Instructions Cisco

ASA Clustering Deployment and
Troubleshooting Lab
LTRSEC-2740
Goran Saradzic and Per Hagen
Agenda
Overview (30min)
ASA Clustering Lab (3.5hrs)
Lab POD Access
Tasks divide into Router and Switch-based mechanisms
ASA clustering options
Equal Cost Multipath (ECMP)

1.
2.
3.
ASA Designs in Lab

Exercise workflow
Review, deploy, verify

Bring down one ASA
Measure convergence
Bring ASA back online
LT RSEC-2740
Stand-alone ASAs via OSPF

L3 / Individual Mode Cluster via OSPF
L3 / Individual Mode Cluster via IP SLA
Ether-Channel (ECLB)
2015 Cisco and/or its affiliates. All rights reserved.
4.
5.
L2 /Spanned Mode Cluster in Routed (OSPF to Master )

L2 / Spanned Mode Cluster in Transparent
Cisco Public
Achieving the Best Uptime for Your Applications

Ensuring service and application availability
Tolerance to failure continuing your critical client connections
Solution resiliency know your convergence times
Elastic scale and capacity easily address your future growth
Efficient management low complexity and overhead
Support for redundant locations ability to extend to multiple sites
Workload mobility with security migrate live apps across locations
Traffic normalization for NGFW and NGIPS services
LT RSEC-2740
Cisco Public
Realizing True Values of ASA Firewall Clustering

Scale to 16
Nodes
Simple Mgmt
State Sharing
CCL
One Master
One Config
LT RSEC-2740
Cisco Public
High Availability
Deployment Options
Overview of ASA cluster types, firewall and context modes
Must configure L2 spanned mode cluster to use Transparent firewall
L3 Individual mode requires Routed firewall
Multiple context mode works in both types of clustering
Load Balancing
Firew all Modes and Features
Transparent
Routed
Multiple Contexts
Individual Interface
L3 Method ECMP/ PBR
N/A*
Spanned Interface
L2 Method Ether-Channel LB
LT RSEC-2740
Cisco Public
Prep
Lab Portal
https://labops-out.cisco.com/labops/ilt
Using Class Name,

you will log in first
to add your profile
information, and
then log back in,
to access PODs.
LT RSEC-2740
Cisco Public
Prep
Pick a Pod
LT RSEC-2740
Cisco Public
Prep
Access your POD
LT RSEC-2740
Cisco Public
Prep
Lab Portal Diagram

Open RDP Session Only
ASA, Host, and CSR

sessions are auto-opened
in SuperPutty on the
JumpBox RDP
(see next slide)
.30
If needed, you can

increase the RDP
resolution size
appropriate to
your display.
10
LT RSEC-2740
Click to RDP
login:
Administrator
password:
stgscvt
Cisco Public
10
Prep
Lab Access Credentials

Access Lab Portal with your email and lab-ID, add profile, log back in
JumpBox RDP session (click from portal diagram)
RDP Login: administrator/stgscvt
Full screen makes it easier
ASAs, CSRs, and test hosts are open via SuperPutty shortcut, using credentials:
ASA console: enable password is cisco
CSR SSH: auto-login: admin/cisco
Linux host SSH: auto-login: user/cisco
LT RSEC-2740
Cisco Public
11
Login to All Devices via SuperPutty Shortcut

Once inside the Jumpbox RDP
ASA1
Enable Passwd: cisco
ASA2
Enable Passwd: cisco
CSR1
Login: admin/cisco
Inside Jumpbox, doubleclick on SuperPutty and

you will connect to
all devices through an
out-of-band management
network 172.16.1.0/24
CSR2
Login: admin/cisco
Inside-host
Login: user/cisco
Outside-host
Login: user/cisco
LT RSEC-2740
If any session times out,

re-login to all by
double-clicking on
ASA-CSR-ENDHOSTS
link within Layouts
Cisco Public
12
Prep
Auto-arranged & Auto-login terminals in SuperPutty

In the Jumpbox Double Click on a Shortcut
Prep
Reconnect via
Layouts
Double-click on
ASA-CSR-ENDHOSTS
Inside-host
(IP 10.10.140.30)
./client.iperf
CSR2
show ip route
terminal monitor
(to view log msgs)
CSR1
show ip route
terminal monitor
(to view log msgs)
Outside-host
(IP 172.16.2.44)
./server.iperf
ASA1
show route
show conn
Outside-host
(IP 172.16.2.44)
ping 10.10.140.30
ssh user@10.10.140.30
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44
ssh user@172.16.2.44
ASA2
show route
show conn
LT RSEC-2740
Cisco Public
13
Prep
Open IE or Firefox
Home Page inside RDP
Before You Start, Reset Your Switch

Refresh the POD switch:
Open browser on jumpbox PC to Home Page preset to:

http://172.16.2.40/
Click on the link that says Reset to (initial state)
After 1min, Confirm successful reset as shown here
On this home page are links to bring down/up ASA ports
LT RSEC-2740
Cisco Public
14
Prep
Tasks 1-5
Two IP Paths
1. Stand-alone ASAs as two equal OSPF paths for CSRs
2. Move to L3 cluster with CSR OSPF ECMP
3. Switch to IP SLA, by removing OSPF on ASA L3 cluster
One IP Path over Ether-Channel Port Bundle

4. Move to L2 cluster in Routed mode with OSPF on cluster Master
5. L2 cluster in Transparent mode where CSRs peer directly
LT RSEC-2740
Cisco Public
15
Prep
Task Workflow Example

Inside
Outside
ASA1
CSR1
CSR2
Preview section shows an overview of

items followed by detailed slides
ASA2
Deploy CLI to change into new design
Tests section gives order of setup

tasks needed to complete the testing
Review ASA and CSR configurations
Open ping/ssh/UDP connections
Verify new topology with show outputs
Find which ASA owns connection
Proceed to test the new design
Down a path that owns test connections
Check for connection state recovery

Record measured convergence
LT RSEC-2740
Cisco Public
16
Asymmetric Traffic Flow without state sharing

Test
Conns
Success
UDP
PASS
ping
FAIL
ssh
FAIL
Inspected or Stateful
Connections traversing
ASAs
IP 1.1.1.2
Details
Down ASA2
Open Conns
Up ASA2
IP 1.1.2.2
ASA1
Inside
host
Outside
host
CSR1
CSR2
IP 1.1.2.3
IP 1.1.1.3
ASA2
iPerf UDP connections

are stateless and will
continue to work as both
ASAs will create an entry
in the connection table.
LT RSEC-2740
Steps
Task 1
Cisco Public
17
Ping and SSH will fail

now as forward and
return path of traffic
must come to the
same ASA
ASA Clustering Modes

Individual Interface Mode
Spanned Etherchannel Mode

Cluster members form etherchannel
Cluster members share IP, allow NSF
Each ASA has unique IP address

Adjacent routers use routing (PBR,
OSPF, ECMP)
Layer 3 Adjacent
Etherchannel
Cluster Control Link
Cluster Control Link
Etherchannel
Layer 3 Adjacent
Task 2 and 3
LT RSEC-2740
Task 4 and 5
Cisco Public
18
CSR1#sh ip route
Task 2 & 3
(snip)
O 172.16.2.0/24 [110/12] via 1.1.1.3, 00:07:41, Gig1
[110/12] via 1.1.1.2, 00:18:25, Gig1
CSR2#sh ip route
(snip)
O
10.10.140.0 [110/12] via 1.1.2.3, 00:10:58, Gig1
[110/12] via 1.1.2.2, 00:11:08, Gig1
Layer3 ASA Cluster Design

Router (IP routes) Load-balancing
Master
CCL via
switch
Routers Load-balance to ASAs

PBR or ECMP via OSPF, IP SLA
Inside
IP-A1
Tw o IP paths
IP-B1
ASA1
Cluster Control Link (CCL) used for:

Updating state info between ASAs
Rebalancing of asymmetric traffic
Outside
Tw o paths
CSR1
CSR2
IP-A2
IP-B2
ASA2
LT RSEC-2740
Protocol
Success
UDP
PASS
ping
PASS
ssh
PASS
Slave
ASA Indiv idual Interface Mode

Contexts run in Routed (IP hop)
Cisco Public
19
ASA 9.3 releases enabled

OSPF FastHellos, allowing faster
convergence on ASA failures.
Task 2 & 3
Layer 3 ASA Cluster Routed Firewall

