Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring a Cluster of ASAs
Information About ASA Clustering
If the owner becomes unavailable, the first unit to receive packets from the connection (based on load
balancing) contacts the backup owner for the relevant state information so it can become the new owner.
Some traffic requires state information above the TCP or UDP layer. See Table 1-1 for clustering support
or lack of support for this kind of traffic.
Configuration Replication
All units in the cluster share a single configuration. Except for the initial bootstrap configuration, you
can only make configuration changes on the master unit, and changes are automatically replicated to all
other units in the cluster.
ASA Cluster Management
• Management Network, page 1-10
• Management Interface, page 1-10
• Master Unit Management Vs. Slave Unit Management, page 1-11
• RSA Key Replication, page 1-11
• ASDM Connection Certificate IP Address Mismatch, page 1-11
Management Network
We recommend connecting all units to a single management network. This network is separate from the
cluster control link.
Management Interface
For the management interface, we recommend using one of the dedicated management interfaces. You
can configure the management interfaces as Individual interfaces (for both routed and transparent
modes) or as a Spanned EtherChannel interface.
Table 1-1 ASA Features Replicated Across the Cluster

Traffic                   State Support   Notes
Up time                   Yes             Keeps track of the system up time.
ARP Table                 Yes             Transparent mode only.
MAC address table         Yes             Transparent mode only.
User Identity             Yes             Includes AAA rules (uauth) and identity firewall.
IPv6 Neighbor database    Yes
Dynamic routing           Yes
Multi-site licensing      No
SNMP Engine ID            No
VPN (Site-to-Site)        No              VPN sessions will be disconnected if the master unit fails.