To the cluster please logon to that unit and re-enable clustering

WARNING: Clustering will be disabled on unit ASA-2.

This also does not remove the cluster configuration:

ASA-1(config)# cluster remove unit ASA-2

To recover either enable clustering or remove cluster group configuration.
Cluster unit ASA-1 transitioned from MASTER to DISABLED

This does not remove the cluster config:

ASA-1(config)# cluster group TwoNodeCluster
Cluster disable is performing cleanup.done.
All data interfaces have been shutdown due to clustering being disabled.

Show the health status of the cluster:

ASA-1# show cluster info health

List the units in the cluster:

ASA-1# show cluster info

Below are a few reference commands to use.

Check the interface mode:

ASA-1# show cluster interface-mode

Now that the cluster is up and running, it’s time to verify it.

INFO: security-level, delay, IP address, cts manual and bfd configuration are cleared on GigabitEthernet0/3.
ASA-1(config-if)# no shut

Cluster Configuration

Additional Cluster Parameters

ASA-1(config)# cluster group TwoNodeCluster
ASA-1(cfg-cluster)# health-check holdtime 3 vss-enabled
ASA-1(cfg-cluster)# conn-rebalance frequency 5

INFO: security-level, delay, IP address, cts manual and bfd configuration are cleared on GigabitEthernet0/2.
ASA-1(config-if)# int gigabitEthernet 0/3
INFO: security-level, delay, IP address, cts manual and bfd configuration are cleared on GigabitEthernet0/1.
ASA-1(config-if)# int gigabitEthernet 0/2
INFO: security-level, delay, IP address, cts manual and bfd configuration are cleared on GigabitEthernet0/0.
ASA-1(config-if)# int gigabitEthernet 0/1

This assumes all cluster units have the same interfaces connected to two switches in the VSS or VPC pair and each unit has the same number of interfaces connected to both switches (vss-id 1 and 2).

CCL Configuration

ASA-1(config)# int gigabitEthernet 0/0
ASA-1(config-if)# channel-group 1 mode active
INFO: lacp port-priority on member interfaces of channel-group Port-channel10 will be controlled by CLACP.

INFO: security-level, delay and IP address are cleared on GigabitEthernet0/3.
ASA-1(config-if)# description Data Interface
ASA-1(config-if)# port-channel span-cluster vss-load-balance
INFO: security-level, delay and IP address are cleared on GigabitEthernet0/1.
ASA-1(config-if)# interface gigabitEthernet 0/7
INFO: security-level, delay and IP address are cleared on GigabitEthernet0/2.
ASA-1(config-if)# interface gigabitEthernet 0/5
ASA-1(config-if)# channel-group 10 mode active vss-id 2
INFO: security-level, delay and IP address are cleared on GigabitEthernet0/0.

Do you still want to continue(y/n)? y

ASA Configuration takes place in three main phases:

Configure Data Interfaces

! Ports connecting to Switch-1
ASA-1(config-if)# channel-group 10 mode active vss-id 1

This interface level command does not take effect until the next member link event(link down/up/no shutdown/shutdown).

Switch-1(config-if)# port-channel port hash-distribution fixed
Switch-1(config-if)# no lacp graceful-convergence
Switch-1(config-if)# switchport mode trunk
Switch-1(config-if)# description ASA-Cluster
Switch-1(config)# interface port-channel 100
Switch-1(config-if-range)# desc ASA-2 Data
Switch-1(config-if-range)# channel-group 100 mode active
Switch-1(config-if-range)# description ASA-1 Data

Now you’re done. Check your Active/Standby status again; this should be the same as the first show failover command in this post.

Switch-1(config)# interface ethernet 110/1/27-28

If your maintenance is finished, you should enable the failover mechanism again on the Standby node:

firewall/stbyNoFailover(config)# failover
Beginning configuration replication from mate.

We’re back on the Active unit and you can see the Secondary in Disabled where it was previously Standby Ready:

firewall/act# show failover

You can see in the output that it adds NoFailover to the CLI prompt.

By disabling failover, this unit will remain in standby state.
INFO: This unit is currently in standby state.

Now log in to the Standby firewall and disable failover very easily via the no failover command in configuration mode:

It is very useful to temporarily disable the Failover mechanism so the Standby firewall stays Standby and you don’t end up in a situation where you have two Active firewalls.

Below is an example of the show failover output of an ASA 5520 (only relevant information is shown in this output):

firewall/act# show failover
Failover LAN Interface: failover GigabitEthernet0/1 (up)

If you have a planned maintenance and you know you will hit your Failover LAN between two ASAs in an Active/Standby configuration.