Management interface in cluster ASA

fcorfdir
Level 1

Hello,

I have a misunderstanding about management interface configuration in a cluster. I have a cluster of ASA 5515-X with a management interface. I would like to be able to connect to any member of my cluster on the management interface, so I would like to set a different IP on the management interface of each of my nodes, IP 92 and 91. I think it is the only way to make an ASA firmware update able to access the local flash on each node.

my config

interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 description LAN/STATE Failover Interface
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91
 ospf cost 300
 ospf priority 30
 ospf network point-to-point non-broadcast
failover
failover lan unit primary
failover lan interface asa GigabitEthernet0/5
failover key *****
failover replication http
failover link asa GigabitEthernet0/5
failover interface ip asa 172.16.255.254 255.255.255.0 standby 172.16.255.253
no monitor-interface management
no monitor-interface Etherchannel

---------

As you can see, and this is my second request, I use OSPF for routing, and with management-only on Management0/0 the IP address is redistributed in OSPF, or with the command "management-only" you can make routing, but the network is still redistributed in OSPF routing. I made a route-map to exclude this interface, but I think it should not be the normal way to do it.

route-map RM-select permit 10
 match interface Classe1 Backbone97 Backbone98
!
route-map RM-select deny 20
 match interface management DMZ
!
!
router ospf 1
 router-id 172.16.97.92
 network 172.16.97.0 255.255.255.0 area 0
 network 172.16.98.0 255.255.255.0 area 0
 area 0
 log-adj-changes detail
 redistribute connected route-map RM-select
interface Port-channel1.10
 vlan 10
 nameif Classe1
 security-level 10
 ip address 192.168.10.254 255.255.255.0
!
interface Port-channel1.97
 vlan 97
 nameif Backbone97
 security-level 10
 ip address 172.16.97.92 255.255.255.0
 ospf cost 10
 ospf retransmit-interval 3
 ospf priority 2
 ospf hello-interval 1
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest
!
interface Port-channel1.98
 vlan 98
 nameif Backbone98
 security-level 10
 ip address 172.16.98.92 255.255.255.0
 ospf cost 20
 ospf retransmit-interval 3
 ospf priority 2
 ospf hello-interval 1
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest

------------------------

Sorry for my English and thanks for your help.
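As an added example (not from the thread and not Cisco code), here is a small Python checker that reads an ASA configuration in the form shown above, applies the route-map used by `redistribute connected` with standard route-map semantics (clauses evaluated in order, first match wins, a nameif matched by no clause is denied), and lists which connected subnets would be advertised into OSPF together with a flag for management-only interfaces. The sample config is constructed from the interfaces and route-map in the post, and the route-map name is passed in by the caller rather than read from the `router ospf` block.

```python
import ipaddress
import re

def parse(cfg):
    """One pass over ASA config text: {nameif: interface info}, {route-map: clauses}."""
    ifaces, rmaps, cur = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                  # top-level line starts a new block
            cur = {"net": None, "mgmt": False} if line.startswith("interface ") else None
            if m := re.fullmatch(r"route-map (\S+) (permit|deny) \d+", line):
                cur = (m.group(2), set())
                rmaps.setdefault(m.group(1), []).append(cur)
        elif isinstance(cur, dict):                  # inside an interface block
            if line.startswith("nameif "):
                ifaces[line.split()[1]] = cur
            elif line == "management-only":
                cur["mgmt"] = True
            elif line.startswith("ip address "):     # the standby address is ignored
                cur["net"] = ipaddress.ip_network("/".join(line.split()[2:4]), strict=False)
        elif isinstance(cur, tuple) and line.startswith("match interface "):
            cur[1].update(line.split()[2:])          # an empty set means the clause matches all
    return ifaces, rmaps

def advertised(cfg, route_map=None):
    """{nameif: (subnet, management_only)} that `redistribute connected` would pass."""
    ifaces, rmaps = parse(cfg)
    clauses = rmaps[route_map] if route_map else [("permit", set())]  # no map: permit all
    out = {}
    for name, d in ifaces.items():
        for action, matched in clauses:              # first matching clause wins
            if d["net"] and (not matched or name in matched):
                if action == "permit":
                    out[name] = (str(d["net"]), d["mgmt"])
                break                                # matched by no clause: implicit deny
    return out

CONFIG = """\
interface Management0/0
 management-only
 nameif management
 ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91
interface Port-channel1.97
 nameif Backbone97
 ip address 172.16.97.92 255.255.255.0
route-map RM-select permit 10
 match interface Classe1 Backbone97 Backbone98
route-map RM-select deny 20
 match interface management DMZ
"""  # constructed sample using the interfaces and route-map shown in the post
```

Comparing `advertised(CONFIG, "RM-select")` with `advertised(CONFIG)` shows the difference the route-map makes: with it only the Backbone97 subnet is advertised, without it the management-only subnet 172.16.100.0/24 is advertised as well.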

Accepted Solution

Hello,

You already did that with this command:

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.100.92 255.255.255.0 standby 172.16.100.91

You can now access the secondary unit by attempting to SSH, telnet or ASDM to 100.91, and the active one at 100.92.

Is it normal that I need to make a route map to exclude the management network in OSPF to avoid the routing service publishing the management network?

The management-only command is really picky, so you have to be really careful when you use this interface.

Management 0/0 Interface on the ASA 5500-X Series

You manage the ASA through the Management 0/0 interface on the ASA 5512-X through ASA 5555-X models. The Management 0/0 interface has the following characteristics:

- No through traffic support
- No subinterface support
- No priority queue support
- No multicast MAC support

The IPS SSP software module and the ASA share the Management 0/0 interface; however, each has its own separate MAC addresses and IP addresses. You must configure the IPS IP address within the IPS operating system. However, you configure physical characteristics (such as enabling the interface) on the ASA.

So as you can see there is no restriction for that, so yes, it is normal.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


9 Replies

fcorfdir
Level 1

No one has an idea?

Hello,

Not sure I understand your query,

Is the problem that an OSPF neighborship is being created over the management interface, or is the problem that you cannot create an OSPF neighborship over this interface?

Are you supposed to filter this subnet and it is not being the case? Let us know.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have 2 queries:

How can I configure a different management IP on each member node of my cluster?

Is it normal that I need to make a route map to exclude the management network in OSPF to avoid the routing service publishing the management network?

OK, thanks for the information about management-only. I hope that it could be less picky in the next ASA release.

I can connect via SSH on both management IPs but I can't with ASDM. Before, I always tested only with ASDM.

user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.100.0 255.255.255.0 management
telnet timeout 5
ssh 172.16.100.0 255.255.255.0 management
ssh timeout 5
ssh version 2

Hello,

Do you get any specific errors while connecting via ASDM?

Add the following

aaa authentication http console LOCAL

And give it a try

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have added aaa authentication http console LOCAL but same error.

When I connect to 172.16.100.91 (standby IP on management) I have the error "could not open device 172.16.100.91".

From which IP address are you trying to connect?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I updated ASDM on both nodes and I can connect to both management IPs with the new ASDM. Thanks for your help.
