sec)
Interface outside (20.1.1.1): Normal (Monitored)
Interface inside (10.1.11.1): Normal (Monitored)
Interface mgmt (150.1.7.53): Normal (Not-Monitored)

 

Thanks in advance    

0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎09-03-2018 12:47 PM

Hopefully this information help you to understand Failover triggers

 

https://community.cisco.com/t5/security-documents/asa-interface-monitoring-in-failover-and-its-impact/ta-p/3144324

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

johnd2310
Level 8
Level 8

‎09-03-2018 04:49 PM

Hi,

There is no way to configure this on the  ASA. This is one weakness with the ASA. Hope Cisco can fix this. There should be certain configuration info (like device name, management address) that is not replicated across. I  should be able to name my firewalls DC1-Firewall and DC2-Firewall, and during failover, i should be able to tell which datacentre firewall is active

 

Thanks

John

**Please rate posts you find helpful**
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-03-2018 06:59 PM

If you configure the management interface separately on each member of the pair (i.e. don't use the standby parameter when setting up the management interface ip addresses), it should not swap when failover occurs.

 

Additionally you can change the device prompt to include the state (active or standby).

0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎09-03-2018 10:09 PM

Put this command in. 'prompt hostname state priority'

It will append the state and priority to hostname so that you know where
you are once you login. It helps
0 Helpful

PhilippeBLAVIER2315
Level 1
Level 1
In response to Mohammed al Baqari

‎08-24-2020 07:18 AM

I confirm it works, untill you reload.

 

Did you test a reload on both units ?

 

I'm using version 9.12

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card