Cisco Support Community
Configuration Failover with Management Interface

Hello,

I want to configure failover (Active/Passive) on an ASA 5525-X, with two ports (failover LAN and stateful failover) and a management interface for each ASA. The ASA will be configured with EIGRP for routing. The ASA will be connected to a Catalyst 6500 switch, and the management interface too, but in a management VLAN. My question is how the routing in the ASA would work, because I want to manage the ASA from the same internal network. I mean that the ASA will receive traffic on the Inside interface from the network 172.16.X.X and will also receive management traffic on the management interface from the same network 172.16.X.X.

Thanks for the help.

VIP Green

Configuration Failover with Management Interface

When you say that you want the inside interface to be used for traffic and for management, do you mean management traffic for administering the ASA or are we talking logging information?

If you just want to manage the ASA using the inside interface IP then you just need to add the IP or subnet that you want to be able to configure the ASA into the SSH and / or HTTP configuration.

ssh 172.16.x.x 255.255.0.0 inside

http 172.16.x.x 255.255.0.0 inside

This just allows the full 172.16.x.x subnet to manage the ASA device. I suggest tightening this security hole by specifying only certain IPs or establishing a separate management subnet.

I have also assumed that all other configuration needed to manage the ASA is correctly configured and in place.

--
Please remember to rate and select a correct answer


Configuration Failover with Management Interface

Hello Marius, I want any management traffic to use the management interface in a management subnet 172.18.X.X/24, but I am not sure whether this will cause a routing problem, because I will manage the ASA from the network 172.16.X.X/16 and the traffic to the inside interface is also from the network 172.16.X.X/16.

Thanks.

VIP Green

Configuration Failover with Management Interface

I do not believe that this is possible. You can only manage the ASA through the interface on which the management traffic enters. The only exception is when using VPN. In this case you need to add the management-access command to be able to manage the device (the interface name is the interface whose IP you intend to use for device management).

There is no way around this unless you add a router between the ASA and your LAN that routes management traffic to the correct interface.

--
Please remember to rate and select a correct answer


Configuration Failover with Management Interface

Thank you Marius for the help. So, to manage the ASA through the management interface, I need an out-of-band network.

VIP Green

Configuration Failover with Management Interface

It doesn't necessarily need to be OOB, but the management traffic needs to enter the management interface. So your options are to either create an OOB management network or manipulate traffic on the switch (if possible) so that management traffic goes to the management interface.

--
Please remember to rate and select a correct answer


Configuration Failover with Management Interface

I am sure that the ASA receives the traffic on the management interface. I also created the static route: route management 172.16.X.X 255.255.0.0 172.18.10.1. In the beginning this worked, but I erased this route because I am not sure whether it could cause routing problems when the ASA routes the traffic to the network 172.16.X.X/16. The routing protocol running on the ASA is EIGRP.

Thanks.

VIP Green

Configuration Failover with Management Interface

Without seeing your configuration, and if you are correct that management traffic is entering the management interface, then this is a routing problem. It would seem that since you have no route pointing back out the management interface for the management traffic, the traffic is sent out the LAN interface. Since this causes asymmetric routing, the packet will be dropped by default.

You could try to configure tcp-bypass to get around this, but I strongly suggest that you create a management network for this purpose.

This link refers to ASA version 8.2 but the configuration applies to all versions.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

--
Please remember to rate and select a correct answer


Re: Configuration Failover with Management Interface

Hi Marius, thanks for the help. I attach the configuration and a basic topology of the implementation.

Thanks,

VIP Green

Re: Configuration Failover with Management Interface (Accepted Solution)

Is that switch a L3 switch?

Are you able to ping 172.18.10.41 from the LAN? If you issue a traceroute from your PC to 172.18.10.41, what path does it take?

Because static routes have a lower administrative distance than EIGRP, your static route will override your EIGRP process, since it is routing the entire 172.16.0.0/16 network.

Chances are that traffic is entering the MGMT interface, and since you now have the static route in place, the return traffic is sent back out the correct interface (which is the MGMT interface). Once you remove the static route, EIGRP routing takes over and return traffic is sent out the inside interface, creating an asymmetric routing situation.

So you have a couple of options. You could enable TCP bypass (not recommended), which is a quick fix. You could also give your PC a static IP and then configure static routes pointing out the management interface, though this could start causing other connectivity issues for your PC. Or you can set up a management network, which is what I recommend doing. It is not that difficult or time consuming. As I said, you can have the management network inline, meaning that it travels across the same infrastructure as all other data traffic. Just set up a new VLAN on the switch for MGMT and place the ASA interface in that VLAN, as well as adding the management PCs to that same VLAN.

Of course this is a very simplified way of doing it, and you can get much more complicated with the design if you wish.

--
Please remember to rate and select a correct answer

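The accepted answer hinges on two forwarding rules: the most specific prefix wins first, and administrative distance only decides between sources offering the same prefix (static 1 versus EIGRP 90 on an ASA). The following toy lookup, added here as an illustration and not code from the thread or from Cisco, reproduces the two situations described above (static /16 route present or removed) and flags the asymmetric return path that the ASA drops by default. It also goes one step beyond the thread to show that a more specific EIGRP subnet would beat the static /16 regardless of distance. Only 172.18.10.41 (the ASA management address) and 172.18.10.1 (its gateway) come from the thread; the inside subnet 172.16.255.0/24, its next hop 172.16.255.1 and the workstation 172.16.20.5 are constructed placeholders.

```python
"""Toy longest-prefix / administrative-distance lookup modelled on the routes
discussed in the thread.  Added illustration, not code from the thread or from
Cisco.  Addresses other than 172.18.10.41 and 172.18.10.1 are constructed."""
import ipaddress
from dataclasses import dataclass

# Default administrative distances on a Cisco ASA: lower is preferred when two
# sources offer the *same* prefix.
AD = {"connected": 0, "static": 1, "eigrp": 90}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # "-" for directly connected networks
    interface: str     # nameif the packet leaves on
    source: str        # "connected", "static" or "eigrp"


def route(prefix, next_hop, interface, source):
    return Route(ipaddress.IPv4Network(prefix), next_hop, interface, source)


def best_route(table, dst):
    """Forwarding decision for destination dst.

    The most specific (longest) prefix is kept first; only when two sources
    offer an identical prefix does administrative distance decide which one is
    installed.  One sort key models both steps for a small table."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, AD[r.source]))


def is_asymmetric(ingress_if, dst_host, table):
    """True if the reply to dst_host would leave on a different interface than
    the one the request arrived on.  The ASA drops such flows by default
    because no connection state exists on the egress interface."""
    reply = best_route(table, dst_host)
    return reply is not None and reply.interface != ingress_if


# Connected networks (the inside subnet is a constructed value).
CONNECTED = [
    route("172.18.10.0/24", "-", "management", "connected"),
    route("172.16.255.0/24", "-", "inside", "connected"),
]
# EIGRP learns the whole 172.16.0.0/16 from the 6500 via inside (next hop constructed).
EIGRP = [route("172.16.0.0/16", "172.16.255.1", "inside", "eigrp")]
# The static route from the thread:
#   route management 172.16.0.0 255.255.0.0 172.18.10.1
STATIC = [route("172.16.0.0/16", "172.18.10.1", "management", "static")]

TABLE_WITH_STATIC = CONNECTED + EIGRP + STATIC
TABLE_WITHOUT_STATIC = CONNECTED + EIGRP

# Beyond the thread: a more specific EIGRP subnet wins over the static /16
# no matter how low the static route's administrative distance is.
TABLE_SPECIFIC_EIGRP = TABLE_WITH_STATIC + [
    route("172.16.20.0/24", "172.16.255.1", "inside", "eigrp")
]

ADMIN_PC = "172.16.20.5"   # constructed management workstation address


def summary():
    """Egress interface for replies to ADMIN_PC under each routing table."""
    return {
        "with_static": best_route(TABLE_WITH_STATIC, ADMIN_PC).interface,
        "without_static": best_route(TABLE_WITHOUT_STATIC, ADMIN_PC).interface,
        "specific_eigrp": best_route(TABLE_SPECIFIC_EIGRP, ADMIN_PC).interface,
    }


if __name__ == "__main__":
    for name, egress in summary().items():
        print(f"{name:15s} reply leaves via {egress}")
    # Request arrived on 'management'; without the static route the reply
    # would leave via 'inside', an asymmetric flow that the ASA drops.
    print("asymmetric without static route:",
          is_asymmetric("management", ADMIN_PC, TABLE_WITHOUT_STATIC))
```

Run it as a script to see the three egress decisions side by side; the "without_static" row is the situation the original poster hit once the static route was removed, and the design the answer recommends (a management VLAN holding both the ASA management interface and the admin PCs) avoids the problem because request and reply then both stay on the management interface.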

Re: Configuration Failover with Management Interface

Yes, it is a L3 switch. When I made the tests with traceroute, the path was via the management interface, but sometimes it didn't work. Because of the lower administrative distance of the static route, I erased this route when the ASA went into production.

I will make the change that you suggest, putting a PC in the same management VLAN. Thanks a lot for the help Marius.

Regards.
