topic Thanks Marvin,Based on the in Network Security

ASA CCL cluster link requirment

fsebera — Tue, 12 Mar 2019 04:13:31 GMT

Hi guys,

We have 2 geographic dispersed sites with 500Mbps throughput Internet access on both. We currently have 1 ASA 5585-x firewall at each site. We would like to enable clustering between the firewalls.

Is the Cluster Control Link (CCL) requirement 10Gbps and 10ms latency or less (20ms round trip)

is this a highly recommended suggestion.

And if this is a recommendation and we only have 500Mbps internet throughput, could we get away with CCL being something less than 10Gbps?

Suggestions please!!

Thank you

Frank

The 10 ms latency is a hard

Marvin Rhoads — Wed, 21 May 2014 13:24:26 GMT

The 10 ms latency is a hard requirement and requires 9.1(4). The bandwidth is not mandatory but it must match the maximum forwarding capacity of each member.

Please refer to Cisco Live! presentation BRKSEC-3032, slide 26.

I would assume you have dome sort of interconnect between your outside switches as well as the cluster members all have outside interfaces addressed from a single pool.

Hi Marvin,Excellent, Our

fsebera — Wed, 21 May 2014 13:33:08 GMT

Hi Marvin,

Excellent, Our current link latency 1-way is 6ms and IOS version can/will be upgraded!

Cisco Live! presentation - would/could you provide a link -PLEASE.

Inside and outside connectivity is good too; simple 3750-x stacks

1 question:

If our internet links are 500Mbps each, x2 = 1Gbps, does this mean the CCL should be at least 1Gbps or better?

Our internal (inside) links are 1 Gbps links but due to the Internet bottle neck are automatically slowed to 500Mbps too.

Thank you

Frank

The presentation is here.

Marvin Rhoads — Wed, 21 May 2014 13:54:44 GMT

The presentation is here. There are also a number of slides on different inter-DC clustering scenarios and differences between 9.1 and 9.2 in that regard.

You may need to setup a (free) Cisco Live 365 userid (separate from cisco.com ID) to be able to access and download the slides.

While I suppose the CCL could technically be 500 Mbps, the practical amount would be 1 Gbps as it needs to be a dedicated link (not shared with any other service).

Thanks Marvin,Based on the

fsebera — Wed, 21 May 2014 13:54:45 GMT

Thanks Marvin,

Based on the Cisco TAC Podcast, I was afraid I would need a 10Gbps CCL link but appears now I am good with a 1 Gbps link (for now) until my throughput requirements increase. Excellent.

Thank you again for the quick responses, appreciate your support!

Frank

You're welcome, thanks for

Marvin Rhoads — Wed, 21 May 2014 14:17:31 GMT

You're welcome, thanks for the rating.

I would not generally contradict anything the guys on the TAC Security Podcast say - that's an excellent resource. I've learned a lot listening to them.

I believe, however, in this case they were assuming that any 5585-X cluster would be using the the bandwidth of one (or more) 10 Gbps interface for their production traffic. In that case, you definitely would not want the CCL to be 1 Gbps.

Hi Marvin,

Jacob Samuel — Wed, 28 Sep 2016 13:05:17 GMT

Hi Marvin,

I have a query related to CCL Link.

Is the CCL links are encrypted by default? if Yes, is it SSL?

Or do we need to enable any command to do the encryption?

thanks

Jacob

Jacob,

Marvin Rhoads — Thu, 29 Sep 2016 05:35:04 GMT

Jacob,

I do not believe ASA Cluster Control Links have any encryption - either by default or as an option.

Update - correct answer provided by Aditya.

Marvin,

Jacob Samuel — Thu, 29 Sep 2016 05:35:05 GMT

Marvin,

Thanks for your update. I am a bit confused, below is a quote from a Cisco LLD document provided to my customer by Cisco Advanced Services.

"New cluster members must use the same SSL encryption setting (the ssl encryption command) as the master unit for initial cluster control link communication before configuration replication."

But I didn't see any config related to encryption in the config provided in NIP Document, that's why I asked is it enabled by default or not.

This quote from Cisco Live Doc attached also mentioned (Page 37 Preparation Check List) something related to encryption, but still not clear.

"All cluster members must have matching 3DES and 10GE I/O licenses"

Appreciate if you could help.

thanks

Jacob

Hi Jacob,

Aditya Ganjoo — Thu, 29 Sep 2016 06:07:25 GMT

Hi Jacob,

Yes CCL uses SSL encryption for communication to the slave members and if the licenses and SSL encryption is not same it would fail to form a cluster.

Check this link for more info:

http://www.cisco.com/en/US/products/ps12726/products_tech_note09186a0080c03900.shtml

Regards,

Aditya

Please rate helpful posts and mark correct answers.

@Aditya Ganjoo ,

Marvin Rhoads — Thu, 29 Sep 2016 15:14:22 GMT

adganjoo ,

I stand corrected. Thanks for the update.

Edited my earlier reply.