
Cisco ASA cluster H323 inspection issue

Ivan Prikhodko
Level 1

Dears,

 

I hope somebody can advise me on a solution for how to handle H323 connections on a newly installed ASA 5525-X cluster without inspection available.

As I understand it, the documentation states that the H323 inspection feature is not available on clustered devices, and I have also got a notification about it from the console:

ASA(config-pmap-c)# inspect h323 h225
ERROR: This command is not allowed when clustering is enabled

ASA(config-pmap-c)# inspect h323 ras
ERROR: This command is not allowed when clustering is enabled

 

Please help,

Thank you in advance.

Accepted Solution

rvarelac
Level 7

Hi Ivan , 

 

You're right, unfortunately this inspection is not supported while the ASA is configured in cluster mode. If you only have 2 ASAs you can use an Active/Active failover as a workaround.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html

 

Hope it helps

-Randy-


3 Replies


Dear Randy,

 

Thank you very much for the reply.

I was trying to apply some workaround to keep the cluster up and running, but for some reason with no luck. Thus, I reverted to a failover pair, with H323 inspection available.

The question is: why is there a limitation in place? Is it that hard to manage H323 sessions between cluster members?

Hi Ivan,

You can disable H323 inspection and pre-open the entire range of ports that would have been dynamically opened by H323 inspection as long as you are not doing NAT. If you are doing NAT, you can do the same if your H323 device supports setting the NAT IP within the configuration. This is not a recommendation, but a way that it can be done with clustering.

A few inspections were not supported right out of the gate with ASA clustering, but are slowly being added with newer releases. SIP inspection is one that comes to mind that is now supported with a newer release. I also need H323 inspection and hope that it is supported soon.

Thanks,
Mark
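The workaround Mark describes (no H.323 inspection, static permits for the ports the inspection engine would otherwise open on demand, and, if NAT is unavoidable, a static mapping the endpoint itself is told about) looks roughly like the following ASA configuration. This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation. Interface names, object names, addresses and above all the dynamic TCP (H.245) and UDP (RTP/RTCP) port ranges are assumptions; the real ranges are whatever your endpoints or gatekeeper are configured to use, and the ACL must cover exactly those.

```cisco
! Added example, not from the original thread. Addresses, names and the
! dynamic port ranges below are assumptions for illustration only.
!
! 1. Leave "inspect h323 h225" and "inspect h323 ras" out of the
!    inspection_default class (clustering rejects them anyway). Without
!    inspection the ASA no longer learns H.245/RTP ports from the H.225
!    payload, so they must be permitted statically.
!
! 2. Endpoints on each side (assumed addresses)
object-group network H323-INSIDE-ENDPOINTS
 network-object 10.10.20.0 255.255.255.0
object-group network H323-OUTSIDE-PEERS
 network-object host 203.0.113.10
!
! 3. Fixed signalling ports: RAS (UDP 1719) and H.225 call setup (TCP 1720)
object-group service H323-SIGNALLING
 service-object udp destination eq 1719
 service-object tcp destination eq 1720
!
! 4. Ports inspection would normally open per call. ASSUMED ranges; set
!    them to the H.245 and media ranges configured on the endpoints.
object-group service H323-DYNAMIC
 service-object tcp destination range 5555 5574
 service-object udp destination range 16384 32767
!
! 5. Permit the static and pre-opened ranges inbound from the known peers
!    only, never "any", since the hole is open all the time, not per call.
access-list OUTSIDE_IN extended permit object-group H323-SIGNALLING object-group H323-OUTSIDE-PEERS object-group H323-INSIDE-ENDPOINTS
access-list OUTSIDE_IN extended permit object-group H323-DYNAMIC object-group H323-OUTSIDE-PEERS object-group H323-INSIDE-ENDPOINTS
access-group OUTSIDE_IN in interface outside
!
! 6. Only if NAT is required: a one-to-one static mapping. Nothing rewrites
!    the addresses embedded in H.225/H.245, so the endpoint itself must be
!    configured to advertise its mapped (public) address, as Mark notes.
object network H323-ENDPOINT-1
 host 10.10.20.5
 nat (inside,outside) static 198.51.100.5
```

The security trade-off is visible in step 5: with inspection, the pinholes for H.245 and media exist only for the duration of a call and only between the negotiated addresses; here they are permanent, so restricting the source to the specific remote peers (and, where possible, the destination to the actual endpoints rather than the whole subnet) is what keeps the exposure bounded. Verify the resulting policy with `show access-list OUTSIDE_IN` and, during a test call, `show conn protocol tcp port 1720` on the cluster master to confirm the signalling and media flows are being built.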
