I have configured a couple of ASA5510's as an active/standby pair and all is working well. I have a bunch of ASA's that I manage and as a practice, I don't usually configure or connect the management interfaces. I just connect to them via one of the data interfaces. However, while I was playing around with the failover pair in the lab I lost connectivity to the primary unit (don't ever let your unconfigured standby unit come up BEFORE you issue the failover command on the primary unit!). This made me think that I might want to configure management interfaces.
Ideally, the management interfaces would have "static" addresses. They would not be monitored interfaces and the management IP address would not change when failover occurs. In other words, if the secondary/standby has a management IP address of 184.108.40.206 it STILL has a management address of 220.127.116.11 when it becomes secondary/active.
I tried to make this work by assigning different IP addresses to the m0/0 interfaces on each ASA without the "standby" address parameter. Of course, I have to do this on the active unit before I do it on the standby unit. If I do it on the standby unit first, that address gets overwritten when the "ip address" command is replicated from the primary unit. So now I have the two units each with a different IP address on the management interface. In this configuration, I can access the active unit management int but not the standby. A "show int m0/0" command on the standby tells me that the IP address is unassigned, but a "show run int m0/0" indicates that it is configured. Oh - and I have configured "no monitor-interface management".
So, I take it that it is not possible to do this? If not, I have to ask myself the same question I did before - why bother connecting the management interface?
The active and standby ip's need to be set on all interfaces including the management-only. Sorry!
You could always use the management interface for actual traffic if you need to or as your failover link.
The interface was created to provide an out of band type of management for the ASA. Maybe you have an isolated net just for management. Or you just don't want the extra traffic going over an interface that is carrying real traffic. Can also be another way to access if anything were to happen to your inside interface or where you normally manage it from.
> help you start off your ASA configuration/ASDM easily and quickly...(DHCP etc. filter 'allow' by default etc.)
> Dedicate an interface for Out of Band (OOB) management. This depends on your security policy/compliance requirements.
However the scenario you describe is not possible with failover. If you are not 'monitoring' an interface you can skip the secondary IP address on it (it will work fine without it); however, you won't be able to connect to the secondary box using the mgmt. interface. The best practice is to configure both active/standby addresses, so that you can connect to both units (which is sometimes good to troubleshoot).
You are never supposed to enter any configuration commands on the standby unit. And any changes you make to the active are automatically replicated to the standby, so it's not possible to assign two different IPs.
Whichever unit is active it will take the first IP and vice versa.
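As an added illustration of the supported setup described in the answers above (not configuration from the original thread), the management-only interface carries an active and a standby address like any other interface, is excluded from health monitoring, and restricts SSH to the management subnet. All addresses and interface names are placeholders chosen for the example.

```text
! Management-only interface: active and standby addresses are both required
! in a failover pair. The unit that is currently active owns .1, the standby
! owns .2, and the two swap roles (and addresses) on failover.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Failover link on a dedicated data interface (placeholder addressing)
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover
!
! Do not let the management interface's state trigger a failover
no monitor-interface management
!
! Only the management subnet may SSH in via the management interface
ssh 10.0.0.0 255.255.255.0 management
```

Apply the configuration on the active unit only; it replicates to the standby, which then answers on the standby address until a failover makes it active.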