
FIREWALL CLUSTERING

EVANS TONUI
Level 1

Can I cluster two firewalls of different types, for example a Cisco ASA 5512-x and a Cisco Firepower 4110, to achieve higher availability?

I am in a situation where I have a Cisco ASA 5512-x already deployed on site and they want higher availability to be achieved in their network. What would you recommend?


Accepted Solutions

Hi

As I remember, you cannot; you need the same model with the same IOS. The active firewall will replicate its configuration to the backup, so you need the same hardware and software.

ASA Hardware and Software Requirements

All units in a cluster:

  • Must be the same model with the same DRAM. You do not have to have the same amount of flash memory.
  • Must run the identical software except at the time of an image upgrade. Hitless upgrade is supported between any maintenance releases within a minor release (such as 9.0(1) to 9.0(4)), adjacent minor releases (such as 9.0 to 9.1), and last minor release of previous version to the next major release (such as 8.6 to 9.0, where 8.6 is the last version available for your model previous to 9.0).
  • Must be in the same geographical location.
  • Must be in the same security context mode, single or multiple.
  • (Single context mode) Must be in the same firewall mode, routed or transparent.
  • New cluster members must use the same SSL encryption setting (the ssl encryption command) as the master unit for initial cluster control link communication before configuration replication.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html#38541

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<
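A pre-check for the requirements quoted in the answer above, as an added example that is not part of the original thread or of Cisco's documentation. The inventory field names, the `last_minor_of_prev_major` parameter and all sample values are assumptions constructed for illustration.

```python
import re

# Attributes the quoted requirements say must be the same on every unit.
# Field names are hypothetical; populate them from your own inventory.
MUST_MATCH = ("model", "dram_mb", "site", "context_mode", "firewall_mode", "ssl_encryption")

def parse_version(text):
    """Turn an ASA-style version such as '9.0(4)' into (major, minor, maint)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\((\d+)\))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def hitless_upgrade_ok(old, new, last_minor_of_prev_major=None):
    """Check the three hitless-upgrade cases listed in the requirements.
    last_minor_of_prev_major (e.g. '8.6') is model-specific, so the caller supplies it."""
    o, n = parse_version(old), parse_version(new)
    if o[:2] == n[:2]:                        # maintenance releases within one minor
        return True
    if o[0] == n[0] and n[1] - o[1] == 1:     # adjacent minor releases
        return True
    if last_minor_of_prev_major:              # last minor of previous major -> next major
        last = parse_version(last_minor_of_prev_major)
        return o[:2] == last[:2] and n[:2] == (last[0] + 1, 0)
    return False

def cluster_precheck(units, last_minor_of_prev_major=None):
    """Compare every unit with the first one; an empty result means no blocker found."""
    ref, findings = units[0], []
    for unit in units[1:]:
        for field in MUST_MATCH:
            if field == "firewall_mode" and ref["context_mode"] != "single":
                continue                      # firewall mode rule applies to single context mode
            if unit[field] != ref[field]:
                findings.append(f"{unit['name']}: {field} differs from {ref['name']}")
        a, b = ref["version"], unit["version"]
        if a != b and not (hitless_upgrade_ok(a, b, last_minor_of_prev_major)
                           or hitless_upgrade_ok(b, a, last_minor_of_prev_major)):
            findings.append(f"{unit['name']}: {b} vs {a} is outside the hitless-upgrade window")
    return findings

# Constructed inventory (all values are sample data, not read from real devices).
BASE = dict(site="dc1", context_mode="single", firewall_mode="routed", ssl_encryption="aes256-sha1")
ASA_A = dict(BASE, name="asa-a", model="ASA 5512-X", dram_mb=4096, version="9.0(1)")
ASA_B = dict(BASE, name="asa-b", model="ASA 5512-X", dram_mb=4096, version="9.0(4)")
FPR = dict(BASE, name="fpr-1", model="Firepower 4110", dram_mb=65536, version="9.0(4)")

if __name__ == "__main__":
    for pair in ([ASA_A, ASA_B], [ASA_A, FPR]):
        print([u["name"] for u in pair], cluster_precheck(pair) or "no blockers")
```

A version difference that passes the hitless-upgrade check is tolerated only while an image upgrade is in progress; in steady state the requirements call for identical software on all units.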


Thanks :)

You are welcome :-)



