Can not build an ASA Cluster with 5510 series

v.petzholtz · ‎05-08-2007

I already build 3 ASA clusters and have one more to do.

The problem is that the last two ASAs can't build up there cluster relationship.

Software:

ASA = asa722-19-k8.bin

ASDM = asdm-522.bin

I found out that the two ASAs have different show version outputs.

=============================================

First ASA:

Device Manager Version 5.2(2)

Compiled on Fri 06-Apr-07 17:27 by builders

System image file is "disk0:/asa722-19-k8.bin"

Config file at boot was "startup-config"

ASA-CLU up 46 mins 45 secs

failover cluster up 46 mins 45 secs

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

0: Ext: Ethernet0/0 : address is 0019.2f8f.2a0a, irq 9

1: Ext: Ethernet0/1 : address is 0019.2f8f.2a0b, irq 9

2: Ext: Ethernet0/2 : address is 0019.2f8f.2a0c, irq 9

3: Ext: Ethernet0/3 : address is 0019.2f8f.2a0d, irq 9

4: Ext: Management0/0 : address is 0019.2f8f.2a09, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 250

WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

Serial Number: hidden

Running Activation Key: hidden

Configuration register is 0x1

=============================================

Second ASA:

Device Manager Version 5.2(2)

Compiled on Fri 06-Apr-07 17:27 by builders

System image file is "disk0:/asa722-19-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 4 mins 46 secs

failover cluster up 4 mins 46 secs

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : [1]CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode:

CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 0018.199e.bf78, irq 9

1: Ext: Ethernet0/1 : address is 0018.199e.bf79, irq 9

2: Ext: Ethernet0/2 : address is 0018.199e.bf7a, irq 9

3: Ext: Ethernet0/3 : address is 0018.199e.bf7b, irq 9

4: Ext: Management0/0 : address is 0018.199e.bf77, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 100

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 250

WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.

Serial Number: hidden

Running Activation Key: hidden

Configuration register is 0x1

=============================================

The "Encryption hardware device" section is missing in the first ASA.

I think these difference causes the failures.

Anybody know more or an work around?

joshua.walton · ‎05-12-2007

Restrictions:

VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.

All devices in the virtual cluster must be on the same outside and inside IP subnets.

Ref: Remote VPN Client Load Balancing on ASA 5500 Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml

Please rate if you are satisfied.

Cheers!

v.petzholtz · ‎05-13-2007

Sorry, i dont't mention that this is about an Active/Standby cluster not an VPN cluster.

Thanks anyway

cheers

tim.weid · ‎05-15-2007

Agree with Joshua. I have a 5510 "cluster" I prefer to call it redundant pair and I run both WEBVPN SSL clients and L2L vpns off as well as firewalling. No issues so long as your IOS matches as well as the number of interfaces. Be sure to set your holdtime interval down to 5 to ensure sessions remain active in case of failover.