topic Re: ASA Cluster: HA Config in Network Security

ASA Cluster: HA Config

floki — Fri, 21 Feb 2020 16:53:13 GMT

Good Day,

So here's our configuration for the Cluster:

cluster group ASA-Cluster
local-unit ASA-2
cluster-interface GigabitEthernet1/8 ip 172.200.200.120 255.255.255.0
priority 50
console-replicate
health-check holdtime 3
health-check data-interface auto-rejoin 3 5 2
health-check cluster-interface auto-rejoin unlimited 5 1
no health-check monitor-interface Management1/1
no health-check monitor-interface Port-channel2
no health-check monitor-interface Port-channel3
no health-check monitor-interface Port-channel4
clacp system-mac auto system-priority 1
enable

That's also the config of the other ASA of course just the local-unit ID is changed. Anyway, when we tested to Power off one of the ASA in the cluster, the cluster control link also goes down, which will make the portchannels to go down. When the port-channels go down, the traffic from the inside interfaces (port-channel members) can't pass the traffic.

Is there a way that will make the port-channels stays UP and running even if the CCL is down? We don't use switch, just a cable between the cluster.

Thanks

Re: ASA Cluster: HA Config

floki — Sat, 02 Mar 2019 13:49:23 GMT

Can I also configure a CCL to a switch and make another cluster link interface configuration on the Cluster Group? If so, will the data portchannels stays UP even though 1 CCL is down?

Re: ASA Cluster: HA Config

balaji.bandi — Sat, 02 Mar 2019 21:04:26 GMT

We do not have your network topology and full configuration and how your switch side configured. so it hard to tell what is wrong.

suggest to post the enough information to understand better your problem, why this links are going down.

this is reference guide for HA cluster :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-cluster.pdf

Re: ASA Cluster: HA Config

floki — Sun, 03 Mar 2019 07:23:33 GMT

Hi, Thanks for your reply. Here's our config & Topology for the ASA:

There's only one CCL in between of the firewall that is configured in Interface Gigabit 1/8

All other interfaces are data interface.

Is there a work around like having another port channel for CCL interfaces and then assigning two interface of each cisco asa as cluster link. One interface of each will be connected just like in the topology and the other interface of each will be connected to the switch? So that when the ASA is turned off or the switch is turned off, there will still be a High Availability?

Thanks a lot

ip local pool Management-Pool 192.168.5.2-192.168.5.3
!
interface GigabitEthernet1/1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
channel-group 2 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
channel-group 3 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
channel-group 4 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Clustering Interface
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.5.1 255.255.255.0 cluster-pool Management-Pool 
!
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.bbbb.cccc standby cccc.bbbb.aaaa
nameif outside
security-level 0
ip address 172.16.16.181 255.255.255.0 
!
interface Port-channel2
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.dddd.cccc standby cccc.dddd.aaaa
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0 
!
interface Port-channel3
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.eeee.cccc standby cccc.eeee.aaaa
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0 
!
interface Port-channel4
lacp max-bundle 8
port-channel span-cluster
mac-address aaaa.ffff.cccc standby cccc.ffff.aaaa
nameif inside3
security-level 100
ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object network INSIDE1_CLIENT
host 192.168.1.2
description INSIDE1_HOST
object network VMWARE-ESXI-SERVER_CLIENT
host 172.16.16.23
description ESXI SERVER
object network NAT_OUTSIDE_1
host 172.16.16.183
description inside1 host mapped IP
object network NAT_OUTSIDE_2
host 172.16.16.184
description Inside2 host mapped IP
object network INSIDE2_CLIENT
host 192.168.2.2
description INSIDE2_HOST
object network INSIDE3_CLIENT
host 192.168.3.2
description INSIDE3_HOST
object network NAT_OUTSIDE_3
host 172.16.16.185
description Inside3 host mapped IP
cluster group ASA-Cluster
local-unit ASA-2
cluster-interface GigabitEthernet1/8 ip 172.200.200.120 255.255.255.0
priority 50
console-replicate
health-check holdtime 3
health-check data-interface auto-rejoin 3 5 2
health-check cluster-interface auto-rejoin unlimited 5 1
no health-check monitor-interface Management1/1
no health-check monitor-interface Port-channel2
no health-check monitor-interface Port-channel3
no health-check monitor-interface Port-channel4
clacp system-mac auto system-priority 1
enable
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu cluster 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map 
inspect ftp 
inspect rsh 
inspect esmtp 
inspect sqlnet 
inspect sunrpc 
inspect xdmcp 
inspect sip 
inspect netbios 
inspect tftp 
inspect ip-options 
!

Re: ASA Cluster: HA Config

Ilkin — Tue, 05 Mar 2019 12:19:22 GMT

Is there a way that will make the port-channels stays UP and running even if the CCL is down? We don't use switch, just a cable between the cluster.

Thanks

No, by design on a cluster unit if CCL goes down, then clustering is disabled all data interfaces are shut down.

Re: ASA Cluster: HA Config

floki — Wed, 06 Mar 2019 00:02:35 GMT

What about having two CCL? One CCL connected between ASA firewalls and the second connects from the Firewalls to a Switch. When one Firewall goes down, will the port-channels still be up and running? Since the CCL connected from firewall to switch is still UP?

Re: ASA Cluster: HA Config

Ilkin — Wed, 06 Mar 2019 17:25:36 GMT

Currently only one CCL per cluster group is supported.