Cisco Support Community
Community Member

ASA Failover: Maintain management IPs

Hi all,

I'm trying to work out if it's possible on ASAs to have the devices fail over, but have the management IP not fail over. So as an example:

PRE FAILOVER

| Interface | ASA 1 | ASA 2 |
|---|---|---|
| Inside | 192.168.1.1/24 | 192.168.1.2/24 |
| Outside | 192.168.2.1/24 | 192.168.2.2/24 |
| Management0/0 | 10.1.1.1/24 | 10.2.1.1/24 |

POST FAILOVER

| Interface | ASA 1 | ASA 2 |
|---|---|---|
| Inside | 192.168.1.2/24 | 192.168.1.1/24 |
| Outside | 192.168.2.2/24 | 192.168.2.1/24 |
| Management0/0 | 10.1.1.1/24 | 10.2.1.1/24 |

Is it possible to do failover this way? I've tried disabling Man0/0 as a monitored-interface, but it makes no difference.

Thanks!

4 REPLIES
Red


Hi Stuart,

That's not possible, because whatever IP you give to your management interface would be overwritten with the one that you have on the Primary firewall when the replication happens. So the setup that you are looking for might not be possible.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Community Member


I had expected this to be the case unfortunately. Seems like a bit of an oversight really, as management access that you can't have unless a device is in a certain mode, and may change, isn't much like management access to me.

Red


No, you can access the management interface of the standby firewall, even if it is in standby state. I am sorry, but I am not really sure about your requirement and would suggest that you let me know.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Community Member


We would like the ASAs to be monitored and reachable separately. If the management IP switches over, that negates monitoring of the IP.

Ideally we would like the firewall management IPs to be in completely different subnets, which looks impossible with the way they currently work. An example is exactly like my first post.
