05-08-2007 05:21 AM - edited 03-11-2019 03:10 AM
I have already built 3 ASA clusters and have one more to do.
The problem is that the last two ASAs can't build up their cluster relationship.
Software:
ASA = asa722-19-k8.bin
ASDM = asdm-522.bin
I found out that the two ASAs have different show version outputs.
=============================================
First ASA:
Device Manager Version 5.2(2)
Compiled on Fri 06-Apr-07 17:27 by builders
System image file is "disk0:/asa722-19-k8.bin"
Config file at boot was "startup-config"
ASA-CLU up 46 mins 45 secs
failover cluster up 46 mins 45 secs
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
0: Ext: Ethernet0/0 : address is 0019.2f8f.2a0a, irq 9
1: Ext: Ethernet0/1 : address is 0019.2f8f.2a0b, irq 9
2: Ext: Ethernet0/2 : address is 0019.2f8f.2a0c, irq 9
3: Ext: Ethernet0/3 : address is 0019.2f8f.2a0d, irq 9
4: Ext: Management0/0 : address is 0019.2f8f.2a09, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has an ASA 5510 Security Plus license.
Serial Number: hidden
Running Activation Key: hidden
Configuration register is 0x1
=============================================
Second ASA:
Device Manager Version 5.2(2)
Compiled on Fri 06-Apr-07 17:27 by builders
System image file is "disk0:/asa722-19-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 4 mins 46 secs
failover cluster up 4 mins 46 secs
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0018.199e.bf78, irq 9
1: Ext: Ethernet0/1 : address is 0018.199e.bf79, irq 9
2: Ext: Ethernet0/2 : address is 0018.199e.bf7a, irq 9
3: Ext: Ethernet0/3 : address is 0018.199e.bf7b, irq 9
4: Ext: Management0/0 : address is 0018.199e.bf77, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has an ASA 5510 Security Plus license.
Serial Number: hidden
Running Activation Key: hidden
Configuration register is 0x1
=============================================
The "Encryption hardware device" section is missing in the first ASA.
I think this difference causes the failures.
Does anybody know more, or a workaround?
05-12-2007 05:41 PM
Restrictions:
VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.
All devices in the virtual cluster must be on the same outside and inside IP subnets.
Ref: Remote VPN Client Load Balancing on ASA 5500 Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml
Please rate if you are satisfied.
Cheers!
05-13-2007 10:40 PM
Sorry, I didn't mention that this is about an Active/Standby cluster, not a VPN cluster.
Thanks anyway
cheers
05-15-2007 05:21 PM
Agree with Joshua. I have a 5510 "cluster" (I prefer to call it a redundant pair) and I run both WebVPN SSL clients and L2L VPNs off it, as well as firewalling. No issues so long as your IOS matches, as well as the number of interfaces. Be sure to set your holdtime interval down to 5 to ensure sessions remain active in case of failover.
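Added example, not part of any post in this thread: a small Python check that automates the side-by-side `show version` comparison from the first post and the "software and interface count must match" point above. The sample text is trimmed from the two outputs posted here; the function names are hypothetical, and the script only reports which fields differ, not whether a given difference is what blocks failover.

```python
import re

# Trimmed from the two "show version" outputs posted in this thread.
FIRST = """\
System image file is "disk0:/asa722-19-k8.bin"
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
0: Ext: Ethernet0/0 : address is 0019.2f8f.2a0a, irq 9
4: Ext: Management0/0 : address is 0019.2f8f.2a09, irq 11
Failover : Active/Active
"""
SECOND = """\
System image file is "disk0:/asa722-19-k8.bin"
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
0: Ext: Ethernet0/0 : address is 0018.199e.bf78, irq 9
4: Ext: Management0/0 : address is 0018.199e.bf77, irq 11
Failover : Active/Active
"""

IFACE = re.compile(r"^\d+:\s+Ext:\s+(\S+)\s+: address is")

def parse_show_version(text):
    """Reduce 'show version' text to the fields a failover pair should share."""
    facts, ifaces = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = IFACE.match(line)
        if m:
            ifaces.append(m.group(1))  # per-unit MAC addresses are ignored on purpose
        elif line.startswith("System image file is"):
            facts["image"] = line.split('"')[1]
        elif line.startswith("Hardware:"):
            facts["model"] = line.split(":", 1)[1].split(",")[0].strip()
        elif " : " in line and not re.match(r"^\d+:", line):
            key, value = line.split(" : ", 1)  # license and hardware "key : value" rows
            facts[key.strip()] = value.strip()
    facts["interfaces"] = tuple(ifaces)
    return facts

def compare_units(a_text, b_text):
    """Return {field: (first, second)} for every field that differs."""
    a, b = parse_show_version(a_text), parse_show_version(b_text)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for field, (first, second) in compare_units(FIRST, SECOND).items():
        print(f"{field}: first={first!r} second={second!r}")
```

On the trimmed samples it flags the hardware model string and the missing "Encryption hardware device" row, while the image file, interface list and failover license line compare equal.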