Cisco ASA Series Cli Configuration Manual page 305

Software version 9.0 for the services module

Chapter 1
Configuring a Cluster of ASAs
Configuring ASA Clustering (Cisco ASA Series CLI Configuration Guide, page 1-41)

Step 6 (Optional)

Command:
    key shared_secret

Example:
    hostname(cfg-cluster)# key chuntheunavoidable

Purpose:
    Sets an authentication key for control traffic on the cluster control
    link. The shared secret is an ASCII string from 1 to 63 characters.
    The shared secret is used to generate the key. This command does
    not affect datapath traffic, including connection state update and
    forwarded packets, which are always sent in the clear.

Step 7 (Optional)

Command:
    clacp system-mac {mac_address | auto} [system-priority number]

Example:
    hostname(cfg-cluster)# clacp system-mac 000a.0000.aaaa

Purpose:
    When using Spanned EtherChannels, the ASA uses cLACP to
    negotiate the EtherChannel with the neighbor switch. ASAs in a
    cluster collaborate in cLACP negotiation so that they appear as a
    single (virtual) device to the switch. One parameter in cLACP
    negotiation is a system ID, which is in the format of a MAC
    address. All ASAs in the cluster use the same system ID, which is
    either auto-generated by the master unit (the default) and
    replicated to all slaves, or manually specified in this command in
    the form H.H.H, where each H is a 16-bit value written as four
    hexadecimal digits. (For example, the MAC address
    00-0A-00-00-AA-AA is entered as 000A.0000.AAAA.) You might want
    to manually configure the MAC address for troubleshooting
    purposes, for example, so you can use an easily identified MAC
    address. Typically, you would use the auto-generated MAC address.

    The system priority, between 1 and 65535, is used to decide which
    unit is in charge of making a bundling decision. By default, the
    ASA uses priority 1, which is the highest priority. The priority
    needs to be higher than the priority on the switch.

    This command is not part of the bootstrap configuration, and is
    replicated from the master unit to the slave units. However, you
    cannot change this value after you enable clustering.

Step 8

Command:
    enable [noconfirm]

Example:
    hostname(cfg-cluster)# enable
    INFO: Clustering is not compatible with following commands:
    policy-map global_policy
     class inspection_default
      inspect skinny
    policy-map global_policy
     class inspection_default
      inspect sip
    Would you like to remove these commands? [Y]es/[N]o:Y
    INFO: Removing incompatible commands from running configuration...
    Cryptochecksum (changed): f16b7fc2 a742727e e40bc0b0 cd169999
    INFO: Done

Purpose:
    Enables clustering. When you enter the enable command, the
    ASA scans the running configuration for incompatible commands
    for features that are not supported with clustering, including
    commands that may be present in the default configuration. You
    are prompted to delete the incompatible commands. If you
    respond No, then clustering is not enabled. Use the noconfirm
    keyword to bypass the confirmation and delete incompatible
    commands automatically.

    For the first unit enabled, a master unit election occurs. Because
    the first unit should be the only member of the cluster so far, it will
    become the master unit. Do not perform any configuration
    changes during this period.

    To disable clustering, enter the no enable command.

    Note: If you disable clustering, all data interfaces are shut down,
    and only the management-only interface is active. If you
    want to remove the unit from the cluster entirely (and thus
    want to have active data interfaces), see the "Leaving the
    Cluster" section on page 1-49.
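
The value constraints stated for Steps 6 and 7, as an added example that is not part of the Cisco manual: a Python pre-deployment check of a planned cluster stanza that validates the shared secret length, the H.H.H system ID form and the system-priority range, and reports a missing key. The function names and the BAD stanza are constructed for illustration; GOOD reuses the manual's example values.

```python
import re

# H.H.H form from the text: three dot-separated groups of four hex digits.
ASA_MAC = re.compile(r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}")

def to_asa_mac(mac):
    """Convert e.g. 00-0A-00-00-AA-AA to the H.H.H form 000A.0000.AAAA."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def audit_cluster_stanza(lines):
    """Check the key and clacp commands of a planned stanza; return findings."""
    findings, has_key = [], False
    for raw in lines:
        cmd, _, rest = raw.strip().partition(" ")
        rest = rest.strip()
        if cmd == "key":
            has_key = True
            # Step 6: ASCII string from 1 to 63 characters.
            if not (1 <= len(rest) <= 63 and rest.isascii()):
                findings.append("key: shared secret must be 1 to 63 ASCII characters")
        elif cmd == "clacp":
            args = rest.split()
            if len(args) < 2 or args[0] != "system-mac":
                findings.append("clacp: expected 'system-mac {mac_address | auto}'")
                continue
            if args[1] != "auto" and not ASA_MAC.fullmatch(args[1]):
                findings.append(f"clacp: {args[1]!r} is not in H.H.H form")
            if len(args) > 2:
                # Step 7: optional system-priority between 1 and 65535.
                ok = (len(args) == 4 and args[2] == "system-priority"
                      and args[3].isascii() and args[3].isdigit()
                      and 1 <= int(args[3]) <= 65535)
                if not ok:
                    findings.append("clacp: system-priority must be between 1 and 65535")
    if not has_key:
        findings.append("key: not set, so no authentication key protects control traffic")
    return findings

# GOOD uses the manual's example values; BAD is a constructed sample.
GOOD = ["key chuntheunavoidable", "clacp system-mac 000a.0000.aaaa system-priority 1"]
BAD = ["clacp system-mac 00-0A-00-00-AA-AA system-priority 70000"]

if __name__ == "__main__":
    print(to_asa_mac("00-0A-00-00-AA-AA"))
    for name, stanza in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_cluster_stanza(stanza) or "no findings")
```

A clean result only covers control-traffic authentication; as Step 6 states, datapath traffic on the cluster control link is sent in the clear regardless of the key.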