Individual Interface Mode (ECMP)
Inside
VLAN 7
master/a/asa1(config)# sh run int Po1

interface Port-channel1
lacp max-bundle 8
slave/a/asa2(config)# sh run int Po1
interface Port-channel1
lacp max-bundle 8
Po1.7
.1 (.2)
Master
ASA1
Outside
VLAN 8
Po1.8
.1 (.2)
CCL
10.10.140.0/24
master/a/asa1(config)# exec clu sh port-c summ

Group Port-channel Protocol Span-cluste Ports
------+------------+--------+-----------+----1 Po1(U)
LACP
No
Gi0/2(P)
slave/a/asa2(config)# sh port-channel summary
1 Po1(U)
LACP
No
Gi0/2(P)
172.16.2.0/24
Po1
1.1.1.0/24
Inside
Host
CSR1
1.1.2.0/24
Outside
Host
CSR2
Po2
Lab-3750-x-switch#sh etherchannel summary
Each ASA unit peers independently

to neighbor routers and maintains its
ow n instance of the routing table.
CCL
Po1.7
(.3)
ASA2
Slave
LT RSEC-2740
Cisco Public
20
Po1.8
(.3)
Group Port-channel Protocol

Ports
------+-------------+-----------+---------1
Po1(SU)
LACP
Gi1/0/9(P)
2
Po2(SU)
LACP
Gi1/0/14(P)
Workf low:
(1) Open test connections
(2) Determine the connection owner
(3) Proceed to f ail the owner ASA
(4) Measure conv ergence
(5) Recov er down ASA
Testing Resiliency Task 2 & 3

Individual Interface Mode (Equal Cost Multi Path)
ASA1
UP
G0/2
Down
or
ASA2
UP
G0/2
ASA1
G0/3
ASA1
Down
UP
Down
or
Down
Test 3: Disable ASA node via

cluster CLI or dow n CCL port
Po1
Inside
Host
Outside
Host
CSR1
CSR2
Po2
Test 2: Simulate
ASA crash w ith
crashinfo force page-fault
CCL
ASA2
UP
G0/3
CCL
Test 1: Dow n ASA data port on the sw itch

for unit that ow ns TCP/UDP conns
LT RSEC-2740
ASA2
Cisco Public
21
Locating Owner ASA

ASA1
!master/a/admin(config)#
If UDP and TCP conns

are on different ASAs,
pick ASA with UDP
conn as owner, and
proceed to test.
changeto context admin
cluster exec show conn

asa1(LOCAL):**********************************************************
7 in use, 18 most used
Cluster stub connections: 1 in use, 2 most used
UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:55505 inside
10.10.140.30:38842, idle 0:00:00, bytes 883470, flags 10.10.140.30:22, idle 0:01:01, bytes 0, flags
asa2:*****************************************************************
TCP outside
172.16.2.44:55505 inside
UDP outside
172.16.2.44:5001 inside
10.10.140.30:22, idle 0:01:01, bytes 3910, flags UIOB

10.10.140.30:38842, idle 0:00:00, bytes 0, flags Y
master/a/admin(config)#
LT RSEC-2740
Y flag means stub

or backup conn
Cisco Public
Active UDP
connection
22
Active TCP
connection
Measuring Convergence
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
Lost
Pkts/Secs
ping
9 (322-330)
UDP iPerf
9 (326-334)
ssh
N/A
ASA detects
that owner unit
went down
Count the
missed
PINGs
LT RSEC-2740
Protocol
Cisco Public
23
Layer 2 ASA Cluster Design

Switch (Ether-channel) Load-balancing
Task 4 & 5
CSR2# sh ip route
(snip)
Gateway of last resort is 172.16.2.1 to network 0.0.0.0
O
10.10.140.0 [110/12] via 1.1.2.1, 00:21:20, Gig1
Switch(s) load-balance traf f ic to ASAs

using Ether-Channel
C3750-X switch is used in this lab
Only the Master ASA unit peers to

neighboring routers and sync the
routing table to all Slave ASA units.
CCL
Switch
Inside
IP-A1
ASA1
Outside
IP-B1
CSR1
CSR2
ASA2
One IP path over

Ether-Channel Interface.
LT RSEC-2740
ASA Spanned Cluster Mode

ASA Context can run as Routed (IP hop) or
Transparent (Bridging VLANs) firewall.
* In Transparent, routers connect directly
Cisco Public
24
The latest ASA releases enabled

Non-Stop Forwarding, convergence
on ASA failures.
Task 4
Layer 2 ASA Cluster Routed Firewall

Spanned Interface (Ether-channel)
Master
Inside
VLAN 7
Po4.7
.1
ASA1
master/a/asa1(config)# sh port-channel summary

Group Port-channel Protocol Span-cluster Ports
-----+------------+--------+------------+-----2
Po2(U)
LACP
Yes
Gi0/0(P)
Gi0/1(P)
10.10.140.0/24
1.1.1.0/24
Outside
VLAN 8
Po4.8
.1
CCL
Lab-375 0-x# sh et herch annel summ ary

Group Port -chan nel Proto col
Po rts
------+ ---- ----- ----+ ----- ----- -+-- ----- ----- ---1
Po4(SU)
LACP
G i1/0/ 7(P) Gi1 /0/8( P)
Gi1/0/ 12(P ) Gi1 /0/13 (P)
172.16.2.0/24
Po4
1.1.2.0/24
Inside
Host
Outside
Host
CSR1
.200
.200
Po4
CCL
ASA2
Slave
LT RSEC-2740
Cisco Public
25
CSR2
Layer 2 ASA Cluster Transparent Firewall
Task 5
Spanned Interface (Ether-channel)

Master
Inside
VLAN 7
Po4.7
BVI1
ASA1
Po4.8
BVI1
Outside
VLAN 8
CCL
10.10.140.0/24
172.16.2.0/24
Po4
Inside
Host
Outside
Host
CSR1
1.1.1.200/16
1.1.2.200/16
Po4
CSR1#sh ip route ospf

O*E2
O
0.0.0.0/0 [110/1] via 1.1.2.200, 00:00:15, Gig1

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
172.16.2.0/24 [110/2] via 1.1.2.200, 00:00:15, Gig1
CCL
ASA2
Slave
LT RSEC-2740
Cisco Public
26
CSR2
master/a/asa1(config)# sh run interface bvi1

interface BVI1
ip address 1.1.1.1 255.255.0.0
master/a/asa1/admin# sh mac -address-table
interface
mac address
type
Age(min) bridge-group
--------------------------------- -----------------------outside
0050.56bf.dbc2 dynamic
1
1
inside
0050.56bf.34b8 dynamic
5
1
Workf low:
(1) Open test connections
(3) Proceed to f ail the owner ASA
(4) Measure conv ergence
(5) Recov er down ASA
Testing Resiliency Task 4 & 5

Spanned Interface Mode (Ether-channel)
ASA1
UP
G0/0
Down
or
ASA2
UP
G0/0
ASA1
ASA1
Down
UP
G0/1
or
ASA2
UP
Down
G0/1
Down
CCL
Test 1A: Dow n 1st ASA port on the sw itch

Test 1B: Dow n 2nd ASA port on

Sw itch (w orst-case scenario)
Po4
Inside
Host
Outside
Host
CSR1
CSR2
Po4
G0/3
ASA1
UP
Test 2: Simulate
ASA crash w ith
CCL
ASA2
LT RSEC-2740
Cisco Public
27
Down
or
ASA2
UP

G0/3
Down
Task 1
Task 1: Stand-alone ASAs

Interna
l
Preview
IP 1.1.1.2
Tw o paths
IP 1.1.2.2
ASA1
External
Tw o paths
CSR1
CSR2
IP 1.1.1.3
Familiarize yourself with POD topology and

configurations
IP 1.1.2.3
ASA2
Tests
CSR1 and CSR2 load-balancing via OSPF
Down ASA2
Two paths provided by ASA1 and ASA2,
stand-alone firewalls NOT in failover or cluster Attempt connections between hosts
Verify OSPF routes on CSR1 to outside
Bring up downed ASA2
Verify OSPF routes on CSR2 to inside
Check if connections are still active

Attempt connections with two ASA
active
LT RSEC-2740
Cisco Public
28
Task 1
Stand-alone ASAs Diagram

