Cisco Support Community
ASA failover & "static" management address

I have configured a couple of ASA5510s as an active/standby pair and all is working well. I have a bunch of ASAs that I manage and, as a practice, I don't usually configure or connect the management interfaces. I just connect to them via one of the data interfaces. However, while I was playing around with the failover pair in the lab I lost connectivity to the primary unit (don't ever let your unconfigured standby unit come up BEFORE you issue the failover command on the primary unit!). This made me think that I might want to configure management interfaces.

Ideally, the management interfaces would have "static" addresses. They would not be monitored interfaces and the management IP address would not change when failover occurs. In other words, if the secondary/standby has a management IP address of it STILL has a management address of when it becomes secondary/active.

I tried to make this work by assigning different IP addresses to the m0/0 interfaces on each ASA without the "standby" address parameter. Of course, I have to do this on the active unit before I do it on the standby unit. If I do it on the standby unit first, that address gets overwritten when the "ip address" command is replicated from the primary unit. So now I have the two units each with a different IP address on the management interface. In this configuration, I can access the active unit's management interface but not the standby's. A "show int m0/0" command on the standby tells me that the IP address is unassigned, but a "show run int m0/0" indicates that it is configured. Oh - and I have configured "no monitor-interface management".

So, I take it that it is not possible to do this? If not, I have to ask myself the same question I did before - why bother connecting the management interface?

TIA - Jeff


Re: ASA failover & "static" management address

The active and standby IPs need to be set on all interfaces, including the management-only one. Sorry!

You could always use the management interface for actual traffic if you need to or as your failover link.

The interface was created to provide an out-of-band type of management for the ASA. Maybe you have an isolated net just for management. Or you just don't want the extra traffic going over an interface that is carrying real traffic. It can also be another way to access the box if anything were to happen to your inside interface or wherever you normally manage it from.



Re: ASA failover & "static" management address

The management interface is provided to:

> Help you start off your ASA configuration/ASDM easily and quickly (DHCP etc., filter 'allow' by default, etc.)

> Dedicate an interface for Out of Band (OOB) management. This depends on your security policy/compliance requirements.

However, the scenario you describe is not possible with failover. If you are not 'monitoring' an interface you can skip the secondary IP address on it (it will work fine without it); however, you won't be able to connect to the secondary box using the mgmt. interface. The best practice is to configure both active/standby addresses, so that you can connect to both units (which is sometimes good for troubleshooting).

You are never supposed to enter any configuration commands on the standby unit. And any changes you make to the active are automatically replicated to the standby, so it's not possible to assign two different IPs.

Whichever unit is active will take the first IP, and vice versa.

Please rate if helpful.
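The configuration the replies above describe, as an added example that is not from any of the posters: the management interface on an active/standby pair with both an active and a standby address, excluded from failover monitoring. The addresses and the SSH host are constructed, and the interface name Management0/0 and the "management" nameif are assumed.

```cisco
! Added example (not from the posts above). Enter on the ACTIVE unit only;
! failover replication pushes it to the standby. Addresses are constructed.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Keep the management interface out of the failover health checks, so a
! problem on the OOB network does not trigger a failover.
no monitor-interface management
!
! Permit SSH to the management interface from one management host only
! (192.0.2.10 is a constructed example address).
ssh 192.0.2.10 255.255.255.255 management
!
! After a failover the ADDRESSES follow the role, not the chassis: whichever
! unit is active answers on 192.0.2.1 and the standby on 192.0.2.2.
! Confirm the pair state and each unit's role with:
!   show failover
```

Because the addresses follow the role, reach "the active" and "the standby" by IP rather than expecting a given physical unit to keep the same management address.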