ASA Management Interface Issue

c.tabassum
Level 1

Hi All,

I am having issues with the ASA 5510 management interface.

I can't communicate with this interface. It is showing DOWN/DOWN even if I type NO SHUT several times.

My existing config is as follows

our-asa-01# sh run
: Saved
:
ASA Version 7.2(5)
!
hostname our-asa-01
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif pro
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 duplex full
 nameif management
 security-level 0
 ip address 10.10.99.11 255.255.255.0
 management-only
!
boot system disk0:/asa725-k8.bin
no ftp mode passive
dns server-group DefaultDNS
 domain-name tmi-our.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended deny ip any any
access-list management_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu production 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-525.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (pro) 1 0.0.0.0 0.0.0.0
no threat-detection statistics tcp-intercept
access-group outside_access_in in interface outside
access-group management_access_in in interface management
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route pro 172.16.0.0 255.255.255.0 10.10.10.1 1
route management 0.0.0.0 0.0.0.255 10.10.99.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
http server enable
http 10.10.99.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.99.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 30
management-access management
tftp-server management 10.10.99.100 tftp://10.10.99.100/
username manager password w8DyJk5xISyQAabZ encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:953f4b1927ba125e6e585da372f0b0df
: end

our-asa-01# sh int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                x.x.x.2        YES CONFIG up                    up
Ethernet0/1                unassigned      YES unset  administratively down up
Ethernet0/2                10.10.10.2      YES CONFIG up                    up
Ethernet0/3                unassigned      YES unset  administratively down up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              10.10.99.11     YES manual down                  down

our-asa-01# sh int m0/0
Interface Management0/0 "management", is down, line protocol is down
  Hardware is i82557, BW 100 Mbps
        Full-Duplex, Auto-Speed
        MAC address c84c.75ea.2bc7, MTU 1500
        IP address 10.10.99.11, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "management":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

our-asa-01# ping 10.10.99.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.99.11, timeout is 2 seconds:
???
Success rate is 0 percent (0/3)

our-asa-01# ping
Interface: management
Target IP address: 10.10.99.11
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.99.11, timeout is 2 seconds:
Error: management interface is shutdown
Success rate is 0 percent (0/1)


varrao
Level 10

Hi Chamon,

Couple of things to check:

First make sure the connectivity is correct and the cables are fine.

Second, if you want to pass normal traffic through the management interface, then you would need to go into the management interface and issue the command "no management-only".

Let me know how it goes.

Thanks,

Varun


Hi Varun,

Thanks for your reply.

The cable is connected properly. My goal is to use the Management interface for management purpose only.

I also tried to put "no management-only" command to see the difference but I did not find anything yet.

The interface is showing STATUS DOWN, which is similar to Administrative Down.

Management0/0              10.10.99.11     YES manual down                  down

We need to find a solution to make it active otherwise I don't think this will work again.

Chamon,

What is this interface connected to? Typically when you see a down down, I would look for Layer 1 connectivity first... checking the physical connectivity... like the VLAN on the switch, and that the switchport is not shut down or in an errordisable state.

These are the first few steps I would take, and then replace the cable.

Thanks,

Kimberly


Hi,

Check the cable, check that it's a straight-through and not an X-over if it's going to a switch.

Check the switch's port has been brought up and check that speed and duplex match on both the ASA and the switch.

Cheers,

Rich

keithayates
Level 1

I had this problem today.  Ended up being that the man0/0 interface was administratively shut down in the system context.  So not only does it have to be enabled in the context that you allocate the interface to, but it needs to be enabled in the system context as well. 

I was pulling out my hair!
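
The replies in this thread separate "administratively down" from plain down/down and suggest different checks for each. As an added example (not code from any poster or from Cisco), the Python below reads `show interface ip brief` output together with the interface blocks of the running config and lists which of those checks apply to each interface that is not up/up. The function names `interface_blocks` and `triage` are hypothetical, and the sample text is trimmed from the output posted above.

```python
import re
# Constructed samples, trimmed from the output posted in this thread.
SHOW_INT_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                x.x.x.2         YES CONFIG up                    up
Ethernet0/1                unassigned      YES unset  administratively down up
Management0/0              10.10.99.11     YES manual down                  down
"""
RUNNING_CONFIG = """\
interface Ethernet0/1
 shutdown
!
interface Management0/0
 duplex full
 management-only
!
"""

ROW = re.compile(r"^(\S+)\s+\S+\s+(?:YES|NO)\s+\S+\s+(administratively down|up|down)\s+(up|down)\s*$")

def interface_blocks(config):
    """Map each interface name to the list of its sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    return blocks

def triage(brief, config):
    """Return {interface: [things to check]} for interfaces that are not up/up."""
    blocks, report = interface_blocks(config), {}
    for line in brief.splitlines():
        m = ROW.match(line)
        if not m or m.group(2, 3) == ("up", "up"):
            continue  # header line, unparsable line, or healthy interface
        name, status, cmds = m.group(1), m.group(2), blocks.get(m.group(1), [])
        if status == "administratively down" or "shutdown" in cmds:
            notes = ["shutdown in this config: 'no shutdown' should clear it"]
        else:
            notes = ["down/down with no shutdown here: check Layer 1 (cable, switch port)",
                     "in multiple-context mode, check the system context for shutdown"]
        notes += [f"hard-set '{c}': must match the switch port"
                  for c in cmds if c.startswith(("speed ", "duplex "))]
        report[name] = notes
    return report
```

On the sample, `Management0/0` gets the Layer 1 and system-context checks plus a note about its `duplex full` setting, while `Ethernet0/1` is reported only as shut down in the config.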
