Cisco ASA Series CLI Configuration Manual page 319

Software version 9.0 for the services module

Chapter 1
Configuring a Cluster of ASAs
| Command | Purpose |
|---|---|
| mac-address pool name start_mac_address - end_mac_address | Creates a MAC address pool for an individual interface. |
| prompt cluster-unit | Sets the CLI prompt to include the cluster unit name. |
| logging device-id | Each unit in the cluster generates syslog messages independently. You can use the logging device-id command to generate syslog messages with identical or different device IDs to make messages appear to come from the same or different units in the cluster. See the "Including the Device ID in Non-EMBLEM Format Syslog Messages" section on page 1-17. |
| show port-channel | Includes information about whether a port-channel is spanned. |

Example 1-4 show conn

To troubleshoot the connection flow, first see connections on all units by entering the cluster exec show conn command on any unit. Look for flows that have the following flags: director (Y), backup (y), and forwarder (z). The following example shows an SSH connection from 172.18.124.187:22 to 192.168.103.131:44727 on all three ASAs: ASA1 has the z flag, showing it is a forwarder for the connection; ASA3 has the Y flag, showing it is the director for the connection; and ASA2 has no special flags, showing it is the owner. In the outbound direction, the packets for this connection enter the inside interface on ASA2 and exit the outside interface. In the inbound direction, the packets for this connection enter the outside interface on ASA1 and ASA3, are forwarded over the cluster control link to ASA2, and then exit the inside interface on ASA2.

```
hostname/ASA1/master# cluster exec show conn
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z
ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO
ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags Y
```

The following is sample output for the show conn detail command:

```
hostname/ASA2/slave# show conn detail
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed,
       C - CTIQBE media, c - cluster centralized,
```
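The flag check described for cluster exec show conn can be scripted when comparing many flows across units. The following is an added example, not code from the Cisco guide: the function name flow_roles and the regular expressions are assumptions of this sketch, and the line formats are inferred only from the sample output on this page.

```python
import re

# Sample input: the three-unit output from the example above. The ASA3 entry
# keeps its flags value wrapped onto the next line to exercise the rejoin step.
SAMPLE = """\
ASA1(LOCAL):**********************************************************
18 in use, 22 most used
Cluster stub connections: 0 in use, 5 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags z
ASA2:*****************************************************************
12 in use, 13 most used
Cluster stub connections: 0 in use, 46 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:00, bytes 37240828, flags UIO
ASA3:*****************************************************************
10 in use, 12 most used
Cluster stub connections: 2 in use, 29 most used
TCP outside 172.18.124.187:22 inside 192.168.103.131:44727, idle 0:00:03, bytes 0, flags
Y
"""

UNIT_RE = re.compile(r"^([\w.-]+)(?:\(LOCAL\))?:\*+$")
CONN_RE = re.compile(r"^(\S+) \S+ (\S+:\d+) \S+ (\S+:\d+),.*\bflags ?(\S*)$")
# Role flags named in the text; per the text, a unit that shows the flow
# with none of these flags is the owner.
ROLE_FLAGS = {"Y": "director", "y": "backup", "z": "forwarder"}


def flow_roles(output):
    """Return {(proto, endpoint_a, endpoint_b): {unit: [roles]}}."""
    lines = []
    for raw in output.splitlines():
        raw = raw.strip()
        # Rejoin a flags value that wrapped onto its own line.
        if lines and lines[-1].endswith("flags") and re.fullmatch(r"[A-Za-z]+", raw):
            lines[-1] += " " + raw
        else:
            lines.append(raw)
    flows, unit = {}, None
    for line in lines:
        m = UNIT_RE.match(line)
        if m:
            unit = m.group(1)  # following lines belong to this cluster unit
            continue
        m = CONN_RE.match(line)
        if m and unit:
            proto, a, b, flags = m.groups()
            roles = [r for f, r in ROLE_FLAGS.items() if f in flags]
            flows.setdefault((proto, a, b), {})[unit] = roles or ["owner"]
    return flows
```

Calling flow_roles(SAMPLE) groups the three per-unit entries under one flow key, so a flow that appears on fewer units than expected, or with no owner entry, stands out when the result is printed.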
Cisco ASA Series CLI Configuration Guide
Monitoring the ASA Cluster
1-55