01-06-2013 11:29 PM - edited 03-11-2019 05:43 PM
hello,
I have a misunderstanding about the management interface configuration in a cluster. So I have a cluster of ASA 5515-X with a management interface. I would like to be able to connect to any member of my cluster on the management interface, so I would like to set a different IP on the management interface on each of my nodes, IP .92 and .91. I think it is the only way to do an ASA firmware update to access the local flash on each node.
My config:
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description LAN/STATE Failover Interface
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91
ospf cost 300
ospf priority 30
ospf network point-to-point non-broadcast
failover
failover lan unit primary
failover lan interface asa GigabitEthernet0/5
failover key *****
failover replication http
failover link asa GigabitEthernet0/5
failover interface ip asa 172.16.255.254 255.255.255.0 standby 172.16.255.253
no monitor-interface management
no monitor-interface Etherchannel
---------
As you can see, and this is my second request, I use OSPF for routing, and with management-only on Management0/0 the IP address is redistributed into OSPF, or with the command "management-only" you can make routing, but the network is still redistributed into OSPF routing. I made a route-map to exclude this interface but I think it should not be the normal way to do it.
route-map RM-select permit 10
match interface Classe1 Backbone97 Backbone98
!
route-map RM-select deny 20
match interface management DMZ
!
!
router ospf 1
router-id 172.16.97.92
network 172.16.97.0 255.255.255.0 area 0
network 172.16.98.0 255.255.255.0 area 0
area 0
log-adj-changes detail
redistribute connected route-map RM-select
interface Port-channel1.10
vlan 10
nameif Classe1
security-level 10
ip address 192.168.10.254 255.255.255.0
!
interface Port-channel1.97
vlan 97
nameif Backbone97
security-level 10
ip address 172.16.97.92 255.255.255.0
ospf cost 10
ospf retransmit-interval 3
ospf priority 2
ospf hello-interval 1
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!
interface Port-channel1.98
vlan 98
nameif Backbone98
security-level 10
ip address 172.16.98.92 255.255.255.0
ospf cost 20
ospf retransmit-interval 3
ospf priority 2
ospf hello-interval 1
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
------------------------
Sorry for my English and thanks for your help.
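An added check, not from the thread or from Cisco: the Python below parses a constructed excerpt of the config above and works out which connected networks `redistribute connected route-map RM-select` would inject into OSPF, so the management subnet can be confirmed absent before trusting the route-map. It assumes standard route-map semantics (first clause naming the interface decides, no matching clause is an implicit deny, clauses appear in sequence order) and that `match interface` refers to the nameif.

```python
import ipaddress

# Constructed excerpt modelled on the config in the post (not a live device).
ASA_CONFIG = """\
interface Management0/0
 nameif management
 ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91
interface Port-channel1.97
 nameif Backbone97
 ip address 172.16.97.92 255.255.255.0
route-map RM-select permit 10
 match interface Classe1 Backbone97 Backbone98
route-map RM-select deny 20
 match interface management DMZ
"""

def parse_interfaces(cfg):
    """Map each nameif to the connected network of its primary IP address."""
    nets, name = {}, None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            name = None                   # new block; nameif not seen yet
        elif w[:1] == ["nameif"]:
            name = w[1]
        elif w[:2] == ["ip", "address"] and name:
            nets[name] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
    return nets

def parse_route_map(cfg, rm_name):
    """Clauses of one route-map in sequence order: [(action, {nameifs})]."""
    clauses, cur = [], None
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["route-map"]:
            cur = (w[2], set()) if w[1] == rm_name else None
            if cur:
                clauses.append(cur)
        elif w[:2] == ["match", "interface"] and cur:
            cur[1].update(w[2:])
    return clauses

def redistributed_networks(cfg, rm_name=None):
    """Connected networks 'redistribute connected [route-map rm_name]' injects."""
    nets = parse_interfaces(cfg)
    # No route-map: every connected network goes in (the poster's complaint).
    clauses = parse_route_map(cfg, rm_name) if rm_name else [("permit", set(nets))]
    # First clause naming the interface decides; no matching clause = implicit deny.
    verdict = {i: next((a for a, ifs in clauses if i in ifs), "deny") for i in nets}
    return {i: str(n) for i, n in nets.items() if verdict[i] == "permit"}
```

Running it with and without the route-map name shows the management network dropping out of the redistributed set only when the route-map is applied.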
01-08-2013 08:12 PM
Hello,
You already did that with this command:
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91
You can now access the secondary unit by attempting to SSH, telnet or ASDM to 100.91 and the active one at 100.92.
Is it normal that I need to make a route map to exclude the management network in OSPF to avoid the routing service publishing the management network?
The management-only command is really picky so you have to be really careful when you use this interface.
You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:
•The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.
So as you can see there is no restriction for that, so yes it is normal.
Regards,
Remember to rate all of the helpful posts
01-08-2013 03:09 PM
No one has an idea?
01-08-2013 04:58 PM
Hello,
Not sure I understand your query.
Is the problem that an OSPF neighborship is being created over the management interface, or is the problem that you cannot create an OSPF neighborship over this interface?
Are you supposed to filter this subnet and that is not the case? Let us know.
Julio
01-08-2013 06:55 PM
I have 2 queries:
How can I configure a different management IP on each member of my cluster node in a cluster?
Is it normal that I need to make a route map to exclude the management network in OSPF to avoid the routing service publishing the management network?
01-08-2013 10:22 PM
OK, thanks for the information about management-only. I hope that it could be less picky in the next ASA release.
I can connect with SSH on both management IPs but I can't with ASDM. Before, I always tested only with ASDM.
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.100.0 255.255.255.0 management
telnet timeout 5
ssh 172.16.100.0 255.255.255.0 management
ssh timeout 5
ssh version 2
01-09-2013 06:17 AM
Hello,
Do you get any specific errors while connecting via ASDM?
Add the following:
aaa authentication http console LOCAL
And give it a try.
01-09-2013 01:13 PM
I have added aaa authentication http console LOCAL but same error.
When I connect to 172.16.100.91 (standby IP on management) I have the error "could not open device 172.16.100.91".
01-09-2013 01:28 PM
From which IP address are you trying to connect?
Regards,
01-09-2013 01:52 PM
I updated ASDM on both nodes and I can connect to both management IPs with the new ASDM. Thanks for your help.