when deploying four ASA firewalls in cluster mode, the health check monitoring cannot be customized like for Active/Passive setup?
For example, we don't want a FW member to leave the cluster if the management interface goes down.
Another example would be that all the interfaces in the FWs are port-channels, so we don't want to have a unit removed from the cluster because 1 physical interface has gone down, and all the port channel still up.
which are the commands to tune the interface health check when using four FWs in cluster mode?
Because we assigned port channels as the cluster interface, will a FW member not be removed until the Port Channel goes down or anytime a phyical interface goes down the cluster member will be removed?
Thank you very much.
By default in clustering healthchecking is enabled....
Below mentioned excerpt from cisco document will be helpful.
If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
Starting with code 9.4, you can specifically disable monitoring for certain interfaces such as management.
This is also configured in the cluster configuration.
cluster group MyClusterGroup
no health-check monitor-interface Management0/0
no health-check monitor-interface Management0/1