Problem with high ping latency on cluster of ASAs

keyser.soze1 · ‎02-21-2016

Can anyone knows what could be the reason of high ping latency, when I am pinging the ISP next hop router through cluster of ASAs and my inside interface on a cluster of cisco ASAs?

When I leave one unit in a cluster of ASAs, ping is 1ms, when both units are active this ping is from 5 to 25 ms. And somethimes "request time out".

Topology is: ISP router---cluster of two ASAs 5525-x ---- inside switch----host

Philip D'Ath · ‎02-21-2016

Is this the "traditional" failover cluster configuration (aa opposed to VPN)?

Is this a state full or stateless failover cluster?

When you have them in a cluster, and you fail it over, does it change the ping time?

keyser.soze1 · ‎02-26-2016

It is the tradicional failover cluster configuration. Here is the configuration link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_cluster.pdf

Statefull and stateless failover links are terminology with failover. This is cluster. Here I have only Cluster Control Link (CCL) between ASA-s, and I port channel them into 2 Gb throughput.

When I turn off one ASA, and second takes all the traffic, ping is normal.

When I boot up second ASA, after 10 minutes ping latency go high.

Does it have something with load balancing on port channels defined between ASA-s and inside switch?

Philip D'Ath · ‎02-28-2016

I've never tried ASA clustering, only failover, so I am not sure.

I would think if the port channel config was wrong you would be packet loss, rather than latency issues.

What software version are you running?