ASA Spanned Cluster

This guide shows how to establish redundancy by connecting two Cisco ASA appliances. The firewalls are configured in spanned cluster mode. Two ASA 5515 appliances were used for this guide.

Introduction

ASA appliances can be set up in a spanned cluster configuration, which improves availability and failover. The spanned cluster mode enables multiple ASA devices to function as a unified entity, providing uninterrupted network security services in an active/active mode. The main objective of this mode is to maintain continuous network service even during hardware failures, software crashes, or maintenance activities. In spanned cluster mode, the firewalls need port channel links to the switches on both the inside and the outside of the network.

Description
Cluster Control Link: The primary purpose of the cluster control link is to allow the ASA units within the cluster to exchange control messages, synchronize configuration data, and monitor each other's status.
Active/Active: In cluster mode, multiple ASAs actively process traffic simultaneously. This enables redundancy, load sharing and better utilization of resources.
Health Monitoring: The ASA cluster monitors the health and availability of the active and standby units. Health checks include interface monitoring, link monitoring, and peer status monitoring.

Topology

The ASA firewalls use Ethernet port channels to establish aggregated links from each appliance to the switches on the inside and the outside network. The following steps are necessary to prepare the ASA cluster mode:

Description
1. Turn on the firewalls and open serial connections to the command line interfaces.
2. Configure the cluster interfaces on each device; make sure to use the same interface on both devices.
3. Do not interconnect the cluster interfaces directly; the cluster control link needs to be connected to a switch.
4. Verify that the cluster mode is running correctly with the commands "show cluster conn" and "show cluster history".
5. Configure the ASA cluster as if it were a single device; every configuration change is applied to both devices automatically.
6. Connect the firewalls to switches that have also been configured with port channels to forward traffic.
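The steps above, written out as an ASA configuration for the first unit (an example added here, not taken from the guide or from Cisco; the interface numbers, port channel numbers, IP and MAC addresses, unit names and the shared key are assumed placeholders that you must adapt to your own topology):

```cisco
! Unit 1: the interface mode must be set before any cluster group configuration
cluster interface-mode spanned force
!
! Cluster control link: a dedicated EtherChannel toward the switch, never
! cabled directly to the other unit (assumed port and port-channel number)
interface GigabitEthernet0/4
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description cluster-control-link
!
! Spanned data EtherChannels, identical on both units, one per network side;
! the mac-address lines are constructed locally administered addresses so the
! spanned port channel keeps one MAC regardless of which unit owns it
interface GigabitEthernet0/0
 channel-group 10 mode active
 no shutdown
interface Port-channel10
 port-channel span-cluster
 mac-address 0200.0000.0010
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 channel-group 20 mode active
 no shutdown
interface Port-channel20
 port-channel span-cluster
 mac-address 0200.0000.0020
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Cluster group: unit 2 gets the same block with its own local-unit name and a
! unique cluster-interface address on the same subnet; the key must match
cluster group asa-cluster
 local-unit unit-1
 cluster-interface Port-channel1 ip 192.168.250.1 255.255.255.0
 priority 1
 key CLUSTER-SECRET-PLACEHOLDER
 health-check holdtime 3
 enable
!
! Verification once both units have joined
! show cluster info
! show cluster conn
! show cluster history
```

On the switch side, the cluster control link port channel and the two data port channels must exist before the units are enabled, otherwise the second unit cannot reach the first over the control link.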
