ASA Management interface confusion

jkell
Level 1

I'm running a pair of 5540s in active/active mode. The interfaces are set up such that g0/0 and g0/1 are outside/inside for context 1, and g0/2 and g0/3 are outside/inside for context 2. The management interface is used for LAN/stateful failover by the system context.

Initially, the management interfaces were simply connected through an L2 switch with point-to-point IPs. I wanted to be able to truly "manage" the ASAs this way, so I have added an SVI to the switch connecting the management interfaces in hopes of doing administration through their IPs.

The management subnet is x.x.x.64/29.

The primary ASA is x.x.x.66.

The secondary ASA is x.x.x.67.

The switch SVI is x.x.x.65.

I can ping both management interfaces from the switch, no issues there.

But I cannot establish SSH/ASDM sessions with these IPs. I can only do this from the inside interfaces of the individual contexts as before.

Is there a trick to being able to actually "manage" the ASA through the "management" interface?

1 Reply 1

chrisbicm
Level 1

First off... Cisco suggests that you do not use the management interface as your failover link. Secondly, I am fairly certain the reason that you can "manage" the ASA through the "Management" interface is because it is being used as your failover link and therefore is not used for management anymore. I am not certain that this is the case, but it would make sense to me. You could always set up telnet for the ASA to allow your computer to access the configuration information if you wanted to.

Chris
