Hi,
Tested without "standby" IP in GNS3, with vASAs on version 9.14.1.
Came to the same conclusion as Philippe.
It works fine, even with failover, until standby unit is rebooted... because standby unit then overwrites its config with the active's (replication) upon boot, and you end up with the same MGT IP in both FWs...
I've found a way to have fixed/dedicated MGT IPs per FW.
It's not config based but more a "cable trick", here it is (it requires to have an extra interface, on top of management 0/0, free):
(all this is to be cfg'ed in active unit, which will be automatically replicated to standby unit)
no monitor-interface management 0/0
no monitor-interface Gi0/4 (for example)
give management 0/0 IP 10.0.0.1/24 - no standby IP
give Gi0/4 IP 10.1.0.1/24 - no standby IP
then in FW1:
CABLE/CONNECT mgt 0/0
DO NOT CABLE/CONNECT gi0/4
whereas in FW2:
DO NOT CABLE/CONNECT mgt 0/0
CABLE/CONNECT gi0/4
This way you have fixed/dedicated MGT via 10.0.0.1 in FW1 and via 10.1.0.1 in FW2.
If you go ahead with this, because the primary MGT IP will NOT "follow" the active unit anymore, I suggest you implement preempt in the FW you want to be primary.
Or, instruct people to always check which FW is the active unit before deploying any config and always deploy config in that one, not in the standby one.
Otherwise you might end up with config deployed in the standby unit, which will therefore never work as not replicated to the active one (replication only works active => standby).
Worse, you would therefore have unsync'ed configs between FWs...
This being said, in CLI the standby unit will complain if you try to apply cfg to it, in ASDM I'm not sure (I don't use ASDM as much).
