Just looking for some advice on this issue we are having. We have an active/standby 5520 setup on our network. Our network is being monitored by a remote server via a VPN connection. The monitoring server can reach everything in our network except the standby ASA inside interface address. It looks like the packets are getting to the standby unit but but then being dropped. Is there some trick to getting this to work? We may have a configuration issue but I'm trying to understand if/how this is possible. We are just trying to monitor the up/down status via ICMP.
You're most likely hitting an asymmetric routing issue. The standby unit may be trying to reply via its outside interface but that will fail since it is only a standby peer for the VPN.
The way to do this is to use the management interface and put a static route for the reply traffic from the management interface that will force it back through the Active unit's inside interface. You may also need a route on the primary unit telling it that the management subnet is reachable via an inside gateway - depending on your setup.
Thank you both. It looks like what Marvin has suggested is what is occurring. We will look into using the management interface for monitoring.
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
