Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4971
Views
0
Helpful
2
Replies

ASA Cluster interface health check

Jordi Benet
Level 1
Level 1

‎08-10-2014 02:20 AM - edited ‎03-11-2019 09:36 PM

Hi,

 

when deploying four ASA firewalls in cluster mode, the health check monitoring cannot be customized like for Active/Passive setup?

 

For example, we don't want a FW member to leave the cluster if the management interface goes down.

 

Another example would be that all the interfaces in the FWs are port-channels, so we don't want to have a unit removed from the cluster because 1 physical interface has gone down, and all the port channel still up.

 

which are the commands to tune the interface health check when using four FWs in cluster mode?

Because we assigned port channels as the cluster interface, will a FW member not be removed until the Port Channel goes down or anytime a phyical interface goes down the cluster member will be removed?

 

Thank you very much.

 

Regards,

 

J

Labels:
0 Helpful
2 Replies 2

nkarthikeyan
Level 7
Level 7

‎08-13-2014 05:47 AM

Hi,

 

By default in clustering healthchecking is enabled....

Below mentioned excerpt from cisco document will be helpful.

health-check

To enab;e the cluster health check feature, use the health-check command in cluster group configuration mode. To the health check, use the no form of this command.

health-check [ holdtime timeout ] [ vss-enabled ]

no health-check [ holdtime timeout ] [ vss-enabled ]

 
Syntax Description

holdtime timeout

(Optional) Determines the amount of time between keepalive or interface status messages, between .8 and 45 seconds. The default is 3 seconds.

vss-enabled

If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.

 
Command Default

Health check is enabled by default, with a holdtime of 3 seconds.

 

Regards

Karthik

0 Helpful

johnnylingo
Level 5
Level 5

‎02-04-2016 05:56 PM

Starting with code 9.4, you can specifically disable monitoring for certain interfaces such as management.

This is also configured in the cluster configuration.

cluster group MyClusterGroup
 no health-check monitor-interface Management0/0
 no health-check monitor-interface Management0/1

!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card