04-26-2023 04:30 AM
Hi all,
I have two ASA FirePower-2140 in Active/Standby Configuration.
I need to configure one IP address for management on FirePower-1 and a distinct IP address for management on FirePower-2 because I need to access both devices independently via HTTP and SSH. So, I need this configuration:
FirePower-2140-ASA-1# show running-config interface management 1/1
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.140.7.65 255.255.255.128
FirePower-2140-ASA-2# show running-config interface management 1/1
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.140.7.165 255.255.255.128
FirePower-2140-ASA#
However, due to config synchronization from the Active to the Standby device, the management IP address for FirePower-2140-ASA-2 changes to the management IP address configured in FirePower-2140-ASA-1. In addition, it is not possible to configure a standby IP address for the management interface because both IPs are in different networks.
Is there any way to avoid this issue?
04-26-2023 05:17 AM
I have an idea here; it can work for you.
Use two interfaces, one for each subnet, so even if the config is synced you can reach the ASA that has the right subnet.
04-26-2023 04:37 AM
Why do you want to do this? What is your end goal by having a management IP in a different subnet on the standby unit? When using the same interface there is no way around it. Also, you should not be managing the ASAs separately when they are in HA configuration as this will put the configuration out of sync and cause issues.
Optionally, you could configure a second interface with an IP and standby IP in a different subnet and manage the ASA via this interface. This is not recommended though.
04-26-2023 04:47 AM
Different subnet for the management interface? Why do you configure it this way?
04-26-2023 04:55 AM
Hi Marius,
The main reason is due to network design limitation. We have two different management networks, one in a data center (10.140.7.0/25) and the other (10.140.7.128/25) in a different data center location.
Devices in both networks can communicate with each other via different gateways. For example, the gateway for the 10.140.7.0/25 network is 10.140.7.1 and the gateway for 10.140.7.128/25 is 10.140.7.129. So, as you can conclude, it is necessary that FirePower-1 has 10.140.7.1 configured as the management gateway and FirePower-2 has 10.140.7.129 configured as the management gateway.
04-26-2023 05:11 AM
If you do not have L2 connectivity between the two sites then an ASA active/standby HA setup is probably not the way you should go. Could you describe your network in more detail and what your end goal or expected result is?
04-26-2023 05:36 AM
Hi,
Yes, it could be a possible solution. Not elegant but functional.
In addition, in my network design, I only have two links for data; one for inside and the other for outside. So, I think it doesn't make sense to configure monitored management interfaces for failover. For example, if the management interface in FirePower-1 goes down it is not necessary to fail over to the standby device if the data interfaces are up.
What is your opinion about it?
04-26-2023 05:38 AM - edited 04-26-2023 05:39 AM
Sorry, I must mention that you need to not monitor both mgmt interfaces.
Thanks
MHM
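As an added illustration of the two-interface approach MHM suggests, with both management interfaces excluded from failover monitoring as in the last reply (this is not config from any of the posts above or from Cisco documentation): the second physical interface GigabitEthernet1/8, its nameif, the .66/.166 standby addresses and the 10.140.7.0/24 admin source range are assumptions.

```cisco
! Assumed illustration (not from the thread). The same configuration is synced to
! both units; the active unit answers on the primary address of each interface and
! the standby unit on the standby address, so each chassis stays reachable on the
! interface that is cabled into its own site's management network.
!
! Site-1 management subnet (10.140.7.0/25), cabled on the unit sitting in that site.
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.140.7.65 255.255.255.128 standby 10.140.7.66
!
! Site-2 management subnet (10.140.7.128/25), cabled on the unit sitting in that site.
! Interface name and standby address are assumptions.
interface GigabitEthernet1/8
 management-only
 nameif management-dc2
 security-level 100
 ip address 10.140.7.165 255.255.255.128 standby 10.140.7.166
!
! Allow HTTP and SSH on both management interfaces from the admin range (assumed /24).
http server enable
http 10.140.7.0 255.255.255.0 management
http 10.140.7.0 255.255.255.0 management-dc2
ssh 10.140.7.0 255.255.255.0 management
ssh 10.140.7.0 255.255.255.0 management-dc2
!
! Neither management interface should trigger a failover; on each unit the other
! site's interface is unconnected, so only the inside/outside data links are monitored.
no monitor-interface management
no monitor-interface management-dc2
```

The address that reaches a given chassis changes with its role (.65 or .66 for the unit in 10.140.7.0/25, .165 or .166 for the other), which is the "not elegant" part of this workaround. Static routes are synchronised as well, so the per-site gateways mentioned in the thread (10.140.7.1 and 10.140.7.129) still need a routing answer that this fragment does not provide.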