Cisco ASA Series CLI Configuration Manual page 280

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring a Cluster of ASAs, page 1-16
Information About ASA Clustering

New Connection Ownership
When a new connection is directed to a member of the cluster via load balancing, that unit owns both
directions of the connection. If any connection packets arrive at a different unit, they are forwarded to
the owner unit over the cluster control link. For best performance, proper external load balancing is
required for both directions of a flow to arrive at the same unit, and for flows to be distributed evenly
between units. If a reverse flow arrives at a different unit, it is redirected back to the original unit. For
more information, see the "Load Balancing Methods" section on page 1-12.

Sample Data Flow
The following example shows the establishment of a new connection.

[Figure: establishment of a new connection through the cluster. Labels: Client, Inside, Cluster (Owner,
Director, Forwarder), Outside, Server; arrows "1. SYN" and "2. SYN/ACK". Figure note: After step 4, all
remaining packets are forwarded directly to the owner.]

1. The SYN packet originates from the client and is delivered to an ASA (based on the load balancing
   method), which becomes the owner. The owner creates a flow, encodes owner information into a
   SYN cookie, and forwards the packet to the server.
2. The SYN-ACK packet originates from the server and is delivered to a different ASA (based on the
   load balancing method). This ASA is the forwarder.
3. Because the forwarder does not own the connection, it decodes owner information from the SYN
   cookie, creates a forwarding flow to the owner, and forwards the SYN-ACK to the owner.
4. The owner sends a state update to the director, and forwards the SYN-ACK to the client.
5. The director receives the state update from the owner, creates a flow to the owner, and records the
   TCP state information as well as the owner. The director acts as the backup owner for the
   connection.
6. Any subsequent packets delivered to the forwarder will be forwarded to the owner.
7. If packets are delivered to any additional unit, that unit queries the director for the owner and
   establishes a flow.
8. Any state change for the flow results in a state update from the owner to the director.
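
The eight steps above as a small runnable model (an added example, not Cisco code or output). It assumes a single fixed director and treats the SYN cookie as nothing more than the owner's unit name echoed back with the SYN-ACK; the class names, unit names, state labels and addresses are constructed for illustration.

```python
# Toy model of the owner / forwarder / director roles; not Cisco code.
# Assumptions: one fixed director; the "SYN cookie" is just the owner's
# unit name (the real encoding is not described on this page).
STATE_AFTER = {"SYN": "syn-seen", "SYN-ACK": "synack-seen", "ACK": "established"}

class Unit:
    def __init__(self, name):
        self.name = name
        self.owned = {}    # owner role: flow -> TCP state
        self.fwd = {}      # forwarder role: flow -> owner name
        self.backup = {}   # director role: flow -> (owner name, TCP state)

class Cluster:
    def __init__(self, names, director):
        self.units = {n: Unit(n) for n in names}
        self.director = self.units[director]
        self.ccl_hops = 0  # packets relayed over the cluster control link

    def _owner_handle(self, owner, flow, flags):
        new_state = STATE_AFTER[flags]
        if owner.owned.get(flow) != new_state:        # steps 4, 5 and 8
            owner.owned[flow] = new_state
            self.director.backup[flow] = (owner.name, new_state)

    def deliver(self, unit_name, flow, flags, cookie=None):
        """Packet lands on unit_name; return (role that unit played, owner)."""
        unit = self.units[unit_name]
        if flow in unit.owned:                        # packet reached the owner
            self._owner_handle(unit, flow, flags)
            return "owner", unit.name
        if flags == "SYN" and cookie is None:         # step 1: new connection
            unit.owned[flow] = STATE_AFTER["SYN"]
            return "owner", unit.name                 # name doubles as the cookie
        owner = unit.fwd.get(flow) or cookie          # steps 3 and 6
        if owner is None:                             # step 7: query the director
            owner = self.director.backup.get(flow, (None, None))[0]
        if owner not in self.units or flow not in self.units[owner].owned:
            return "drop", None                       # unknown flow or stale cookie
        unit.fwd[flow] = owner                        # create the forwarding flow
        self.ccl_hops += 1
        self._owner_handle(self.units[owner], flow, flags)
        return "forwarder", owner

def run_sample():
    c = Cluster(["A", "B", "C", "D"], director="C")
    flow = ("10.0.0.5:40000", "203.0.113.10:443")     # constructed endpoints
    steps = [("A", "SYN", None), ("B", "SYN-ACK", "A"), ("B", "ACK", None), ("D", "ACK", None)]
    return [c.deliver(u, flow, f, k) for u, f, k in steps], c.director.backup[flow]

if __name__ == "__main__":
    print(run_sample())
```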
