Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Cluster interface health check

Hi,

 

when deploying four ASA firewalls in cluster mode, the health check monitoring cannot be customized like for Active/Passive setup?

 

For example, we don't want a FW member to leave the cluster if the management interface goes down.

 

Another example would be that all the interfaces in the FWs are port-channels, so we don't want to have a unit removed from the cluster because 1 physical interface has gone down, and all the port channel still up.

 

which are the commands to tune the interface health check when using four FWs in cluster mode?

Because we assigned port channels as the cluster interface, will a FW member not be removed until the Port Channel goes down or anytime a phyical interface goes down the cluster member will be removed?

 

Thank you very much.

 

Regards,

 

J

  • Firewalling
Everyone's tags (1)
2 REPLIES

Hi, By default in clustering

Hi,

 

By default in clustering healthchecking is enabled....

Below mentioned excerpt from cisco document will be helpful.

health-check

To enab;e the cluster health check feature, use the health-check command in cluster group configuration mode. To the health check, use the no form of this command.

health-check [ holdtime timeout ] [ vss-enabled ]

no health-check [ holdtime timeout ] [ vss-enabled ]

 
Syntax Description

holdtime timeout

(Optional) Determines the amount of time between keepalive or interface status messages, between .8 and 45 seconds. The default is 3 seconds.

vss-enabled

If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.

 
Command Default

Health check is enabled by default, with a holdtime of 3 seconds.

 

Regards

Karthik

Bronze

Starting with code 9.4, you

Starting with code 9.4, you can specifically disable monitoring for certain interfaces such as management.

This is also configured in the cluster configuration.

cluster group MyClusterGroup
 no health-check monitor-interface Management0/0
 no health-check monitor-interface Management0/1

!

1218
Views
0
Helpful
2
Replies
This widget could not be displayed.