Cisco ASA Series Cli Configuration Manual page 273

Chapter 1 Configuring a Cluster of ASAs
High Availability within the ASA Cluster
•
•
•
•
Unit Health Monitoring
The master unit monitors every slave unit by sending keepalive messages over the cluster control link
periodically (the period is configurable). Each slave unit monitors the master unit using the same
mechanism.
Interface monitoring
Each unit monitors the link status of all hardware interfaces in use, and reports status changes to the
master unit.
•
•
Unit or Interface Failure
When health monitoring is enabled, a unit is removed from the cluster if it fails or if its interfaces fail.
If an interface fails on a particular unit, but the same interface is active on other units, then the unit is
removed from the cluster.
When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to other
units; state information for traffic flows is shared over the control cluster link.
If the master unit fails, then another member of the cluster with the highest priority (lowest number)
becomes the master.
Note
When an ASA becomes inactive (either manually or through a health check failure), all data interfaces
are shut down; only the management-only interface can send and receive traffic. The management
interface remains up using the IP address the unit received from the cluster IP pool. However if you
reload, and the unit is still inactive in the cluster, the management interface is not accessible (because it
then uses the Main IP address, which is the same as the master unit). You must use the console port for
any further configuration.
Data Path Connection State Replication
Every connection has one owner and at least one backup owner in the cluster. The backup owner does
not take over the connection in the event of a failure; instead, it stores TCP/UDP state information, so
that the connection can be seamlessly transferred to a new owner in case of a failure.
Unit Health Monitoring, page 1-9
Interface monitoring, page 1-9
Unit or Interface Failure, page 1-9
Data Path Connection State Replication, page 1-9
Spanned EtherChannel—Uses cluster Link Aggregation Control Protocol (cLACP). Each unit
monitors the link status and the cLACP protocol messages to determine if the port is still active in
the EtherChannel. The status is reported to the master unit.
Individual interfaces (Routed mode only)—Each unit self-monitors its interfaces and reports
interface status to the master unit.
Information About ASA Clustering
Cisco ASA Series CLI Configuration Guide
1-9