When deploying four ASA firewalls in cluster mode, can the health check monitoring not be customized like for an Active/Passive setup?
For example, we don't want a FW member to leave the cluster if the management interface goes down.
Another example would be that all the interfaces in the FWs are port-channels, so we don't want to have a unit removed from the cluster because one physical interface has gone down while the port channel is still up.
Which are the commands to tune the interface health check when using four FWs in cluster mode?
Because we assigned port channels as the cluster interface, will a FW member not be removed until the port channel goes down, or will the cluster member be removed any time a physical interface goes down?
By default in clustering, health checking is enabled.
The excerpt below from the Cisco document will be helpful.
To enable the cluster health check feature, use the health-check command in cluster group configuration mode. To disable the health check, use the no form of this command.
health-check [ holdtime timeout ] [ vss-enabled ]
no health-check [ holdtime timeout ] [ vss-enabled ]
holdtime timeout: (Optional) Determines the amount of time between keepalive or interface status messages, between .8 and 45 seconds. The default is 3 seconds.
If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
Health check is enabled by default, with a holdtime of 3 seconds.
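The command in context, as an added example and not part of the original answer or the Cisco document. The cluster group name "cluster1" is assumed, as is an EtherChannel cluster control link connected to a VSS/vPC pair:

```text
! Enter cluster group configuration mode (group name is an assumption)
cluster group cluster1
  ! Keep the default 3-second holdtime, but flood keepalives on all
  ! cluster-control-link EtherChannel members so a VSS/vPC switch that is
  ! rebooting (link up, no forwarding) cannot trigger a false removal
  health-check holdtime 3 vss-enabled

! Lowering the holdtime speeds up failure detection but raises the risk
! of the false removal described above if vss-enabled is not set
  health-check holdtime 1 vss-enabled

! Disable cluster health checking entirely (no form of the command)
  no health-check
```

Verify the running setting with show running-config cluster after the change; the holdtime must be within the documented .8 to 45 second range or the command is rejected.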