Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
506
Views
0
Helpful
4
Replies

Management Interface

Go to solution
dvanhaaren
Level 1
Level 1

‎08-22-2008 09:35 AM - edited ‎03-09-2019 09:19 PM

I have 2 ASA 5550's in active/standby configuration. The customer wants to put some sort of 3rd party monitoring device on the outside of the ASAs. They need to monitor both ASA's at the same time. Can the management interface be given a different address on either box.

Example:

ASA 1 192.168.1.1

ASA 2 192.168.1.2

We're running 7.1(2)72

Thanks

David

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to dvanhaaren

‎08-24-2008 11:01 AM

The standby device is never used by the clients themselves. Whichever unit is 'Active' it starts replying to the 'Active' IP address and the 'Standby' unit takes over the 'Standby' IP Address. However you can telnet/snmp to either IP address. And this should fulfill your goal.

There are some caveats tough, e.g. if the Management Machine is reachable to the ASA via a dynamic routing protocol then the standby unit will not have those dynamic routes in its routing table. This will need some special workarounds. Other than that, you can connect to the standby unit anytime you want. However its not recommended/supported to make any changes on the standby unit. Monitoring is OK tough.

Regards

Farrukh

View solution in original post

0 Helpful
4 Replies 4

Go to solution
rmeans
Level 3
Level 3

‎08-22-2008 10:40 AM

Each device (active or standby) interface (management, outside, inside, etc) has a unique IP address. You can access and monitor each IP address or interface uniquely. If the customer has a 3rd party monitoring device outside the firewall, just have the monitoring device monitor the outside interface.

If you decide to move forward with using the managment interface, issuing the following command will assign IP addresses to each ASA (active/standby)

interface management0/0

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

0 Helpful

Go to solution
dvanhaaren
Level 1
Level 1
In response to rmeans

‎08-22-2008 10:54 AM

I'm a little confused. I thought the active config was copied over to the standby ASA, making the configs identical. Does the "standby" command give the interface on the standby ASA a different address until failover? If so, are the addresses exchanged on failover to give the primary the standby addressing?

David

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to dvanhaaren

‎08-24-2008 11:01 AM

The standby device is never used by the clients themselves. Whichever unit is 'Active' it starts replying to the 'Active' IP address and the 'Standby' unit takes over the 'Standby' IP Address. However you can telnet/snmp to either IP address. And this should fulfill your goal.

There are some caveats tough, e.g. if the Management Machine is reachable to the ASA via a dynamic routing protocol then the standby unit will not have those dynamic routes in its routing table. This will need some special workarounds. Other than that, you can connect to the standby unit anytime you want. However its not recommended/supported to make any changes on the standby unit. Monitoring is OK tough.

Regards

Farrukh

0 Helpful

Go to solution
dvanhaaren
Level 1
Level 1
In response to Farrukh Haroon

‎08-25-2008 03:56 AM

Thanks Farrukh, I think I understand, we'll give it a shot and see what happens.

David

0 Helpful
Customers Also Viewed These Support Documents