Need help with migrating to an ASA cluster

spfister336 (Level 2)

We have a pair of ASA 5585-Xs in an active/standby configuration. It's been working fine, but lately we seem to be hitting the limits of the hardware (according to a Cisco TAC case...).

Eventually, we hope to upgrade to new hardware (Firepower 4100 series), but in the meantime, I'm trying to improve things as much as I can. After research, it looks like setting the ASAs up in a cluster might be our best interim solution.

Does anyone have a guide to migrating an Active/Standby setup to a cluster? These are set up in routed mode, and single context mode. Most of the documentation I've seen seems to start from scratch. Also, a lot of it mentions commands I don't seem to have... does clustering need multiple context mode?

I tried setting up a lab in GNS3 to gain some practice before trying it. Got it working with a pair of ASAvs mimicking the production network before I found out that ASAv doesn't support clustering.

5 Replies

Sheraz.Salim (VIP Alumni)

This is a tricky one. You need a lot of planning and also need change control in place. You can do a cluster in multi-context or in single context mode.

Here are the steps which I think you need.

1. Both units are in active/passive mode. I assume you have a cluster licence in place. I think the bigger appliances come with 2 cluster units enabled. You can check this by issuing the command show version. I am not sure how the Firepower sensor works with SFR and Cisco licensing; you need to dig into this.

2. Back up all the firewall configuration, including VPN keys/certificates etc. Break the HA active/standby pair. Make sure the primary active stays as active and the secondary standby stays as standby. Once the HA is broken, at this point the active unit (which is the ASA primary active) is still serving the production traffic in your network. Coming back to your standby firewall: issue the command clear configure failover. If you plan to do a spanned port-channel cluster, in that case you need to make sure you have enough ports available on your switch. (I have done clustering in the past on a 3850 switch; it worked fine.) This also means you need to do some configuration work on the switch side. Also remember the port-channel only supports LACP active. You can configure this on both switch and firewall.

3. Once this command is issued ("configure the cluster interface mode span"), the ASA will ask to reboot the device and wipe all the configuration. Now issue the commands,

! cluster control link interface
interface GigabitEthernet1/3
 no shutdown
!
! cluster bootstrap on this unit
cluster group XYZ
 local-unit ASA2
 priority 1
 cluster-interface GigabitEthernet1/3 ip 10.100.203.1 255.255.255.0
!

and so on.....

I have not tested this but I am just telling from experience. You need a lot of planning and also a back door in case the change goes wrong, so you can revert back.

Please do not forget to rate.
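Putting the three steps above into one complete bootstrap: the configuration below is an added example, not the poster's config and not a Cisco-supplied one. It stages the first node of a two-unit spanned EtherChannel cluster on the ASA that was just broken out of HA, and shows the matching Catalyst 3850 side (single switch or stack, so one port-channel can have a member on each ASA). The cluster name, unit names, interface numbers, VLANs, subnets, MAC address and key are assumed placeholders.

```cisco
! ---- ASA unit-1 (the former standby, now being staged) ----
! Assumed placeholders: names, interface numbers, VLANs, addresses and the key.
! 1. Failover must be gone before clustering is configured.
no failover
clear configure failover
!
! 2. Interface mode is set on each unit before any "cluster group" config.
!    (The reply above notes this step wipes the config and prompts for a reload.)
cluster interface-mode spanned force
!
! 3. Cluster control link: a dedicated physical port, no nameif, and an MTU at least
!    100 bytes above the data interfaces, because cluster traffic adds a header.
interface TenGigabitEthernet0/6
 description Cluster control link, switch VLAN 203
 no shutdown
!
mtu cluster 1600
!
! 4. Spanned EtherChannel for the "inside" data interface. Both units use
!    channel-group 2; the switch sees one port-channel with one member per ASA.
!    The member stays shut while staging so the old active ASA keeps serving traffic.
interface TenGigabitEthernet0/8
 description inside member of Port-channel2
 channel-group 2 mode active
 shutdown
!
interface Port-channel2
 port-channel span-cluster
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
 ! placeholder MAC; a fixed MAC keeps neighbours' ARP stable when the master changes
 mac-address 0200.0000.0001
!
! 5. Cluster bootstrap. Only this block differs per unit (local-unit, CCL ip, priority).
cluster group asa-cluster
 local-unit unit-1
 cluster-interface TenGigabitEthernet0/6 ip 10.100.203.1 255.255.255.0
 priority 1
 key ReplaceWithSharedSecret
 health-check holdtime 3
 enable noconfirm
!
! ---- Catalyst 3850 (single stack) ----
! CCL: plain access ports in a VLAN reserved for the cluster, one port per ASA.
vlan 203
 name asa-ccl
!
interface GigabitEthernet1/0/1
 description unit-1 Te0/6 (CCL)
 switchport mode access
 switchport access vlan 203
!
interface GigabitEthernet1/0/2
 description unit-2 Te0/6 (CCL)
 switchport mode access
 switchport access vlan 203
!
! Data side: ONE port-channel, LACP active, whose two members go to different ASAs.
interface Port-channel2
 description asa-cluster inside (spanned)
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/3 - 4
 description Te0/8 on unit-1 and unit-2
 switchport mode access
 switchport access vlan 10
 channel-group 2 mode active
```

During the maintenance window the old active ASA's interfaces are shut, `no shutdown` is applied to the unit-1 member port, and `show cluster info` should report unit-1 as master before any traffic is trusted to it. The second unit then only needs steps 1, 2, 3 and the `cluster group` block with its own `local-unit`, CCL address (10.100.203.2 here) and a lower priority (a higher number); the data interface and `Port-channel2` configuration replicate from the master once it joins.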

Thank you... I guess there's no way to do this without completely wiping the configuration at some point. That's the impression I'm getting. Also, the ASA5585-X comes with a license to do up to 8 nodes, correct?

Just checked the ASA... under licensing features in 'show ver' it says Disabled for Cluster. Can I enable it, or do I need to buy a license?

You definitely need a valid cluster license, otherwise the functionality can't be enabled. Take a look at this: Licenses for ASA Clustering

Regarding buying a license, this might be a tricky one I would say.

ASA5585 is already EoS, as you can see here. This normally means that all related SKUs are EoS too (at least from my experience), so I'm not sure it is possible to order a license for a product that reached EoS.

On the other hand, I do see that the configurator permits adding this license without any warning. You can try to reach your partner/reseller and ask them if they can provide this license for you. Depending on the ASA5585 model, the SKU will be different:

  • L-ASA5585-CL-S10= for ASA5585-SSP10
  • L-ASA5585-CL-S20= for ASA5585-SSP20, and so on.

Also, I would recommend a slightly different approach, in order to minimize downtime.

I would break HA, and prepare the cluster configuration on the standby device (with disabled interfaces), while the active one is still serving the network. This would give me comfort to play around with the configuration as much as is needed (just not too long; remember, you don't have HA anymore).

Once I'm confident with my single-node cluster setup, I would do a swap in a MW, where complete downtime is expected. After I verify that everything is ok, I would proceed with wiping the other node, and adding it to the cluster.

This approach would give you a more comfortable way of preparing the cluster configuration, especially if it is a new thing for you. You could even use this opportunity to optimize the config, should it be required or if you planned it before. For the migration itself, it would keep downtime to the minimum required, as you have 2 setups ready; it's just a matter of swapping. Also, it gives you an easy way of doing a rollback, should it be required.

However, it comes with the risk that you have to break HA for some time, and that you are losing redundancy until the migration is complete.
