ASA management Interface

battanc · ‎03-03-2014

Two ASA-5510 in failover.

I have configured the Management Interfaces, connected to a separate VLAN, thinking that the IP address of this Interface is tied to the "physical unity.

That is: Primary has allways 192.168.0.1 and Secondary has allways 192.168.0.2

!

interface Management0/0

nameif MANAGEMENT

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

!

Differently from the failover Interfaces, where the IP address is tied to the "role": the active unity has always 172.27.252.1 and the stand-by unity has alway 172.27.252.2

Or at least it was so, up to some version ago ...

!

interface Ethernet0/1

nameif INSIDE

security-level 100

ip address 172.27.252.1 255.255.255.240 standby 172.27.252.2

!

Now (9.1.4) I see that ALSO the management IP "move" together with the role.

And I can not set two IP address separately.

And this complicate the management of the two units...

Is this an issue of my config or and there some way to fix this problem ?

Best regards,

Claudio

Marvin Rhoads · ‎03-04-2014

In your example above the first section showing a management interface configuration will result in the standby unit of an HA pair having no address on its management interface. The configuration synchronization includes the management interface configuration.

If you need separate direct IP reachability of the management interface, you should set it up just like your inside interface address is setup - with a standby address designated.