Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
3
Replies

ASA 5525 Cluster Failover Traffic Problem ?

ida71
Level 1
Level 1

‎10-06-2020 12:20 AM

I have a two locations running ASA5525's as cluster in each location. They run a S-2-S VPN between them & replicate some database info using Mirroring.

 

If I switch Master/Slave then the DB Mirror reports as down. Initially this was suspected to be due to a lack of NAT IP's allocated to the Cluster. I resolved this & the NAT error messages stopped, but mirror problem persists. I have added reverse route injection to the VPN & set it to be NAT exempt, but still get these mirror broken messages.

 

Any ideas ?

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎10-06-2020 02:38 AM

we need some more information, how your configuration and high level diagram how they conencted.

 

post the complete logs here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

ida71
Level 1
Level 1

‎10-06-2020 02:46 AM

Wait one, turns out whilst testing this this morning one of the DB servers was doing updates  & mirror was broken, so it may be OK. I'll post an update once the DB team have fixed their issue & we have tested again.

0 Helpful

ida71
Level 1
Level 1

‎10-06-2020 07:44 AM

So after further diagnosis the issue appears to be caused by a differential MTU size between the Master and Slave. When Unit B is Master it provides an MTU of 1436 from DB1 to DB2 for the replication. When Unit A is made master this drops to an MTU of 1358 & traffic fails.

 

Checking both ASA's they have MSS set to 1380, so slightly concerned that the path via one FW is below this & the other is above it.

Any ideas greatly appreciated.

 

Cheers

0 Helpful
Customers Also Viewed These Support Documents