ASA1
1.1.1.0/24
Inside
VLAN 7
Po1.7
(.2)
Outside
VLAN 8
Po1.8
(.2)
10.10.140.0/24
172.16.2.0/24
VLAN 15
VLAN 4
gig1
gig2
.30
Inside
host
1.1.2.0/24
Master
.200
.200
.44
Outside
host
Internal
CSR1
CSR2
Po2.7
(.3)
Po2.8
(.3)
ASA2
LT RSEC-2740
gig2
gig1
.200
.1
Cisco Public
29
External
Verify
CSR1 and CSR2 routes to two next-hop ASAs
CSR2
CSR1
!CSR1 OSPF routes
!CSR2 OSPF routes
!CSR1#
!CSR2#
sh ip route ospf
sh ip route ospf
(snip)
(snip)
O*E2
O*E2
0.0.0.0/0 [110/1] via 1.1.1.3, 00:00:28, GigabitEthernet1

[110/1] via 1.1.1.2, 00:10:23, GigabitEthernet1
10.0.0.0/24 is subnetted, 1 subnets

O
CSR2#
CSR1#
LT RSEC-2740
Cisco Public
10.10.140.0 [110/12] via 1.1.2.3, 00:01:02, GigabitEthernet1


O


O
0.0.0.0/0 [110/1] via 172.16.2.1, 3d14h, GigabitEthernet2


O
Task 1
30
ASA1 and ASA2 routes to CSRs
Verify
Task 1
ASA2
ASA1
!changeto context admin to show OSPF routes
!asa2#
!asa1#
!asa2/admin#
!asa1/admin#
sh route
sh route

C
1.1.1.0 255.255.255.0 is directly connected, inside
1.1.2.0 255.255.255.0 is directly connected, outside
172.16.1.0 255.255.255.0 is directly connected, mgmt
172.16.3.1 255.255.255.255 [110/12] via 1.1.2.200, 1:35:11, outside
O
172.16.3.1 255.255.255.255 [110/12] via 1.1.2.200, 1:35:58,
outside
172.16.2.0 255.255.255.0 [110/11] via 1.1.2.200, 1:35:11, outside
172.16.2.0 255.255.255.0 [110/11] via 1.1.2.200, 1:35:58, outside
10.10.140.0 255.255.255.0 [110/11] via 1.1.1.200, 1:35:11, inside
10.10.140.0 255.255.255.0 [110/11] via 1.1.1.200, 1:35:58, inside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 1.1.2.200, 1:35:58, outside
O*E2 0.0.0.0 0.0.0.0 [110/1] via 1.1.2.200, 1:35:11, outside
asa2/admin#
asa1/admin#
LT RSEC-2740
Cisco Public
31
Remove 2 nd path b/t CSRs
Remove ASA2 Path

Open IE/Firefox
inside RDP
Shut down ASA2 data ports on Switch
To shutdown ASA2 ports on the switch, use browser home page on jumpbox PC,
pointing to link: http://172.16.2.40/
Disable ASA2
G0/3 port
Disable ASA2
G0/2 port
LT RSEC-2740
Task 1
Cisco Public
32
CSR1 and CSR2 routes to one ASA
Verify
One path between CSRs

CSR2
CSR1
!CSR1 OSPF routes
!CSR2 OSPF routes
!CSR1#
!CSR2#
sh ip route ospf
sh ip route ospf
(snip)
(snip)
O*E2
O*E2

Task 1

O

CSR2#
Cisco Public


O
CSR1#
LT RSEC-2740
33
Modify iPerf Run Time
Allow iPerf to run UDP throughout

duration of your lab
Task 1
InsideHost
#user@lubuntu:~$
cat client.iperf
iperf -u t 260 -i 1 -c 172.16.2.44 -b 0.0941m
user@lubuntu:~$
#Change t flag to 20000, to allow iPerf to send for 4 hours
#You can use your favorite UNIX editor installed, vi or pico
#This will allow you to run UDP traffic throughout duration of the lab
pico client.iperf
#Change to: -t 20000
#user@lubuntu:~$
cat client.iperf
iperf -u t 20000 -i 1 -c 172.16.2.44 -b 0.0941m
user@lubuntu:~$
LT RSEC-2740
Cisco Public
34
Change iPerf t flag to from 260 to 20000

iperf help
(snip)
-t, --time n
time in seconds to transmit for
(default 10 secs)
Task 1
Setup Test Connections

iPerf UDP packets sending from Inside to Outside Host
Inside-host
(IP 10.10.140.30)
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44
Outside-host
(IP 172.16.2.44)
ssh user@10.10.140.30
(passwd: cisco)
Ping Inside to Outside and SSH Outside to Inside

LT RSEC-2740
Cisco Public
35
Setup Test Conns Cont
Ping from inside to outside linux
Task 1
Start iPerf UDP flow

OutsideHos
t
InsideHost
#On top left terminal, ping to outside -lnx
#user@inside-lnx:~$
ping 172.16.2.44
PING 172.16.2.44 (172.16.2.44) 56(84) bytes of data.
#On top right terminal, Server listens and receives client UDP traffic
#user@outside-lnx:~$
Verify if you
can ping.
./server.iperf
------------------------------------------------------------
64 bytes from 172.16.2.44: icmp_req=1 ttl=62 time=1.61 ms
Server listening on UDP port 5001
Receiving 1470 byte datagrams

UDP buffer size:
Verify you can

receive UDP.
112 KByte (default)
#on bottom left terminal, start a 4min iperf UDP connection to outside -lnx
------------------------------------------------------------
#user@inside-lnx:~$
./client.iperf
Transfer
Bandwidth
Jitter
------------------------------------------------------------
[ ID] Interval
Datagrams
Client connecting to 172.16.2.44, UDP port 5001
11.5 KBytes
94.1 Kbits/sec
0.075 ms
Sending 1470 byte datagrams
3]
1.0- 2.0 sec
11.5 KBytes
94.1 Kbits/sec
0.087 ms
0/
8 (0%)
UDP buffer size:
3]
0.0- 2.5 sec
28.7 KBytes
94.1 Kbits/sec
0.083 ms
0/
20 (0% )
112 KByte (default)
3] local 172.16.2.44 port 5001 connected with 10.10.140.30 port 56904
3]
0.0- 1.0 sec
Lost/Total
0/
8 (0%)
-----------------------------------------------------------[
### When server is not receiving packets, output will show (-nan%)
[ ID] Interval
Transfer
3]
0.0- 1.0 sec
12.9 KBytes
106 Kbits/sec
3]
1.0- 2.0 sec
11.5 KBytes
94.1 Kbits/ sec
LT RSEC-2740
### You can count the number of seconds server could not receive packets
[ 3] 21.0-22.0 sec 0.00 Bytes 0.00 bits/sec
0.067 ms
0/
0 (-nan%)
0.067 ms
0/
0 (-nan%)
0.067 ms
0/
0 (-nan%)
Bandwidth
Cisco Public
36
Ssh from outside to inside linux
Setup Test Conn Cont
Task 1
OutsideHost
OutsideHost
#On bottom right terminal, open ssh connection outside to inside
#If this session locks up, it should drop out within 5min w/ error
user@outside-lnx:~$
user@lubuntu:~$ Write failed: Broken pipe
ssh -l user 10.10.140.30

user@10.10.140.30's password:
Verify you can

ssh b/t hosts
user@lubuntu:~$
#You can kill it by typing ~. w/ no single quotes
(snip)
#Then re-open it
Last login: Tue Nov 26 14:44:35 2013 from 172.16.2.44
user@outside-lnx:~$
user@inside-lnx:~$
ssh -l user 10.10.140.30

(snip)
user@inside-lnx:~$
LT RSEC-2740
Cisco Public
37
Enable 2nd path b/t CSRs
Re-enable ASA2
Open IE link
inside RDP
This will add asymmetry of traffic through ASAs
To shutdown ASA1 or ASA2 ports on the switch, use browser on jumpbox PC and
open link: http://172.16.2.40/
Enable ASA2
G0/2
Task 1
Enable ASA2
G0/3
Tw o paths
ASA1
CSR1
iPerf UDP connections

are stateless and will
continue to work as both
ASAs will create an entry
in the connection table.
Tw o paths
CSR2
ASA2
Ping and SSH will fail

now as forward and
return path of traffic
must come to the
same ASA
LT RSEC-2740
Cisco Public
38
CSR1 and CSR2 routes to two ASAs
Verify
CSR2
CSR1
!CSR1 OSPF routes
!CSR2 OSPF routes
!CSR1#
CSR2#
sh ip route ospf
sh ip route ospf
(snip)
(snip)
O*E2
O*E2


O
CSR2#
CSR1#
LT RSEC-2740
Cisco Public


O


O


O
Task 1
39
Task 1
Verify Test Connections

When traffic goes through two ASA not in a cluster
Inside-host
(IP 10.10.140.30)
Here we just send
packets
Protocol
Outside-host
(IP 172.16.2.44)
UDP traffic still being
received?
Task 1
Pass / Fail
ping
UDP iPerf
ssh
Outside-host
(IP 172.16.2.44)
ssh session still working?
Inside-host
(IP 10.10.140.30)
ping still working?
what traffic is not able to pass these stateful devices?

