https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503361#M235727 <P>Starting with <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html">code 9.4</A>, you can specifically disable monitoring for certain interfaces such as management.</P> <P></P> <P>This is also configured in the cluster configuration.</P> <P></P> <P><SPAN style="font-family: courier new,courier,monospace;">cluster group MyClusterGroup</SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;no health-check monitor-interface Management0/0</SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;no health-check monitor-interface Management0/1</SPAN></P> <P><SPAN style="font-family: courier new,courier,monospace;">!</SPAN></P> Fri, 05 Feb 2016 01:56:01 GMT johnnylingo 2016-02-05T01:56:01Z https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503359#M235720 <P>Hi,</P><P>&nbsp;</P><P>when deploying four ASA&nbsp;firewalls in cluster mode, the health check monitoring cannot be customized like for Active/Passive setup?</P><P>&nbsp;</P><P>For example, we&nbsp;don't want a FW member to leave the cluster&nbsp;if the management interface goes down.</P><P>&nbsp;</P><P>Another example would be that all the interfaces in the FWs are port-channels, so we&nbsp;don't want to have a unit removed from the cluster because 1 physical interface has gone down, and all the port channel still&nbsp;up.</P><P>&nbsp;</P><P>which are the commands to tune the interface health check when using four FWs in cluster mode?</P><P>Because we&nbsp;assigned port channels as the cluster interface, will a FW member not be removed until the Port Channel goes down or anytime a phyical interface goes down the cluster member will be removed?</P><P>&nbsp;</P><P>Thank you very much.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>J</P> Tue, 12 Mar 2019 04:36:26 GMT https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503359#M235720 Jordi Benet 2019-03-12T04:36:26Z https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503360#M235726 <P>Hi,</P><P>&nbsp;</P><P>By default in clustering healthchecking is enabled....</P><P>Below mentioned excerpt from cisco document will be helpful.</P><H2 class="pCRC_CmdRefCommand">health-check</H2><P class="pB1_Body1"><A name="pgfId-1821139"></A>To enab;e the cluster health check feature, use the <B class="cBold"> health-check </B> command in cluster group configuration mode. To the health check, use the <B class="cBold"> no</B> form of this command.</P><P class="pCENB_CmdEnv_NoBold"><A name="pgfId-1821140"></A><B class="cBold"> health-check </B> [<B class="cBold"> holdtime</B> <EM class="cEmphasis"> timeout</EM> ] [<B class="cBold"> vss-enabled</B> ]</P><P class="pCENB_CmdEnv_NoBold"><A name="pgfId-1821141"></A><B class="cCN_CmdName"> no </B> <B class="cBold"> health-check </B> [<B class="cBold"> holdtime</B> <EM class="cEmphasis"> timeout</EM> ] [<B class="cBold"> vss-enabled</B> ]</P><DIV><H3 class="pCRSD_CmdRefSynDesc"><A name="pgfId-1821147"></A></H3><DIV>&nbsp;</DIV>Syntax Description<DIV align="left"><TABLE border="1" cellpadding="3" cellspacing="0" width="80%"><TBODY><TR align="left" valign="top"><TD><P class="pB1_Body1"><A name="pgfId-1821144"></A><B class="cBold"> holdtime</B> <EM class="cEmphasis"> timeout</EM></P></TD><TD><P class="pB1_Body1"><A name="pgfId-1821146"></A>(Optional) Determines the amount of time between keepalive or interface status messages, between .8 and 45 seconds. The default is 3 seconds.</P></TD></TR><TR align="left" valign="top"><TD><P class="pB1_Body1"><A name="pgfId-1841768"></A><B class="cBold"> vss-enabled</B></P></TD><TD><P class="pB1_Body1"><A name="pgfId-1841780"></A>If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the <B class="cBold"> vss-enabled</B> option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable <B class="cBold"> vss-enabled</B> , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.</P></TD></TR></TBODY></TABLE></DIV></DIV><DIV><H3 class="pCRCD_CmdRefCmdDefault"><A name="pgfId-1821148"></A></H3><DIV>&nbsp;</DIV>Command Default<P class="pB1_Body1"><A name="pgfId-1821149"></A>Health check is enabled by default, with a holdtime of 3 seconds.</P><P class="pB1_Body1">&nbsp;</P><P class="pB1_Body1">Regards</P><P class="pB1_Body1">Karthik</P></DIV> Wed, 13 Aug 2014 12:47:18 GMT https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503360#M235726 nkarthikeyan 2014-08-13T12:47:18Z https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503361#M235727 <P>Starting with <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html">code 9.4</A>, you can specifically disable monitoring for certain interfaces such as management.</P> <P></P> <P>This is also configured in the cluster configuration.</P> <P></P> <P><SPAN style="font-family: courier new,courier,monospace;">cluster group MyClusterGroup</SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;no health-check monitor-interface Management0/0</SPAN><BR /><SPAN style="font-family: courier new,courier,monospace;">&nbsp;no health-check monitor-interface Management0/1</SPAN></P> <P><SPAN style="font-family: courier new,courier,monospace;">!</SPAN></P> Fri, 05 Feb 2016 01:56:01 GMT https://community.cisco.com/t5/network-security/asa-cluster-interface-health-check/m-p/2503361#M235727 johnnylingo 2016-02-05T01:56:01Z