Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2460
Views
0
Helpful
3
Replies

ASA clustering across 2 sites

mulhollandm
Level 1
Level 1

‎02-23-2016 02:41 PM - edited ‎03-12-2019 12:23 AM

folks

I'm looking for your views on implementing ASA clustering (spanned etherchannel) across 2 data centres

I have one ISP with a link into each site

my plan is to have a single appliance in each site with a dedicated CCL 10Gb link between the firewalls in order to allow me to have an active/active setup

I've set up ASA ha active/passive loads of times but never clustering so I'm keen to hear of your experiences/views as I'm wondering if the complexity is of any benefit for only 2 appliances 

thanks for anyone taking the time to post their views

 

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Joel
Level 1
Level 1

‎02-25-2016 06:33 AM

Hi,

How is the routing towards the ISP working? Is the ISP bringing in CE routers and creating HSRP groups where your ASA will default route towards? Are you planning to load share the two links? Are your public addresses advertised via both ISP links?

I have had a similar project recently where the company decided on a dual-homed setup. We also had two DCs with an Internet bearer in each with 10Gbps pipes between them. The current perimeter at this place, splits firewall clusters across the DCI and it causes issues. Traffic tromboning, potential split-brain, STP and under-utilizing second bearer.

Our new design is to treat each DC as their own perimeter and avoid trunking VLANs across DCI avoiding STP. Each DC has an A/S setup with firewalls. It does mean more kit but more stable environment.

Joel

0 Helpful

mulhollandm
Level 1
Level 1
In response to Joel

‎03-04-2016 07:56 AM

joel

many thanks for your reply and apologies for the delay in getting back to you

my setup is along the lines you mentioned so i've set the cluster up in a lab and I'm starting to pull cables etc to see how it behaves

I'm not yet convinced of the benefits a 2 node cluster over 2 node active/standby but i'll continue to test

thanks again for your response

0 Helpful

franklinb
Level 1
Level 1

‎03-09-2016 02:02 PM

I'm in the same boat as you except I cannot do spanned etherchannel mode. I assume that you are running vPC across your ISP links? Without that you won't be able to run spanned-etherchannel either. 

This CiscoLive slide describes the current limitations/requirements around multi-site clustering:

http://www.alcatron.net/Cisco%20Live%202015%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3032%20Advanced%20-%20ASA%20Clustering%20Deep%20Dive.pdf

I don't have this option available - we don't run vPC across our DCI (OTV) but it is fast enough and low enough latency so I am considering the only other option - individual interface mode. This is a strange topology compared to what I'm used to (failover pair) but it does seem sound. Unfortunately I can't find any examples of other customers using this.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card