LT RSEC-2740
Cisco Public
40
Task 2
CCL
Task 2: L3 Cluster in OSPF

Preview
IP 1.1.1.2
Interna
l
IP 1.1.2.2
External
ASA1
IP 1.1.1.3
Form individual interface mode or L3

cluster
CSR1
IP 1.1.2.3
CSR2
Clear both ASA1 and ASA2 configurations

ASA2
Copy task2-system.cfg to ASA1 and watch it

become a master
Tests
Enter configuration on ASA2 slave via CLI and Open connections through cluster
watch it detect and sync config from master
Down ASA that owns the connection using
one of four failure scenarios
CSR1/CSR2 are still load-balancing via OSPF
Two paths provided by ASA1 and ASA2, now
maintain state as L3/Individual cluster
Check if any connections become

responsive
Verify OSPF routes on CSR1 to outside
Measure Convergence of connections
Verify OSPF routes on CSR2 to inside
Bring ports back Up and enable down ASA
LT RSEC-2740
Cisco Public
41
Task 2
Individual Cluster Diagram

ASA1
1.1.1.0/24
1.1.2.0/24
Master
Inside
VLAN 7
Po1.7
.1 (.2)
Po1.8
.1 (.2)
Master
10.10.140.0/24
Each ASA node has a

unique IP on inside and
outside VLANs.
Outside
VLAN 8
G0/3
.1
172.16.2.0/24
VLAN 15
VLAN 4
gig1
gig2
.30
Inside
host
2.2.2.0/24
gig2
gig1
.200
.1
.200
.200
CCL VLAN 25
Outside
host
Internal
CSR1
Po2.7
(.3)
CSR2
G0/3
.2
Slave
Po2.8
(.3)
mgmt_pool
Inside_pool
Outside_pool
172.16.1.2-172.16.1.10
1.1.1.2-1.1.1.10
1.1.2.2-1.1.2.10
ASA2
LT RSEC-2740
.44
Cisco Public
42
External
ASA1 is master, ASA2 is slave in Individual mode cluster
Enable the Cluster

ASA1
Task 2
ASA2
!Must enable and change to system context
!In system
!Feedback
context
from
clear
ASA2
cfg,
after
enable
enabling
cluster mode, and apply ASA2 cfg
changeto
system
asa2/a#(config)#ena
changeto system
config terminal
config terminal
ClusterDisabled/a(cfg-cluster)#
clear config
allCluster Master.
Detected
!Clear configuration on ASA1
no cluster
INFO:interface-mode
UC-IME is enabled, issuing 0 free TLS licenses for UC-IME
clusterBeginning
interface-mode
individual
force
configuration
replication
from Master .
clear config all
!Bring up
interface
for CCL
WARNING:
Removing
all contexts in the system
interface
GigabitEthernet0/3
Removing context 'admin' (7)... Done
sh cluster interface -mode

no cluster interface -mode
no shut
INFO: Admin context is required to get the interfaces
!Define***
cluster
group
Output
from config line 64, "arp timeout 14400"
clusterINFO:
groupAdmin
fw
context is required to get the interfaces
local-unit
asa2 from config line 65, "no arp permit-nonconnect..."
*** Output
!Force the change to individual mode

cluster interface-mode individual force
copy /noconfirm milan/task2 -system.cfg running-config
cluster-interface
GigabitEthernet0/3
ip 2.2.2.2
255.255.255.0
Creating context
'admin'... Done.
(8)
priority
20
*** Output from config line 68, "admin -context admin"
!If prompted, you MUST confirm Y for YES, remove these commands
console-replicate
1952 bytes copied in 5.220 secs (390 bytes/sec)
health-check
3
WARNING:holdtime
Skip fetching
the URL disk0:/a.cfg
clacp system-mac auto system-priority 1
copy /noconfirm milan/task2 -admin.cfg task2-admin.cfg
ClusterDisabled/a/asa1(config)#
enableCryptochecksum (changed): 0e8178ab 18e3d553 aabeee98 f2192418

! ASA2 will
detect the Master,
sync config,
and become a Slave unit
End configuration
replication
from Master.
!Detected Cluster Master.
!Now wait 1 min for ASA1 to become Master through election process
!Cluster unit asa1 transitioned from DISABLED to MASTER
!Save configuration on Master
!Cluster
unit asa2
from DISABLED
to SLAVE
Cluster
unit transitioned
asa2 transitioned
from DISABLED
to SLAVE
write memory all
!Save configuration on Slave

write memory all
LT RSEC-2740
Cisco Public
43
Review and Verify
ASA nodes in cluster and OSPF routes
ASA1
Task 2
ASA1
!ASA1 i s Ma ster and A SA2 i s Sla ve
!Verify OSPF relationships to CSRs from admin context
!master /a/a sa1(c onfig )#

!
sh clus ter inf

Cluster fw: On
sh run router
Int erfa ce mo de: i ndivi dual
!Verify configuration Output
Thi s is "asa 1" in stat e MAS TER
router ospf 1
ID
: 0
network 1.1.1.0 255.255.255.0 area 0
Ver sion
: 9 .3(2)
network 1.1.2.0 255.255.255.0 area 0
Ser ial N o.: F CH161 07JEN
timers pacing lsa-group 10
CCL IP
: 2 .2.2. 1
timers throttle spf 100 200 1000
CCL MAC
: 5 057.a 8e1.4 8a4
log-adj-changes
(snip)
Other m embe rs in the clust er:
Uni t "a sa2" in st ate S LAVE
sh route ospf
ID
: 1
(snip)
Ver sion
: 9 .3(2)
Ser ial N o.: F CH161 07JG9
O*E2
CCL IP
: 2 .2.2. 2
10.10.140.0 255.255.255.0 [110/11] via 1.1.1.200, 00:23:06, inside
CCL MAC
: c 464.1 339.9 b07
172.16.2.0 255.255.255.0 [110/11] via 1.1.2.200, 00:23:06, outside
172.16.3.1 255.255.255.255 [110/12] via 1.1.2.200, 00:23:06, outside
(snip)
!master /a/a sa1(c onfig )#
LT RSEC-2740
Cisco Public
44
0.0.0.0 0.0.0.0 [110/1] via 1.1.2.200, 00:23:06, outside
CSR1 and CSR2 routes to two ASAs
Verify
CSR2
CSR1
!CSR1 OSPF routes
!CSR2 OSPF routes
!CSR1#
!CSR2#
sh ip route ospf
sh ip route ospf
(snip)
(snip)
O*E2
O*E2


O
CSR2#
CSR1#
LT RSEC-2740
Cisco Public


O


O


O
Task 2
45
Task 2

Inside-host
(IP 10.10.140.30)
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44
Outside-host
(IP 172.16.2.44)
ssh user@10.10.140.30
(passwd: cisco)
Ping Inside to Outside and SSH Outside to Inside

LT RSEC-2740
Cisco Public
46
Setup Test Conns Output

InsideHost
Ping from inside to outside linux
Task 2
Start iPerf UDP flow
OutsideHost
#In first terminal, watch the ping to OutsideHost
#user@outside-lnx:~$
#user@inside-lnx:~$
./server.iperf
ping 172.16.2.44
------------------------------------------------------------
PING 172.16.2.44 (172.16.2.44) 56(84) bytes of data.
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size:
112 KByte (default)
-----------------------------------------------------------#In second terminal, start iperf UDP connection to OutsideHost
user@inside-lnx:~$
Transfer
Bandwidth
Jitter
./client.iperf
[ ID] Interval
Datagrams
------------------------------------------------------------
3]
0.0- 1.0 sec
11.5 KBytes
94.1 Kbits/sec
0.075 ms
0/
Client connecting to 172.16.2.44, UDP port 5001
3]
1.0- 2.0 sec
11.5 KBytes
94.1 Kbits/sec
0.087 ms
0/
8 (0%)
Sending 1470 byte datagrams
3]
0.0- 2.5 sec
28.7 KBytes
94.1 Kbits/sec
0.083 ms
0/
20 (0% )
UDP buffer size:
8 (0%)
### Again, when server is not receiving packets, output will show (-nan%)
### You can count the number of seconds server could not receive packets
0.067 ms
0/
0 (-nan%)
0.067 ms
0/
0 (-nan%)
0.067 ms
0/
0 (-nan%)
[ ID] Interval
Transfer
3]
0.0- 1.0 sec
12.9 KBytes
106 Kbits/sec
3]
1.0- 2.0 sec
11.5 KBytes
94.1 Kbits/ sec
LT RSEC-2740
Lost/Total
112 KByte (default)
-----------------------------------------------------------[
Bandwidth
Cisco Public
47
Ssh from outside to inside linux
Setup Test Conns

