ASA Failover: Maintain management IPs

May 14th, 2012

Hi all,


I'm trying to work out if it's possible on ASAs to have the devices fail over, but have the management IP not fail over. So as an example:


PRE FAILOVER


Interface        ASA 1             ASA 2
Inside           192.168.1.1/24    192.168.1.2/24
Outside          192.168.2.1/24    192.168.2.2/24
Management0/0    10.1.1.1/24       10.2.1.1/24


POST FAILOVER


Interface        ASA 1             ASA 2
Inside           192.168.1.2/24    192.168.1.1/24
Outside          192.168.2.2/24    192.168.2.1/24
Management0/0    10.1.1.1/24       10.2.1.1/24






Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.


Thanks!

varrao Mon, 05/14/2012 - 04:32

Hi Stuart,


That's not possible, because whatever IP you give to your management interface, it would be overwritten with the one that you have on Primary firewalls when the replication happens. So the setup that you are looking for might not be possible.



Thanks,
Varun Rao
Security Team,
Cisco TAC

showlette Mon, 05/14/2012 - 04:57

I had expected this to be the case unfortunately. Seems like a bit of an oversight really, as management access that you can't have unless a device is in a certain mode, and may change, isn't much like management access to me.

varrao Mon, 05/14/2012 - 04:59

No, you can access the management interface of the standby firewall, even if it is in standby state. I am sorry but I am not really sure about your requirement and would suggest if you can let me know.



Thanks,
Varun Rao
Security Team,
Cisco TAC

showlette Mon, 05/14/2012 - 05:04

We would like the ASAs to be monitored and reachable separately. If the management IP switches over, that negates monitoring of the IP.


Ideally we would like the firewall management IPs to be in completely different subnets, which looks impossible with the way they currently work. An example is exactly like my first post.
