ASA 5525 Cluster Failover Traffic Problem ?

ida71
Level 1

I have two locations running ASA 5525s as a cluster in each location. They run an S-2-S VPN between them & replicate some database info using mirroring.


If I switch Master/Slave then the DB mirror reports as down. Initially this was suspected to be due to a lack of NAT IPs allocated to the cluster. I resolved this & the NAT error messages stopped, but the mirror problem persists. I have added reverse route injection to the VPN & set it to be NAT exempt, but still get these mirror broken messages.


Any ideas ?

3 Replies

balaji.bandi
Hall of Fame

We need some more information: how your configuration looks and a high-level diagram of how they are connected.


Post the complete logs here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ida71
Level 1

Wait one, turns out whilst testing this this morning one of the DB servers was doing updates & the mirror was broken, so it may be OK. I'll post an update once the DB team have fixed their issue & we have tested again.

ida71
Level 1

So after further diagnosis the issue appears to be caused by a differential MTU size between the Master and Slave. When Unit B is Master it provides an MTU of 1436 from DB1 to DB2 for the replication. When Unit A is made master this drops to an MTU of 1358 & traffic fails.


Checking both ASAs, they have MSS set to 1380, so I am slightly concerned that the path via one FW is below this & the other is above it.

Any ideas greatly appreciated.


Cheers
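As an added example (not from the thread or from Cisco), a small Python check that puts the posted numbers side by side: the 1380-byte MSS clamp on both ASAs against the 1436 and 1358 path MTUs seen from DB1 to DB2. It assumes IPv4 with a 20-byte header and a TCP header without options (20 bytes); adjust both for your own traffic.

```python
# Added example, not from the thread: check a TCP MSS clamp against an
# observed path MTU. Header sizes are assumptions: IPv4 without options (20)
# and TCP without options (20). IPv6 or TCP options change the arithmetic.

IPV4_HEADER = 20
TCP_HEADER = 20


def max_packet_for_mss(mss, ip_header=IPV4_HEADER, tcp_header=TCP_HEADER):
    """Largest IP packet a sender emits for a full-size segment at this MSS."""
    return mss + ip_header + tcp_header


def mss_for_path_mtu(path_mtu, ip_header=IPV4_HEADER, tcp_header=TCP_HEADER):
    """Largest MSS whose full-size segments still fit the path unfragmented."""
    return path_mtu - ip_header - tcp_header


def check_path(mss, path_mtu, label):
    """Verdict for one path: does a full-size segment get through?

    TCP normally sends with DF set, so an oversized packet is dropped and the
    sender relies on an ICMP 'fragmentation needed' coming back. If that ICMP
    is filtered somewhere, bulk transfers stall while small exchanges work,
    which matches 'traffic fails' only when the smaller-MTU unit is master.
    """
    packet = max_packet_for_mss(mss)
    fits = packet <= path_mtu
    return {
        "path": label,
        "mss": mss,
        "full_packet": packet,
        "path_mtu": path_mtu,
        "fits": fits,
        "mss_needed": mss_for_path_mtu(path_mtu),
        "overshoot": 0 if fits else packet - path_mtu,
    }


# Values from the thread: MSS 1380 on both ASAs, MTU observed DB1 -> DB2.
OBSERVED = {"Unit B master": 1436, "Unit A master": 1358}


def check_all(mss=1380, observed=OBSERVED):
    return [check_path(mss, mtu, label) for label, mtu in observed.items()]


if __name__ == "__main__":
    for r in check_all():
        state = "OK" if r["fits"] else f"FAILS by {r['overshoot']} B, clamp MSS to {r['mss_needed']}"
        print(f"{r['path']}: {r['full_packet']}-byte packet vs MTU {r['path_mtu']} -> {state}")
```

Running it shows the 1380 clamp produces 1420-byte packets, which fit the 1436 path but exceed the 1358 path by 62 bytes, so the clamp would need to be 1318 for that path.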