OutsideHost
!user@outside-lnx:~$
ssh -l user 10.10.140.30
!user@10.10.140.30's password : (cisco is the password)
(snip)

user@inside-lnx:~$
# This will serve to measure how long it takes for TCP connection to recover
# Enter a single character on this session during convergence to notice when session recovers
# If you enter more output on
LT RSEC-2740
this session, TCP backoff mechanism will
Cisco Public
48
Task 2
Locate Owner ASA
Locate conn owner ASA
Task 2
You will next down ASA that owns most connections
ASA1

pick ASA with UDP
conn as owner, and
proceed to test.
cluster exec sh conn

asa1(LOCAL):**********************************************************

UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:55505 inside
10.10.140.30:38842, idle 0:00:00, bytes 883470, flags 10.10.140.30:22, idle 0:01:01, bytes 0, flags y
asa2:*****************************************************************

TCP outside
172.16.2.44:55505 inside
UDP outside
172.16.2.44:5001 inside

LT RSEC-2740
Y flag means stub

or backup conn
Cisco Public
Active UDP
connection
49
Active TCP
connection
Task 2
Testing Resiliency Summary

Individual Mode (ECMP) Proceed to next slide for detailed instructions
ASA1
UP
G0/2
Down
or
ASA2
UP
G0/2
ASA1
G0/3
ASA1
Down
UP
Down
or
Down

Po1
Inside
Host
Outside
Host
CSR1
CSR2
Po2
Test 2: Simulate
ASA crash w ith
CCL
ASA2

(2) Shut down the port on owner ASA
UP
G0/3
CCL
Test 1: Dow n 1st ASA port on the sw itch

LT RSEC-2740
ASA2
Cisco Public
50
Task 2
Verify Test Connections are up

Measure connection convergence of each test: 1A, 1B, 2, and 3
Inside-host
(IP 10.10.140.30)
Still sending packets
./client.iperf
Outside-host
(IP 172.16.2.44)
UDP packets arriving?
./server.iperf
Outside-host
(IP 172.16.2.44)
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44
after locating ASA unit that owns your connections.

LT RSEC-2740
Cisco Public
51
Remove the data port on owner ASA
Test 1
Protocol
Task 1
Lost
Pkts/Secs
Observe and record if any packets were lost and

if there was any impact on SSH session
Open IE/Firefox
inside RDP
ping
UDP iPerf
ssh
Disable ASA
G0/2 port
LT RSEC-2740
Task 2
Cisco Public
52
Measure
Count how many UDP packets you lost
Task 2
Count how many ping packets were lost
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
Compare PING
req counts
to find lost
pkt count
LT RSEC-2740
Cisco Public
53
Recover Down ASA
Up or no shut G0/2 port on down ASA
Task 2
Enable cluster config on down ASA to add it the

cluster immediately
Down ASA
Enable ASA
G0/2 port
! Re-join approriate ASA unit

changeto system
config terminal
!Define cluster group
cluster group fw
enable
!Wait for ASA to detect master, finish sync, and become a Slave unit
!Cluster unit asa2 transitioned from DISABLED to SLAVE
Down ASA may retry to

join after 5min on its
own, but will only
transition to SLAVE
after G0/2 is enabled
LT RSEC-2740
Cisco Public
54
Task 2

Inside-host
(IP 10.10.140.30)
Restart if needed
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44

LT RSEC-2740
Cisco Public
55
Locate Owner ASA
Task 2
ASA1

pick ASA with UDP
conn as owner, and
proceed to test.

asa1(LOCAL):**********************************************************

UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:55505 inside
asa2:*****************************************************************

TCP outside
172.16.2.44:55505 inside
UDP outside
172.16.2.44:5001 inside

LT RSEC-2740
Y flag means stub

or backup conn
Cisco Public
Active UDP
connection
56
Active TCP
connection
Test 2
Simulate a crash on owner ASA
Task 2

Owner ASA
! Write configs and simulate ASA crash
write memory all
crashinfo force page -fault
!ASA will boot, detect master, perform sync, and become a
Slave unit
Simulate crash
on owner ASA
Protocol
Crash owner
ASA w/ CLI
ping
UDP iPerf
ssh
LT RSEC-2740
Cisco Public
57
Task 2
Lost
Pkts/Secs
Measure
Task 2
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
ASA detects
that owner unit
went down
LT RSEC-2740
Cisco Public
58
Crashed ASA Re-joins
LT RSEC-2740
Cisco Public
After reboot, unit rejoins cluster
Task 2
Detects master, syncs config, and becomes a

slave unit
59
Task 2

Inside-host
(IP 10.10.140.30)
Restart if needed
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44

LT RSEC-2740
Cisco Public
60
Locate Owner ASA
Task 2
ASA1

pick ASA with UDP
conn as owner, and
proceed to test.

asa1(LOCAL):**********************************************************

UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:55505 inside
asa2:*****************************************************************

TCP outside
172.16.2.44:55505 inside
UDP outside
172.16.2.44:5001 inside

LT RSEC-2740
Y flag means stub

or backup conn
Cisco Public
Active UDP
connection
61
Active TCP
connection
ASA1 and ASA2 routes to CSRs
Lets try shorter dead-intervals
CSR2
CSR1
!change spf dead-interval from 30sec to 3sec
!CSR1#
!CSR1#
interface GigabitEthernet1
ip ospf dead-interval 3
ip ospf dead-interval 3
ASA
Master
ASA
Master
!Verify OSPF routes
!master/a/asa1/admin(config)#
sh route ospf
interface inside
(snip)
ospf dead-interval 3
O*E2
interface outside
10.10.140.0 255.255.255.0 [110/11] via 1.1.1.200, 00:14:37, inside
ospf dead-interval 3
172.16.2.0 255.255.255.0 [110/11] via 1.1.2.200, 00:15:19, outside
172.16.3.1 255.255.255.255 [110/12] via 1.1.2.200, 00:15:19, outside
LT RSEC-2740
Cisco Public
0.0.0.0 0.0.0.0 [110/1] via 1.1.2.200, 00:15:19, outside
62
Task 2
Test 3
Protocol
Shutdown the CCL port on owner ASA

Task 3
Lost
Pkts/Secs
ping
UDP iPerf
ssh
Disable ASA
CCL port
LT RSEC-2740
Task 2
Cisco Public
63
Measure
Task 2
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
Count the
missed
PINGs
LT RSEC-2740
ASA detects
that owner unit
went down
Cisco Public
64
Up the CCL port on down ASA
Recover Down ASA
Task 2
Enable cluster group to immediately add ASA to

the cluster
Down ASA
changeto system
config terminal
cluster group fw
enable
Enable ASA
CCL port
LT RSEC-2740
Cisco Public
65
Task 3
CCL
Task 3: L3 Cluster in IP SLA
IP 1.1.1.2
Interna
l
IP 1.1.2.2
IP 1.1.1.3
Preview
External
ASA1
IP 1.1.2.3
CSR1
CSR2
Stay in L3 or individual interface mode and

proceed to applying Task 3 CLI.
ASA2
Remove OSPF config on ASA master only
Tests
Check IP SLA configs on CSRs
Open test connections through cluster
CSR1 and CSR2 still load-balancing but now

via IP SLA tracks
Down ASA that owns the connection
Two paths still there with ASA1 and ASA2, still

maintain state as L3/Individual cluster
Verify IP SLA routes on CSR1 to outside
Verify IP SLA routes on CSR2 to inside
LT RSEC-2740
Cisco Public
66
Check when the connection state active

