Management Interface

Answered Question
Aug 22nd, 2008

I have 2 ASA 5550s in active/standby configuration. The customer wants to put some sort of 3rd party monitoring device on the outside of the ASAs. They need to monitor both ASAs at the same time. Can the management interface be given a different address on either box?

Example:

ASA 1 192.168.1.1

ASA 2 192.168.1.2

We're running 7.1(2)72

Thanks

David

rmeans Fri, 08/22/2008 - 10:40

Each device (active or standby) interface (management, outside, inside, etc) has a unique IP address. You can access and monitor each IP address or interface uniquely. If the customer has a 3rd party monitoring device outside the firewall, just have the monitoring device monitor the outside interface.

If you decide to move forward with using the management interface, issuing the following command will assign IP addresses to each ASA (active/standby):

    interface management0/0
     ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

dvanhaaren Fri, 08/22/2008 - 10:54

I'm a little confused. I thought the active config was copied over to the standby ASA, making the configs identical. Does the "standby" command give the interface on the standby ASA a different address until failover? If so, are the addresses exchanged on failover to give the primary the standby addressing?

David

Correct Answer
Farrukh Haroon Sun, 08/24/2008 - 11:01

The standby device is never used by the clients themselves. Whichever unit is 'Active' starts replying to the 'Active' IP address, and the 'Standby' unit takes over the 'Standby' IP address. However, you can telnet/snmp to either IP address. And this should fulfill your goal.

There are some caveats though, e.g. if the management machine is reachable to the ASA via a dynamic routing protocol, then the standby unit will not have those dynamic routes in its routing table. This will need some special workarounds. Other than that, you can connect to the standby unit anytime you want. However, it's not recommended/supported to make any changes on the standby unit. Monitoring is OK though.

Regards

Farrukh
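The address behaviour described in the answer above, modelled as an added example that is not part of the original thread or Cisco code: both units share one replicated configuration, and each address follows the failover role rather than the physical box. The `FailoverPair` class and the unit labels "ASA 1" and "ASA 2" are hypothetical, and the config text is a constructed sample built from the stanza posted earlier.

```python
import re
from dataclasses import dataclass

# Constructed sample: the interface stanza from the earlier reply, as it
# would appear in the single configuration shared by both units.
SHARED_CONFIG = """\
interface management0/0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""

ADDR_RE = re.compile(
    r"^\s*ip address (?P<active>\S+) (?P<mask>\S+)(?: standby (?P<standby>\S+))?\s*$"
)

def parse_failover_addresses(config):
    """Return {interface: (active_ip, standby_ip or None)} from config text."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and (m := ADDR_RE.match(line)):
            result[current] = (m["active"], m["standby"])
    return result

@dataclass
class FailoverPair:
    """Hypothetical model of two physical units sharing one config."""
    addresses: dict
    active_unit: str = "ASA 1"
    standby_unit: str = "ASA 2"

    def fail_over(self):
        # Only the roles swap; the replicated configuration is unchanged.
        self.active_unit, self.standby_unit = self.standby_unit, self.active_unit

    def owner_of(self, ip):
        """Physical unit answering this IP right now (None if not configured)."""
        for active_ip, standby_ip in self.addresses.values():
            if ip == active_ip:
                return self.active_unit
            if ip == standby_ip:
                return self.standby_unit
        return None

if __name__ == "__main__":
    pair = FailoverPair(parse_failover_addresses(SHARED_CONFIG))
    for event in ("before failover", "after failover"):
        view = {ip: pair.owner_of(ip) for ip in ("192.168.1.1", "192.168.1.2")}
        print(event, view)
        pair.fail_over()
```

A monitor that polls the two addresses is therefore tracking the active and standby roles, so it cannot tell from the IP alone which physical unit it reached.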

dvanhaaren Mon, 08/25/2008 - 03:56

Thanks Farrukh, I think I understand, we'll give it a shot and see what happens.

David
