Cisco Firepower 4110 Clustering with ASA and FTD

Mark Massheder
Level 1

Hi All,

We have a pair of Cisco 4110 Firepower appliances and have them clustered for the ASA Security Module.

There appears to be no option to add an additional logical device for the Firepower Threat Defense module, so I can only assume this is not supported in an Active/Active state.

In addition on the ASA Module there is no Configuration Tab for Remote Access VPN.

So my question is: how do we incorporate the Threat Defense feature into the ASA? I'm assuming that this would be via the offload engine within Advanced Settings, but that it requires the ASA to be in Active/Standby mode, and then the Firepower Threat Defense logical device will be available?

My second question is: would it have been better to purchase the Cisco ASA 5585-X with the FirePOWER module, to support all the regular features of the ASA as well as offloading inspection traffic to the FirePOWER module?

I have found a fair bit of documentation on the Cisco site, but I tend to lose track of where in the ASA or FXOS docs the references are to FTD clustering not being supported, or to RA VPN not being supported, so I was hoping for some insight here.

I would appreciate any clarity around the Firepower 4110 appliances' support for, and configuration of, the combined FTD and ASA features that are supported.

We are running ASA v9.6(2) and FXOS 2.0.1(86).

Thanks in advance.

Mark

8 Replies

Marvin Rhoads
Hall of Fame

On a FirePOWER 4100 series chassis you can only run a single logical device. Multiple logical devices are only supported on the FirePOWER 9300 which supports up to 3 security modules.

So you have to choose between the ASA and FTD module types (or technically you could also deploy the RADware vDefense Pro but that's mostly for service providers).

One or the other and never both.

The ASA module does support remote access VPN on FirePOWER 4110. I have set one up personally just this month. Have you registered the chassis with smart licensing and applied the ASA licenses (base and 3DES-AES)?

The ASA modules do support both HA and inter-chassis clustering on the 4100 series hardware.

If you run FTD image, there is currently no support for remote access VPN. This is a high priority roadmap item for a future release (post-6.2). FTD does not currently support inter-chassis clustering but that should be in the 6.2 release.

Hi Marvin,

Many thanks for the informative response. Smart Licensing is enabled and applied to the ASA.

Extract below:

License mode: Smart Licensing

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited
Maximum VLANs                     : 1024
Inside Hosts                      : Unlimited
Failover                          : Active/Active
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 10
Carrier                           : Disabled
AnyConnect Premium Peers          : 10000
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 10000
Total VPN Peers                   : 10000
AnyConnect for Mobile             : Enabled
AnyConnect for Cisco VPN Phone    : Enabled
Advanced Endpoint Assessment      : Enabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 10000
Botnet Traffic Filter             : Enabled
Cluster                           : Enabled

Interestingly, when using ASDM for the Firepower 4110 there is no Remote Access configuration tab, compared with an ASA 5520; please see the attached screenshot.

I did find this in the ASA CLI configuration guide 9.6, though:

"Unsupported Features with Clustering" - Remote access VPN (SSL VPN and IPsec VPN).

Will keep reading and experimenting for now though.

Thanks again for the response.

Mark

Remote Access VPN is not supported when using the ASA Clustering feature (active/active). Is there a reason for using clustering and not active/standby high availability?
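The configuration-guide quote from Mark's post and the reply above come down to one pre-migration check: if the target ASA logical device will run clustering, any remote access VPN configuration carried over from the EOL ASAs is unsupported. The Python script below is added here as an illustration and is not code from this thread or from Cisco. It lints an ASA running-config for remote-access markers (webvpn/AnyConnect enabled on an interface, IKEv2 client-services, remote-access tunnel-groups) and reports them as conflicts only when a cluster group is enabled. Both embedded configs are constructed samples, and the set of markers is an assumption drawn from the guide's wording (SSL VPN and IPsec VPN); site-to-site tunnel-groups are deliberately not flagged, and failover (active/standby) configs produce no conflicts.

```python
"""Lint an ASA running-config for remote-access VPN features that are
unsupported once clustering is enabled.

Added example for this thread; not Cisco code.  The two configs below are
constructed samples, and the remote-access markers are an assumption based
on the 'Unsupported Features with Clustering' note (SSL VPN and IPsec VPN).
"""
import re

# Constructed sample: a clustered ASA that still carries AnyConnect/SSL VPN,
# IKEv2 client-services and a remote-access tunnel-group (plus one L2L
# tunnel-group, which must NOT be flagged).
SAMPLE_CLUSTER_CONFIG = """\
hostname fp4110-asa
interface Port-channel48
 description cluster control link
cluster group DC-CLUSTER
 local-unit unit-1-1
 cluster-interface Port-channel48 ip 127.2.1.1 255.255.0.0
 priority 1
 enable
webvpn
 enable outside
 anyconnect enable
crypto ikev2 enable outside client-services port 443
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
tunnel-group L2L-PEER type ipsec-l2l
"""

# Constructed sample: an active/standby failover pair with RA VPN, where
# the same markers are present but nothing conflicts.
SAMPLE_HA_CONFIG = """\
hostname asa5520-primary
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
webvpn
 enable outside
 anyconnect enable
"""

_IKEV2_RA = re.compile(r"^crypto ikev2 enable (\S+) client-services")
_TG_RA = re.compile(r"^tunnel-group (\S+) type remote-access$")


def _blocks(config):
    """Yield (line_no, enclosing top-level block, stripped line) per line.

    ASA configs nest with a single leading space, so any line that does not
    start with whitespace begins a new top-level block.
    """
    block = ""
    for n, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace():
            block = line.strip()
        yield n, block, line.strip()


def cluster_enabled(config):
    """True if a 'cluster group' block contains a bare 'enable' line."""
    return any(block.startswith("cluster group ") and s == "enable"
               for _, block, s in _blocks(config))


def find_ra_vpn(config):
    """Return (line_no, description) for each remote-access VPN marker."""
    findings = []
    for n, block, s in _blocks(config):
        if block == "webvpn" and s.startswith("enable "):
            findings.append((n, "SSL VPN (webvpn) enabled on " + s.split()[1]))
        elif block == "webvpn" and s == "anyconnect enable":
            findings.append((n, "AnyConnect client VPN enabled"))
        else:
            m = _IKEV2_RA.match(s)
            if m:
                findings.append((n, "IKEv2 remote-access client-services on " + m.group(1)))
                continue
            m = _TG_RA.match(s)
            if m:
                findings.append((n, "remote-access tunnel-group " + m.group(1)))
    return findings


def lint(config):
    """Summarise clustering state, RA VPN markers and the resulting conflicts."""
    ra = find_ra_vpn(config)
    clustered = cluster_enabled(config)
    return {"cluster_enabled": clustered,
            "ra_vpn": ra,
            "conflicts": ra if clustered else []}


if __name__ == "__main__":
    for name, cfg in (("clustered", SAMPLE_CLUSTER_CONFIG),
                      ("failover", SAMPLE_HA_CONFIG)):
        r = lint(cfg)
        print(f"{name}: cluster={r['cluster_enabled']} "
              f"ra_vpn_markers={len(r['ra_vpn'])} conflicts={len(r['conflicts'])}")
        for n, desc in r["conflicts"]:
            print(f"  line {n}: {desc} -> unsupported with clustering")
```

Run it against a `show running-config` capture from the ASAs being retired (with the planned `cluster group` stanza pasted in) before cutting over; an empty `conflicts` list on a clustered config is the result you want. The site-to-site `tunnel-group ... type ipsec-l2l` line is intentionally ignored, since it is only remote-access VPN that the guide lists as unsupported under clustering.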

The clustering (active/active) was to support dual BGP feeds presented to the Firepower 4110 at separate DCs for one project, and the Remote Access VPN would have been to migrate a number of EOL ASAs onto the Firepower 4110 as part of another project, but this is looking less likely now.

Many thanks for the responses.

Much appreciated.

Regards

Mark

Hello Mark,

Could you briefly outline the steps to deploy the cluster on the 4100, please? I am in the process of deploying a 4100 cluster for FTD. Thanks for your help.

Once you have deployed the individual ASA logical devices you simply interconnect and cluster them no differently than you would with physical ASA appliances. 

Hi Marvin, I need your input on 4100 clustering with FTD. Do we need to deploy clustering at the FXOS layer or at the FTD (module) level? Or does this have to be done on both? Also, is there a recommended method to migrate from ASA 8.4 to FTD? I can see the Cisco migration tool for FTD only supports ASA code 9.1 and above. Are there any major configuration changes from 8.4 to 9.1? Hence I probably need to first upgrade my production ASA to 9.1 so that I can use the migration tool. Your thoughts please.

Clustering is at the logical device level (i.e. FTD - not FX-OS).

If I were doing it, I'd actually do my best to avoid using the migration tool and instead migrate manually. I've heard very little good about the tool.

If you really want to go that route then yes - simply upgrade your 8.4 ASA to 9.1 first. There are very few syntax changes; but the migration tool is quite particular about seeing exactly what it expects. Any variations, even seemingly inconsequential ones, will cause it to fail.