Measure convergence
Task 3
Individual Cluster Diagram

ASA1
1.1.1.0/24
1.1.2.0/24
Master
Inside
VLAN 7
Po1.7
.1 (.2)
Po1.8
.1 (.2)
Master
10.10.140.0/24
Each ASA node has a

unique IP on inside and
outside VLANs.
Outside
VLAN 8
G0/3
.1
172.16.2.0/24
VLAN 15
VLAN 4
gig1
gig2
.30
Inside
host
2.2.2.0/24
gig2
gig1
.200
.1
.200
.200
CCL VLAN 25
Outside
host
Internal
CSR1
Po2.7
(.3)
CSR2
G0/3
.2
Slave
Po2.8
(.3)
mgmt_pool
Inside_pool
Outside_pool
172.16.1.2-172.16.1.10
1.1.1.2-1.1.1.10
1.1.2.2-1.1.2.10
ASA2
LT RSEC-2740
.44
Cisco Public
67
External
CSR1 and CSR2 OSPF routes to two ASAs
Verify
CSR2
CSR1
!CSR1 OSPF routes
!CSR2 OSPF routes
!CSR1#
!CSR2#
sh ip route ospf
sh ip route ospf
(snip)
(snip)
O*E2
O*E2


O
CSR2#
CSR1#
LT RSEC-2740
Cisco Public


O


O


O
Task 3
68
On Master ASA remove OSPF
CLI
ASA
Master
ASA
Master
!ASA1 i n th is ca se is Mast er
!Verify master routing relationships to host networks
master/ a/as a1(co nfig) # sh clu i nf | i st ate
!
Thi s is "asa 1" in stat e MAS TER

Uni t "a sa2" in st ate S LAVE
show route
master/ a/as a1(co nfig) #
!Change to admin cont ext
changet o co ntext admi n
10.10.140.0 255.255.255.0 [200/0] via 1.1.1.200, inside
!master /a/a dmin( confi g)#
S*
0.0.0.0 0.0.0.0 [200/0] via 1.1.2.200, outside
sh run rout er
master/a/asa1/admin(config)#
!ASA2 Slave
router ospf 1
!slave/a/asa2/admin(config)#
networ k 1. 1.1.0 255. 255.2 55.0 area 0
sh route
networ k 1. 1.2.0 255. 255.2 55.0 area 0
timers spf 1 1
timers lsa -grou p-pac ing 1
log-ad j-ch anges
10.10.140.0 255.255.255.0 [200/0] via 1.1.1.200, inside
S*
0.0.0.0 0.0.0.0 [200/0] via 1.1.2.200, outside
master/ a/ad min(c onfig )#

changet o co ntext admi n
slave/a/asa2/admin(config)#
no rout er o spf 1
LT RSEC-2740
Cisco Public
69
Task 3
CSR1 and CSR2 static routes to two ASAs
Verify
CSR2
CSR1
!CSR1 IP SLA routes
!CSR2 IP SLA routes
!CSR1#
!CSR2#
sh ip route
sh ip route
(snip)
(snip)
S*
O*E2
0.0.0.0/0 [200/0] via 1.1.1.3

[200/0] via 1.1.1.2
1.1.1.0/24 is directly connected, GigabitEthernet1


C
Task 3
1.1.1.0/24 [200/0] via 1.1.2.3

[200/0] via 1.1.2.2

CSR1#
10.10.140.0 [200/0] via 1.1.2.3

[200/0] via 1.1.2.2

C
CSR2#
LT RSEC-2740
Cisco Public
70
Task 3

Inside-host
(IP 10.10.140.30)
Restart if needed
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44

LT RSEC-2740
Cisco Public
71
Locate Owner ASA
You will then do test 1 with this owner ASA
ASA1
asa1(LOCAL):**********************************************************
UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:58952 inside
asa2:*****************************************************************

TCP outside
172.16.2.44:58952 inside
UDP outside
172.16.2.44:5001 inside

10.10.140.30:60810, idle 0:00:14, bytes 0, flags -Y
LT RSEC-2740
Task 3
Cisco Public
72
Task 3
Testing Resiliency of ASA Cluster Designs

Individual Mode (ECMP)
ASA1
UP
G0/2
Down
or
ASA2
UP
G0/2
ASA1
G0/3
ASA1
Down
UP
Down
or
Down

Po1
Inside
Host
Outside
Host
CSR1
CSR2
Po2
Test 2: Simulate
ASA crash w ith
CCL
ASA2

UP
G0/3
CCL
Test 1: Dow n 1st ASA port on the sw itch

LT RSEC-2740
ASA2
Cisco Public
73
Remove the data port on owner ASA
Test 1
Protocol
Task 1
Lost
Pkts/Secs

Open IE/Firefox
inside RDP
ping
UDP iPerf
ssh
Disable ASA
G0/2 port
LT RSEC-2740
Task 3
Cisco Public
74
Measure
Task 3
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
Count the
missed
PINGs
LT RSEC-2740
ASA detects
that owner unit
went down
Cisco Public
75
CSR1 and CSR2 have one route to ASA
Verify
Task 3
CSR2
CSR1
!CSR1 IP SLA routes
!CSR2 IP SLA routes
!CSR1#
!CSR2#
sh ip route
sh ip route
(snip)
(snip)
S*
O*E2
0.0.0.0/0 [200/0] via 1.1.1.3


1.1.1.0/24 [200/0] via 1.1.2.3
CSR1#
10.10.140.0 [200/0] via 1.1.2.3

CSR2#
LT RSEC-2740

Cisco Public
76
Recover Down ASA
Up or no shut G0/2 port on down ASA
Task 3

cluster immediately
Down ASA
Enable ASA
G0/2 port

changeto system
config terminal
cluster group fw
enable
LT RSEC-2740
Cisco Public
77
Locate Owner ASA
ASA1
asa1(LOCAL):**********************************************************
UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:58952 inside
asa2:*****************************************************************

TCP outside
172.16.2.44:58952 inside
UDP outside
172.16.2.44:5001 inside

LT RSEC-2740
Task 3
Cisco Public
78
Test 2
Simulate a crash on owner ASA
Task 3

Owner ASA
changeto system
write memory all
crashinfo force page -fault
!Wait for ASA to boot up, detect master, finish sync, and
become a Slave unit
Simulate crash
on owner ASA
Protocol
Crash owner
ASA w/ CLI
ping
UDP iPerf
ssh
LT RSEC-2740
Cisco Public
79
Task 2
Lost
Pkts/Secs
Measure
Task 3
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
ASA crashes
Count the
missed
PINGs
LT RSEC-2740
Cisco Public
80
Crashed ASA Re-joins
LT RSEC-2740
Cisco Public
After reboot, unit rejoins cluster
Task 3
Detects master, syncs config, and becomes a

slave unit
81
Task 3

Inside-host
(IP 10.10.140.30)
Restart if needed
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44

LT RSEC-2740
Cisco Public
82
Locate Owner ASA
ASA1
asa1(LOCAL):**********************************************************
UDP outside
172.16.2.44:5001 inside
TCP outside
172.16.2.44:58952 inside
asa2:*****************************************************************

TCP outside
172.16.2.44:58952 inside
UDP outside
172.16.2.44:5001 inside

LT RSEC-2740
Task 3
Cisco Public
83
Test 3
Protocol
Shutdown the CCL port on owner ASA

Task 3
Lost
Pkts/Secs
ping
UDP iPerf
ssh
Disable ASA
CCL port
LT RSEC-2740
Task 3
Cisco Public
84
Measure
Task 3
Count (nan%)
UDP packets
that were lost,
and record in your
convergence table
ASA switches
to Master role
Count the
missed
PINGs
LT RSEC-2740
Cisco Public
85
Recover Down ASA
Up or no shut CCL port on down ASA
Task 3

cluster immediately
Down ASA
Enable ASA
CCL port

changeto system
config terminal
cluster group fw
enable
LT RSEC-2740
Cisco Public
86
Task 3*
CCL
Task 3 Bonus*: Add PAT
IP 1.1.1.2
IP 1.1.2.2
(optional)
Interna
l
IP 1.1.1.3
Preview
External
ASA1
IP 1.1.2.3
CSR1
CSR2
This is a bonus task that involves ASA and

CSR configuration changes.
ASA2
Add Port Address Translation to outside

interface of ASA L3 cluster with IP SLA.
Tests
Add equal cost routes for new PAT network

on CSR2.
Open a ssh connection through cluster
Check when connection state is active
Verify IP SLA routes on CSR2 for PAT pool

network
LT RSEC-2740
Cisco Public
No need to reopen the connection
87
ASA PAT config
CLI
CSR2 routes to PAT network on ASA
CSR2
!CSR2
config terminal
ASA
Master
ip route 1.1.3.0 255.255.255.0 1.1.2.2 200 track 1

ip route 1.1.3.0 255.255.255.0 1.1.2.3 200 track 2
!ASA master
CSR2# show ip route
master/a/asa1(config)#
(snip)
S
1.1.3.0/24 [200/0] via 1.1.2.3
[200/0] via 1.1.2.2
config terminal
object network pat-ips
OutsideHost
range 1.1.3.2 1.1.3.3

object network inside-network
subnet 10.10.140.0 255.255.255.0
!Must add routed on outside linux to new network
sudo route add -net 1.1.3.0/24 gw 172.16.2.200
[sudo] password for user : cisco
nat (inside,outside) dynamic pat -pool pat-ips
LT RSEC-2740
user@lubuntu:~$
Cisco Public
88
Task 3*
Setup Test Connections with Xlates
Task 3*

