Good question and a possible feature request for Cisco. I see what you are asking for in an automatic failover of the Management Center.
Unfortunately, a cluster cannot be done. The issue, from my understanding, involves the security certificate. Typically a server-side certificate is generated for the SSL connection between Agents and the Management Center (MC). The communications between the Agents and MC consist of things like policy updates, agent polling, and alert message communications. The files are signed with the CSA MC certificate to prove their authenticity, so that nobody can intercept the communications and alter their content.
Since the agents can function without an active MC, it has always been the best practice to back up configurations and policies in the event of an MC failure. Then all that needs to be done is a restore of the configuration and license to the new MC.
Well, there is a difference between what you can do and what is supported. You CAN create a hot standby by using, e.g., the Veritas storage management client and making it control the csamc services on two servers. You will need to use a remote DB and define some dependencies so that the two servers are never active at the same time. Registrations to the server are kept in the DB, so there is no change to the actual server. The only thing is, if you create a new agent kit, it will be on the server that was active, so you will need to define some shared storage between the two servers for the agent kit directory on the server. This is not supported, so you will probably get problems with support if you attempt this and it fails for some reason.
Your suggestion sounds similar to the HA solution for CSM, i.e., using Veritas Storage Foundation HA/DR. Have you implemented this for CSA MC?
Cisco have added a new white paper, "Management Center for Cisco Security Agents High Availability White Paper". It's dated the 2nd of Feb 2009; has anyone had the time to test it yet? It reads like a single-site HA solution, but I can't see why it wouldn't scale to an HA/DR implementation across multiple data centres.
Yes, it is very similar to the supported CSM HA solution with the Veritas storage management agent. I have tested it with a friend who works for Symantec and used to be a Veritas technician; it works very well, as I recall. I have not implemented it in production environments yet. I will have to check out that paper; it sounds interesting.