Solved: Re: Manage Interface Configuration Reservation in Active/Standy - ASA

4kalak4 · ‎04-26-2023

Hi all,

I have two ASA FirePower-2140 in Active/Standby Configuration.

I need to configure one IP addres for management in FirePower-1 and other distinct IP address for management in FirePower-2 because I need to access both devices independently via HTTP and SSH. So, I need this configuration:

FirePower-2140-ASA-1# show running-config interface management 1/1
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.140.7.65 255.255.255.128

FirePower-2140-ASA-2# show running-config interface management 1/1
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.140.7.165 255.255.255.128
FirePower-2140-ASA#

However, due to config syncronization from Active to Standby device, management IP address for FirePower-2140-ASA-2 change to management IP address configured in FirePower-2140-ASA-1. In addition, is not possible to configure a standby IP addres for managemente interface because both IPs are in different networks.

Is there any way to avoid this issue?

MHM Cisco World · ‎04-26-2023

I have idea here it can work for you

Use two interface one for each subnet, so even if the config is sync you can reach the Asa that have right subnet.

View solution in original post

Marius Gunnerud · ‎04-26-2023

Why do you want to do this? What is your end goal by having a management IP in a different subnet on the standby unit? When using the same interface there is no way around it. Also, you should not be managing the ASAs separately when they are in HA configuration as this will put the configuration out of sync and cause issues.

Optionally, you could configure a second interface with an IP and standby IP in a different subnet and manage the ASA via this interface. This is not recommended though.

--
Please remember to select a correct answer and rate helpful posts

MHM Cisco World · ‎04-26-2023

Different subnet for management interface? Why you config it in this way?

4kalak4 · ‎04-26-2023

Hi Marius,

The main reason is due to network design limitation. We have two different management networks, one in a data center (10.140.7.0/25) and the other (10.140.7.128/25) in a different data center location.

Devices in both networks can comunicate one with other via different gateways. For example, gateway for 10.140.7.0/25 network is 10.140.7.1 and gateway for 10.140.7.128/25 is 10.140.7.129. So, as you can conclude, is necessary that FirePower-1 have configured 10.140.7.1 for gateway management and FirePower-2 have configured 10.140.7.129 for gateway management.

Marius Gunnerud · ‎04-26-2023

If you do not have L2 connectivity between the two sites then an ASA active/standby HA setup is probably not the way you should go. Could you describe your network in more detail and what your end goal or expected result is?

Is one DC active and the other a disaster recovery site?
if both are active does one site use the other for access to all other network resources / users?
Do you have the ability to set up a dedicated L2 connection for the ASA HA...if this is an absolute requirement?

--
Please remember to select a correct answer and rate helpful posts

MHM Cisco World · ‎04-26-2023

I have idea here it can work for you

Use two interface one for each subnet, so even if the config is sync you can reach the Asa that have right subnet.

4kalak4 · ‎04-26-2023

Hi,

Yes, It could be a possible solution. Not elegant but functional.

In addition, in my network design, I only have two links for data; one for inside and the other for outside. So, I think it doesn't make sense configure monitored managed interfaces for failover. For example, if management interface in FirePower-1 comes down is not neccesary to make failover to the standby device if data interfaces are up.

What is your oppinion about it?

MHM Cisco World · ‎04-26-2023

Sorry I was must mention that you need to not monitor both mgmt interfaces.

Thanks

MHM