Outside-host
(IP 172.16.2.44)
./server.iperf
Inside-host
(IP 10.10.140.30)
./client.iperf
Outside-host
(IP 172.16.2.44)
Can not go to inside now
without a static NAT
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44 or
Ssh user@172.16.2.44
Ping and SSH Inside to Outside

LT RSEC-2740
Cisco Public
89
Show conns and xlates on ASA cluster
Verify translations
Task 3*
ASA
Master
ASA
Master
! You can also try show conn detail to decode the flags
cluster exec sh xlate

asa2(LOCAL):**********************************************************
asa2(LOCAL):**********************************************************
TCP outside 172.16.2.44:22 inside
bytes 0, flags Y
UDP outside 172.16.2.44:5001 inside
bytes 2072700, flags -
ICMP outside 172.16.2.44:0 inside

5432, flags
TCP PAT from inside:10.10.140.30/41221 to outside:1.1.3.2/41221 flags

ri idle 0:00:11 timeout 0:00:30
10.10.140.30:41221, idle 0:00:29,
UDP PAT from inside:10.10.140.30/49741 to outside:1.1.3.3/49741 flags

10.10.140.30:49741, idle 0:00:00,
ICMP PAT from inside:10.10.140.30/6300 to outside:1.1.3.3/6300 flags

10.10.140.30:6300, idle 0:00:00, bytes
asa1:*****************************************************************
asa1:*****************************************************************


bytes 5286, flags UxIO
UDP outside 172.16.2.44:5001 inside
bytes 0, flags Y

0, flags Y
LT RSEC-2740
UDP PAT from inside:10.10.140.30/49741 to outside:1.1.3.3/49741 flags

10.10.140.30:41221, idle 0:00:29,
ICMP PAT from inside:10.10.140.30/6300 to outside:1.1.3.3/6300 flags

10.10.140.30:49741, idle 0:00:00,
10.10.140.30:6300, idle 0:00:00, bytes
Cisco Public
90
Remove PAT
Remove PAT and route configs for now
Later in spanned, you will again add new PAT config
ASA
Master
CSR2
config terminal
config terminal
no ip route 1.1.3.0 255.255.255.0 1.1.2.2 200 track 1
no ip route 1.1.3.0 255.255.255.0 1.1.2.3 200 track 2
no nat (inside,outside) dynamic pat -pool pat-ips
exit
write memory
LT RSEC-2740
Task 3*
Cisco Public
91
Task 4
CCL
Task 4: L2 Cluster in Routed
IP 1.1.1.1
Interna
l
Preview
CSR1
One path
Switch now load-balances under one IP path

Review CSR and ASA OSPF config
ASA1 and ASA2 in L2/Spanned cluster,

continue to maintain state in Routed Firewall
CSR2
ASA2
Tests

Measure convergence
Bring Up downed ASA
Verify one IP route on CSR1 to outside

Verify one IP route on CSR2 to inside
Cisco Public
One hop
Ensure dead-intervals match (should be 3sec)
External
ASA1
Switch to L2 or spanned interface mode by

moving ASA port-channel to ports assigned for
spanned mode and applying Task 4 CLI.
LT RSEC-2740
IP 1.1.2.1
92
Task 4
ASA Spanned / Routed Cluster Diagram

Master
1.1.2.0/24
1.1.1.0/24
Master
Inside
VLAN 7
G0/0
VLAN 15
gig1
gig2
Inside
host
G0/1
ASA1
10.10.140.0/24
.30
ASA cluster nodes share

the same IP for inside
and outside VLANs.
Outside
VLAN 8
.1
.200
172.16.2.0/24
VLAN 4
G0/3
.1
Po4.7
.1
gig1
gig2
.200
.200
Po4.8
.1
Outside
host
Internal
G0/3
.2
CSR1
CSR2
mgmt_pool
172.16.1.2-172.16.1.10
G0/0
G0/1
ASA2
Slave
CCL
VLAN 25
IP pool needed only for

management interface
LT RSEC-2740
2.2.2.0/24
Cisco Public
93
.44
External
Disable clustering feature on both units
CLI
Task 4
And prep ASAs to change mode to Spanned cluster

ASA2
ASA1
! Disable clustring on ASA1 unit
! Disable clustring on ASA2 unit
changeto system
changeto system
config terminal
config terminal
cluster group fw
cluster group fw
no enable
no enable
! Cluster disable is performing cleanup..done.
! Cluster disable is performing cleanup..done.
!All data interfaces have been shutdown due to clustering being disabled.
To recover either enable clustering or remove cluster group configuration.
!All data interfaces have been shutdown due to clustering being

disabled. To recover either enable clustering or remove cluster group
configuration.
Cluster unit asa1 transitioned from MASTER to DISABLED

Cluster unit asa2 transitioned from SLAVE to DISABLED
ClusterDisabled/a/asa1(cfg-cluster)#
ClusterDisabled/a/asa2(cfg -cluster)#
LT RSEC-2740
Cisco Public
94
Clear then re-apply L2 cluster configs
CLI
Task 4
Review changes needed to move

ASA2
ASA1
! Execute CLI to convert to L2 or Spanned interface mode
! Clear ASA2 unit and convert it to L2 Spanned interface mode
changeto system
changeto system
config term
config terminal
clear config all
clear config all
cluster interface-mode spanned force
cluster interface-mode spanned force
!WARNING: Cluster interface -mode is changed to 'spanned' without(snip)
!Bring up interface for CCL

interface GigabitEthernet0/3
no shut
copy /noconfirm milan/task4 -system.cfg running-config

!MUST confirm Y for YES, remove these commands and wait to finish sync
!Wait 1 min for ASA1 unit to become Master
cluster group fw
!Cluster unit asa1 transitioned from DISABLED to MASTER
Execute ASA2 CLI after

ASA1 loads config and
becomes Master
local-unit asa2
cluster-interface GigabitEthernet0/3 ip 2.2.2.2 255.255.255.0
priority 20
console-replicate
health-check holdtime 3
clacp system-mac auto system-priority 1
enable
!Wait for ASA2 to detect master, finish sync, and become a Slave unit
LT RSEC-2740
Cisco Public
95
Review cluster state and port-channel
Verify
ASA1
Master
ASA1
Master
!master/a/asa1#
!master/a/asa1#
changeto system
show cluster info
cluster exec show port-channel summary
Cluster fw: On
Interface mode: spanned
This is "asa1" in state MASTER
ID
: 0
Version
: 9.3(2)
Serial No.: FCH16097J8X
CCL IP
: 2.2.2.1
CCL MAC
: c464.1339.1841
Last join : 18:43:37 UTC Jan 14 2015
Last leave: N/A
Other members in the cluster:
Unit "asa2" in state SLAVE
ID
: 1
Version
: 9.3(2)
Serial No.: FCH16097J78
CCL IP
: 2.2.2.2
CCL MAC
: c464.1339.1481
Last join : 19:17:36 UTC Jan 14 2015
Last leave: N/A
master/a/asa1(config)#
LT RSEC-2740
Task 4
asa1(LOCAL):**********************************************************
Group
Port-channel
Protocol
Span-cluster
Ports
------+-------------+---------+------------+--------------2
Po2(U)
LACP
Yes
Gi0/0(P)
Gi0/1(P)
asa2:*****************************************************************
Group
Port-channel
Protocol
Span-cluster
Ports
------+-------------+---------+------------+--------------2
Po2(U)
LACP
Yes
Gi0/0(P)
!master/a/asa1#
!Notice that Non-Stop Forwarding is enabled for ASA now
show run router
Cisco Public
96
Gi0/1(P)
Verify one IP path through cluster from CSRs
Verify CSR Routes
Where are my OSPF routes? Hmmm.

Do my dead-intervals match?
CSR1
CSR2
CSR1#
Task 4
Are your routes missing? Make sure to

sync up Masters OSPF dead-interval to
what you setup on CSRs in the Task 2.
CSR2#
sh ip route
sh ip route

O*E2
O*E2
O
C
L

C
O
C
L
O
CSR2#

C

O
CSR1#
LT RSEC-2740
Cisco Public
97

Task 4
For each Test, observe and record packets lost for UDP and PING, and manually
Inside-host
(IP 10.10.140.30)
Still sending packets
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
Type one char and wait
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44
Measure connection convergence of each test: 1A, 1B, 2, and 3.

