Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
427
Views
0
Helpful
1
Replies

Interface Management for ASA Redundancy

fara.rhea
Level 1
Level 1

‎02-07-2013 12:29 AM - edited ‎03-11-2019 05:57 PM

Guys ..

Do you have any idea / experience with ASA redundanci (failover active / active, failover active / standby). How about the management ?

What is the best practice to manage the ASA (first ASA and secondary ASA) ?

Can we use the interface management ? If use the interface management, how about the routing for interface management ?

As far as i know :

1. Interface management doesn't have separate routing engine in ASA

2. Interface management will have the same ip in first ASA and secondary ASA

CMIIW,

BR

Fara

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎02-07-2013 12:55 AM

Hi,

In a Failover enviroment the Management interface should pretty much be configured the same way as the actual Data interfaces. Though naturally you can limit the interface to only handle Management traffic and not pass Data.

So basically you configure the Management interface with

  • Primary interface IP address and Standby IP address

Primary interface IP address will always (or pretty much always) be the IP address you will connect to when configuring the whole Failover pair. This is because doing configurations on Standby unit wont replicate the configurations to the Primary unit.

In the event of Failover ofcourse the old Standby unit becomes Active and inherits the Primary interface IP address so the IP address for Management never really changes.

You should configure the Management interfaces on both ASA units so that the Management interfaces have L2 connection/segment between them. Just like all the Data interfaces.

To give you a simple example of one of our ASAs Management interface configuration

interface Management0/0

description Management

nameif management

security-level 100

ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

management-only

In the above example the IP 10.1.1.1 is the IP address used to connect to the ASA Failover Pair and configure it. The Standby IP address is the IP to connect to the unit that is Stanby at that moment. But you dont really configure the Standby device unless in some specific situations (or atleast thats how its been in my case)

Naturally you can connect to the Standby unit to issue show commands if you need.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card