01-22-2018 12:22 AM - edited 03-05-2019 09:48 AM
I have configured 2 ASA-5555 as a cluster, 2 C4500-X as a VSS in the inside zone, and 2 C4500-X as a VSS in the outside zone. When I verify the ASA cluster and the VSSs on both switches, the output shows OK. I have attached the topology.
When ASA1 is master, I can ping from the outside host to the inside host. But when ASA1 fails and ASA2 becomes master, I can't ping the inside host. I can only ping the ASA outside interface, but can't ping the inside host when ASA1 has failed and ASA2 becomes master. (All related inside and outside configurations are done, including NAT, ACL, ip route, etc.)
I configured the cluster and VSS according to the Cisco documents, but it seems like VSS and the cluster are not working well together. Please look through the config and the attached topology, and help me find the misconfiguration.
Here is the ASA cluster related configuration.
interface GigabitEthernet1/0
channel-group 10 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
channel-group 10 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
description Inside
channel-group 3 mode active vss-id 2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
description Inside
channel-group 3 mode active vss-id 1
no nameif
no security-level
no ip address
interface GigabitEthernet1/4
description Outside
channel-group 1 mode active vss-id 2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
description Outside
channel-group 1 mode active vss-id 1
no nameif
no security-level
no ip address
interface Port-channel1
lacp max-bundle 8
port-channel span-cluster vss-load-balance
nameif Outside
security-level 10
ip address 10.1.1.1 255.255.255.0
interface Port-channel3
lacp max-bundle 8
port-channel span-cluster vss-load-balance
nameif Inside
security-level 90
ip address 192.168.1.100 255.255.255.0
cluster group cluster1
key *****
local-unit unit-2
cluster-interface Port-channel10 ip 2.2.2.2 255.255.255.0
priority 2
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
mtu cluster 9000
jumbo-frame reservation
Here is the Inside 4500x Switch configuration.
switch virtual domain 20
switch mode virtual
switch 1 priority 110
switch 2 priority 120
mac-address use-virtual
interface Port-channel3
switchport
switchport access vlan 450
switchport mode access
interface Port-channel103
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
!
interface Port-channel104
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 2
interface Port-channel11
switchport
!
interface Port-channel12
switchport
interface TenGigabitEthernet1/1/31
channel-group 11 mode on
!
interface TenGigabitEthernet1/1/32
channel-group 12 mode on
interface TenGigabitEthernet1/2/4
switchport trunk allowed vlan 450
switchport mode trunk
!
interface TenGigabitEthernet1/2/5
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 103 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/6
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 103 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/7
switchport access vlan 450
switchport mode access
lacp rate fast
channel-group 3 mode active
spanning-tree portfast edge
!
interface TenGigabitEthernet1/2/8
switchport access vlan 450
switchport mode access
lacp rate fast
channel-group 3 mode active
spanning-tree portfast edge
interface TenGigabitEthernet2/1/31
channel-group 11 mode on
!
interface TenGigabitEthernet2/1/32
channel-group 12 mode on
interface TenGigabitEthernet2/2/4
switchport trunk allowed vlan 450
switchport mode trunk
!
interface TenGigabitEthernet2/2/5
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 104 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/2/6
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
no cdp enable
channel-group 104 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/2/7
switchport access vlan 450
switchport mode access
lacp rate fast
channel-group 3 mode active
spanning-tree portfast edge
!
interface TenGigabitEthernet2/2/8
switchport access vlan 450
switchport mode access
lacp rate fast
channel-group 3 mode active
spanning-tree portfast edge
interface Vlan450
ip address 192.168.1.101 255.255.255.0
Here is the Outside 4500x Switch configuration.
switch virtual domain 10
switch mode virtual
mac-address use-virtual
interface Port-channel32
ip address 10.1.1.2 255.255.255.0
interface Port-channel101
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 1
!
interface Port-channel102
switchport
switchport mode trunk
switchport nonegotiate
switch virtual link 2
!
interface TenGigabitEthernet1/2/5
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 101 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/6
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 101 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet1/2/7
no switchport
no ip address
channel-group 32 mode active
!
interface TenGigabitEthernet1/2/8
no switchport
no ip address
channel-group 32 mode active
interface TenGigabitEthernet2/2/5
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 102 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/2/6
switchport mode trunk
switchport nonegotiate
no lldp transmit
no lldp receive
channel-group 102 mode on
service-policy output VSL-Queuing-Policy
!
interface TenGigabitEthernet2/2/7
no switchport
no ip address
channel-group 32 mode active
!
interface TenGigabitEthernet2/2/8
no switchport
no ip address
channel-group 32 mode active
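A static consistency check for the spanned EtherChannel shown above, added here as an example and not part of the original post: it parses excerpts of the posted ASA and Inside-VSS configs and verifies that, for `port-channel span-cluster vss-load-balance`, the ASA members of the port-channel carry both `vss-id 1` and `vss-id 2` and the switch-side members sit on both VSS chassis. It assumes the Cisco semantics that `vss-id` names the VSS switch a link connects to and that the first index of a 4500-X interface name (TenGigabitEthernetX/Y/Z) is the chassis number; it checks only what the config declares, so whether each `vss-id` matches the chassis the cable actually lands on still has to be confirmed from CDP/LLDP neighbours or the patch panel.

```python
import re
from collections import defaultdict

# Constructed excerpts of the ASA and Inside-VSS configs posted above (Inside side only).
ASA_CFG = """interface GigabitEthernet1/2
 channel-group 3 mode active vss-id 2
interface GigabitEthernet1/3
 channel-group 3 mode active vss-id 1
interface Port-channel3
 port-channel span-cluster vss-load-balance
"""
SWITCH_CFG = """interface TenGigabitEthernet1/2/7
 channel-group 3 mode active
interface TenGigabitEthernet1/2/8
 channel-group 3 mode active
interface TenGigabitEthernet2/2/7
 channel-group 3 mode active
interface TenGigabitEthernet2/2/8
 channel-group 3 mode active
"""

def channel_members(cfg):
    """Return {channel-group: [(interface, vss-id or None)]} and the set of port-channels with vss-load-balance."""
    groups, lb, iface = defaultdict(list), set(), None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif iface and (m := re.match(r"channel-group (\d+) mode \S+(?: vss-id (\d))?$", line)):
            groups[int(m.group(1))].append((iface, m.group(2)))
        elif iface and line == "port-channel span-cluster vss-load-balance":
            lb.add(int(iface.replace("Port-channel", "")))
    return groups, lb

def vss_chassis(switch_iface):
    """VSS chassis number is the first slot index of the name: TenGigabitEthernet2/2/7 -> '2'."""
    return re.search(r"(\d+)/\d+/\d+$", switch_iface).group(1)

def check_vss_load_balance(asa_cfg, switch_cfg, asa_pc, switch_pc):
    """Findings for one spanned EtherChannel; an empty list means the declared config is consistent."""
    findings = []
    asa_groups, lb = channel_members(asa_cfg)
    sw_groups, _ = channel_members(switch_cfg)
    if asa_pc not in lb:
        findings.append(f"ASA Port-channel{asa_pc}: missing 'port-channel span-cluster vss-load-balance'")
    asa_ids = {vss for _, vss in asa_groups[asa_pc]}
    sw_ids = {vss_chassis(i) for i, _ in sw_groups[switch_pc]}
    if None in asa_ids:
        findings.append(f"ASA Port-channel{asa_pc}: a member has no vss-id tag")
    for side, ids, name in (("ASA", asa_ids, f"Port-channel{asa_pc}"), ("switch", sw_ids, f"Port-channel{switch_pc}")):
        findings += [f"{side} {name}: no member on VSS switch {w}" for w in ("1", "2") if w not in ids]
    return findings

if __name__ == "__main__":
    for f in check_vss_load_balance(ASA_CFG, SWITCH_CFG, 3, 3) or ["consistent: members on both VSS chassis"]:
        print(f)
```

Run it against the full configs (Outside side: ASA Port-channel1 versus switch Port-channel32) to cover the second spanned EtherChannel as well.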