ASA cluster 5525

brat33333
Level 1

Good afternoon.
In order to increase fault tolerance, it is necessary to combine 2 x ASA-5525 into a cluster.
On one side there is a stack of 3850 switches (office), on the other a MikroTik (Internet).

I plan:
CCL: through the switch, a separate EtherChannel, for example gig0/3-4 on ASA1 and gig0/3-4 on ASA2.
DATA: combine the ports using a spanned EtherChannel, for example gig1/0/1, gig2/0/1, gig2/0/1, gig2/0/2 on the switch stack and ge0/0-1 on the ASAs (1-2).
Exit to the Internet: make an EtherChannel towards the MikroTik, on which two ports are combined in a bond. The question is, is it possible to add only one port from ASA1 (gig0/1) and one port from ASA2 (gig0/1) to the EtherChannel if they are in the cluster, and will it work?

Another question, because the change must be made on a working configuration: is it possible to avoid clearing the IP addresses and sub-interface names when adding them to a spanned port-channel?

Thank you in advance for your comments.

Accepted Solution

Marvin Rhoads
Hall of Fame

Is there a reason you are choosing clustering vs. Active-Standby failover? You're building a lot of complexity and incurring technical debt for marginal gains by going the clustering route.


Also the 3850 is not supported in spanned Etherchannel mode due to asymmetric load balancing. Your outside Microtik switches are not supported at all with ASA clustering.


https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-137822

5 Replies

jumora1
Level 1

Think of this as if you have no failover and you have a single device: a port-channel in a basic setup will have at least 2 interfaces, and if one goes down it will still forward traffic, but there is no sense in configuring a port-channel for just one interface.

You configure g0/1 and g0/2 for a port-channel on the switch, and they have to come from the ASA to a switch. Now, you can configure cross-stacking on newer versions, but I think that you are confused about the function.

Let me know if I'm getting this right?

You want to configure a port-channel on a switch and connect ASA1 and ASA2 to the same port-channel?

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com

Thanks for the answer.

The official guide says:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/ha-cluster.html

"For a 2-member cluster, do not directly connect the cluster control link from one ASA to the other ASA. ... fails. If you connect the cluster control link through a switch, then the cluster control link remains up for the healthy unit."

I'm really a little confused.
As for the CCL:
I cannot connect the 2 ASAs to each other with a cable, because the failure of one ASA pulls down the second one.
The thing is that I plan to connect the ASAs to the stack (!) of switches, each to each. One of the switches can also fail, but the link to the ASA is not lost. I.e. ASA1-SW1-SW2, ASA2-SW1-SW2; for this I want to combine the ASA ports in a port-channel on the switch.

Concerning DATA:
At the moment, the link with the ASA is on the MikroTik on one port with an IP address. In the future, when the cluster is assembled, it is necessary that two ports, one from each ASA, come to the MikroTik (Internet). For this, I want to merge the ports on the MikroTik into a bond, the analog of a port-channel in Cisco. Accordingly, the question is, how will they work together with the ASA?

Thank you. If I misunderstood something or wrote something wrong, it might be the Google translator)

OK, yes, you will need to configure the port-channel and remove the nameif. You can edit the configuration, upload it to the device and boot the config from it. On that version the ASA is supposed to support cross-stacking, but from my understanding there will be a switch between the ISP and your ASA; let me know if I'm wrong...

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com
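As an added illustration (not configuration posted by anyone in this thread), this is the ASA-side shape of what jumora1 describes: the nameif and IP address come off the physical interface and are re-created on the spanned Port-channel, with a separate, non-spanned Port-channel for the CCL. Interface numbers, the cluster/unit names and all addresses are assumed placeholders, and it shows only the ASA side; the switch-side support caveat from the accepted answer is unchanged.

```text
! --- Before: the physical interface carries the data configuration ---
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! --- After: set spanned mode, strip the physical interface, move the
! --- name/address onto the spanned port-channel (placeholder values)
cluster interface-mode spanned force
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 channel-group 2 mode active
 no shutdown
!
interface Port-channel2
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Cluster control link: an ordinary EtherChannel per unit, through the switch
interface GigabitEthernet0/3
 channel-group 1 mode on
 no shutdown
interface GigabitEthernet0/4
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description CCL
!
! Bootstrap on unit 1 (unit 2 uses its own local-unit and CCL address)
cluster group cluster1
 local-unit asa1
 cluster-interface Port-channel1 ip 198.51.100.1 255.255.255.0
 priority 1
 enable
```

Sub-interfaces follow the same pattern: their nameif and addresses are re-created on Port-channel2.N rather than on the physical sub-interface.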

Thanks for the support. I will return to this topic after I try to do it.
