CSM 4.5 - change in how CSM handles router-id on clustered ASA
We run several ASA active/active clusters in spanned etherchannel mode (so the cluster has a single IP and a single OSPF process running on the master FW). Until CSM 4.4sp2 we've manually set the OSPF router-id, since we had some bad experiences when moving a subnet from one virtual FW to another, where the ASA would use the IP address of the deactivated interface as an OSPF router-id, thus causing us to have two conflicting OSPF router IDs. The workaround to this was to set the router-id manually and that has worked great.
Unfortunately it seems that with CSM 4.5 they've changed this functionality. Now the only options are "Automatic" where the ASA chooses the router-id itself (opening us up to the same problem that we had before setting the router-id manually) and cluster-pool which is meant for an ASA cluster in individual-interface mode.
I cannot use flexconfig to set the OSPF router-id as the CSM will go back and remove it at a later time thus causing a reset of the OSPF process.
This also caused a lot of problems when pushing configurations where the OSPF process would be in a limbo state; OSPF was up and routes were in, but due to a change in the router-id and CSM not being able to reset the OSPF process properly, not all traffic was flowing through the firewall.
Any good ideas on how to resolve this, or is a TAC case the only solution (to hopefully get the option to define router-id manually for spanned-etherchannel clusters back into CSM...)?