Can not build an ASA Cluster with 5510 series

May 8th, 2007

I already built 3 ASA clusters and have one more to do.

The problem is that the last two ASAs can't build up their cluster relationship.

Software:

ASA = asa722-19-k8.bin
ASDM = asdm-522.bin

I found out that the two ASAs have different show version outputs.

=============================================

First ASA:

Device Manager Version 5.2(2)

Compiled on Fri 06-Apr-07 17:27 by builders
System image file is "disk0:/asa722-19-k8.bin"
Config file at boot was "startup-config"

ASA-CLU up 46 mins 45 secs
failover cluster up 46 mins 45 secs

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

0: Ext: Ethernet0/0 : address is 0019.2f8f.2a0a, irq 9
1: Ext: Ethernet0/1 : address is 0019.2f8f.2a0b, irq 9
2: Ext: Ethernet0/2 : address is 0019.2f8f.2a0c, irq 9
3: Ext: Ethernet0/3 : address is 0019.2f8f.2a0d, irq 9
4: Ext: Management0/0 : address is 0019.2f8f.2a09, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

Serial Number: hidden
Running Activation Key: hidden
Configuration register is 0x1

=============================================

Second ASA:

Device Manager Version 5.2(2)

Compiled on Fri 06-Apr-07 17:27 by builders
System image file is "disk0:/asa722-19-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 4 mins 46 secs
failover cluster up 4 mins 46 secs

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : [1]CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0018.199e.bf78, irq 9
1: Ext: Ethernet0/1 : address is 0018.199e.bf79, irq 9
2: Ext: Ethernet0/2 : address is 0018.199e.bf7a, irq 9
3: Ext: Ethernet0/3 : address is 0018.199e.bf7b, irq 9
4: Ext: Management0/0 : address is 0018.199e.bf77, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

Serial Number: hidden
Running Activation Key: hidden
Configuration register is 0x1

=============================================


The "Encryption hardware device" section is missing in the first ASA.

I think this difference causes the failures.

Anybody know more or a workaround?

v.petzholtz Sun, 05/13/2007 - 22:40

Sorry, I didn't mention that this is about an Active/Standby cluster, not a VPN cluster.

Thanks anyway

cheers

tim.weid Tue, 05/15/2007 - 17:21

Agree with Joshua. I have a 5510 "cluster" (I prefer to call it a redundant pair) and I run both WEBVPN SSL clients and L2L VPNs off it, as well as firewalling. No issues so long as your IOS matches as well as the number of interfaces. Be sure to set your holdtime interval down to 5 to ensure sessions remain active in case of failover.
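
The side-by-side comparison of the two `show version` captures from the first post can be made repeatable. The following Python script is an added example, not part of the original thread: it parses two captures and reports only the fields that differ between the units. The sample text is abridged from the outputs quoted above, and the function names are hypothetical.

```python
import re

# Abridged from the two "show version" outputs quoted in the thread.
LICENSE = """\
Failover : Active/Active
VPN-3DES-AES : Enabled
Security Contexts : 2
"""
FIRST_ASA = """\
System image file is "disk0:/asa722-19-k8.bin"
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
0: Ext: Ethernet0/0 : address is 0019.2f8f.2a0a, irq 9
4: Ext: Management0/0 : address is 0019.2f8f.2a09, irq 11
5: Int: Not used : irq 11
""" + LICENSE
SECOND_ASA = """\
System image file is "disk0:/asa722-19-k8.bin"
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
0: Ext: Ethernet0/0 : address is 0018.199e.bf78, irq 9
4: Ext: Management0/0 : address is 0018.199e.bf77, irq 11
5: Int: Not used : irq 11
""" + LICENSE

def parse_show_version(text):
    """Extract the fields worth comparing between two failover peers."""
    facts = {"interfaces": []}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r'System image file is "(.+)"', line):
            facts["image"] = m.group(1)
        elif m := re.match(r"Hardware:\s*([^,]+),\s*(\d+) MB RAM", line):
            facts["model"], facts["ram_mb"] = m.group(1), int(m.group(2))
        elif m := re.match(r"\d+: (?:Ext|Int): (.+?) : ", line):
            if m.group(1) != "Not used":       # skip unused internal slots
                facts["interfaces"].append(m.group(1))
        elif m := re.match(r"([\w/ -]+?)\s*:\s*(.+)$", line):
            facts[m.group(1)] = m.group(2)     # licence rows, accelerator line
    return facts

def compare_peers(a, b):
    """Return {field: (first, second)} for every field that differs."""
    fa, fb = parse_show_version(a), parse_show_version(b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}

if __name__ == "__main__":
    for field, (first, second) in compare_peers(FIRST_ASA, SECOND_ASA).items():
        print(f"{field}: first={first!r} second={second!r}")
```

MAC addresses are deliberately left out of the comparison because they always differ between units; a field reported with `None` on one side is a line that appears in only one capture.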