LT RSEC-2740
Cisco Public
98
Task 4
Resiliency Tests: 1A, 1B, 2, and 3

ASA1
UP
G0/0
Down
or
ASA2
UP
G0/0
ASA1
ASA1
Down
UP
G0/1
or
ASA2
UP
Down
G0/1
Down
CCL


Po4
Inside
Host
Outside
Host
CSR1
CSR2
Po4
G0/3
ASA1
UP
Test 2: Simulate
ASA crash w ith
CCL
ASA2

LT RSEC-2740
Cisco Public
99
Down
or
ASA2
UP

G0/3
Down
Test 1A
Protocol
Task 1A
Lost
Pkts/Secs
Remove one of two data ports in ASA Port-Channel

Open IE/Firefox
inside RDP
ping
UDP iPerf
ssh
Disable ASA
G0/0 port
LT RSEC-2740
Task 4
Cisco Public
100
Test 1B
Protocol
Task 1B
Lost
Pkts/Secs
Remove the 2 nd data port in ASA Port-Channel
Task 4
Observe and record how many packets were lost

and how quickly on SSH session recovered
Open IE/Firefox
inside RDP
ping
UDP iPerf
ssh
Disable ASA
G0/1 port
LT RSEC-2740
Cisco Public
101
Recover ASA unit

Open IE/Firefox
inside RDP
no shut both ASA data ports on down ASA
Task 4
Re-enable cluster CLI to allow ASA to re-join
Up the ASA
G0/1 port
Up the ASA
G0/0 port
Down ASA
changeto system
config terminal

cluster group fw
enable
!Wait for ASA2 to detect master, finish sync, and become
a Slave unit
LT RSEC-2740
Cisco Public
102
Crash connection owner ASA
Test 2
Protocol
Task 4
Removing owner ASA from cluster
Task 2
Lost
Pkts/Secs
Owner ASA
ping

write memory all
UDP iPerf
ssh
cluster group fw
enable
a Slave unit
Crash owner
ASA w/ CLI
LT RSEC-2740
Cisco Public
103
Test 3
Protocol
Take out owner ASA unit from the cluster
Task 4
Task 3
Lost
Pkts/Secs
Owner ASA
ping
!You can do test 3 in two ways

!In the CLI, you can simply disable clustering
UDP iPerf
cluster group fw
ssh
no enable
!Or you can down the CCL for owner ASA via web page
!As shown below in the home web page
Down CCL on
owner ASA
LT RSEC-2740
Cisco Public
104
Recover down ASA
No Shut ASA CCL on Switch with IE
Task 4
Enable cluster on ASA cli, to rejoin master
Down ASA
Bring UP CCL on
owner ASA
!Enable cluster on disabled Slave
!ClusterDisabled/a/asa1/admin(config)#
changeto context sys
!ClusterDisabled/a/asa1(config)#
cluster group fw
Enable
(snip)
End configuration replication from Master.

Cluster unit asa1 transitioned from DISABLED to SLAVE
Watch CSR consoles for

route convergence logs
LT RSEC-2740
Cisco Public
105
Task 4*
CCL
IP 1.1.1.1
IP 1.1.2.1
(optional)
Interna
l
Preview
External
ASA1
CSR1
One path
This is a bonus task that involves adding back

PAT configuration to ASA master.
One Hop
Aw ay
CSR2
ASA2

interface of ASA L2 cluster with OSPF.
Tests
Add equal cost routes for new PAT network

on CSR2.
Disable ASA that owns connections
Verify route on CSR2 for PAT pool network
Verify xlates for open connections
LT RSEC-2740
Cisco Public
106
CLI
Add address translation cli
Due to PAT for inside subnet,

inbound conns now need static
NAT. You can test with ssh from
inside to outside linux.
Task 4*
Open connection inside to outside
ASA1
CSR2 needs a static route

to ASA cluster PAT subnet to
redistribute into OSPF
CSR2
! If you skipped Task 3*, you will need pat -ips object
ip route 1.1.3.0 255.255.255.0 1.1.2.1
sh ip route
range 1.1.3.2 1.1.3.3
(snip)
subnet 10.10.140.0 255.255.255.0
1.1.3.0/24 [1/0] via 1.1.2.1
InsideHost

! Enable logging on master (this enables it on the slave too)
logging on
user@inside-lnx:~$ ssh -l user 172.16.2.44
! Re-open your SSH connection to expose the translation info
! Notice NAT syslog now denying connection outside to inside
user@inside-lnx:~$
! Therefore, we need to SSH from inside to outside host
NOTE: because we are

translating inside subnet,
we need to test ssh from
inside to outside
%ASA-7-609001: Built local -host outside:172.16.2.44

%ASA-7-609001: Built local -host inside:10.10.140.30
%ASA-5-305013: Asymmetric NAT rules matched for forward and
reverse flows; Connection for tcp src outside:172.16.2.44/34770
dst inside:10.10.140.30/22 denied due to NAT reverse path
failure
LT RSEC-2740
Cisco Public
107
Task 4*

Outside-host
(IP 172.16.2.44)
./server.iperf
Inside-host
(IP 10.10.140.30)
./client.iperf
Outside-host
(IP 172.16.2.44)
without a static NAT
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44
Ssh user@172.16.2.44

LT RSEC-2740
Cisco Public
108
Verify xlate(s) through cluster and OSPF route on CSR1
Verify
ASA1
CSR1
!CSR1#
sh ip route
cluster exec show xlate

asa1(LOCAL):**********************************************************
TCP PAT from inside:10.10.140.30/50511 to outside:1.1.3.3/50511 flags ri

idle 0:00:27 timeout 0:00: 30
O*E2
asa2:*****************************************************************
C
L
O
O E2
TCP PAT from inside:10.10.140.30/50511 to outside:1.1.3.3/50511 flags ri

idle 0:25:46 timeout 0:00:30
master/a/asa1/admin(config)# cluster exec show conn
asa1(LOCAL):**********************************************************
C
L

bytes 0, flags y
O
O
CSR1#
10.10.140.30:50511, idle 0:07:45,
asa2:*****************************************************************
bytes 4102, flags UxIO
10.10.140.30:50511, idle 0:07:45,
LT RSEC-2740
Task 4*
Cisco Public
109

Remove PAT
Remove PAT and route configs for now
Later in spanned, you will add PAT config
ASA
Master
CSR2
config terminal
config terminal
no ip route 1.1.3.0 255.255.255.0 1.1.2.1

no nat (inside,outside) dynamic pat -pool pat-ips
write memory
LT RSEC-2740
Task 4*
Cisco Public
110
Task 5
CCL
Task 5: L2 Cluster in Transp

IP 1.1.1.200/16
IP 1.1.2.200/16
Interna
l
Preview
External
ASA1
CSR1
One Subnet
Change to Transparent mode in admin

context, this clear ASA configuration
Directly
Connected
CSR2
ASA2
Rebuild context configuration by applying

Task 5 CLI to ASAs and CSRs.
Tests
Change CSR IP addresses to /16 subnet, to

allow peering OSPF through ASA
Down ASA that owns most connections
Change OSPF configs on CSRs
Verify OSPF route on CSR1 to outside
Measure convergence
Verify OSPF route on CSR2 to inside
LT RSEC-2740
Cisco Public
111
ASA Spanned / Transparent Cluster Diagram
CSRs directly connected

over 1.1.0.0/16 subnet
through L2 firewall
Master
1.1.0.0/16
1.1.0.0/16
Master
Inside
VLAN 7
G0/0
VLAN 15
Inside
host
VLAN 4
gig1
.1.200
.1
172.16.2.0/24
0/3
.1
gig1
gig2
.30
Outside
VLAN 8
G0/1
ASA1
10.10.140.0/24
gig2
.2.200
.200
Po4.8
BVI1
Po4.7
BVI1
CSR1
0/3
.2
mgmt_pool
G0/0
G0/1
ASA2
Slave
2.2.2.0/24
CCL
VLAN 25
LT RSEC-2740
Cisco Public
112
.44
Outside
host
Internal
172.16.1.2-172.16.1.10
Task 5
CSR2
Inside and Outside interfaces

Bridged by ASA cluster
External
Change context to Transparent FW mode
CLI
Task 5
Verify mac-addresses of CSRs

ASA1
ASA1
!Install a transparent firewall context config for current admin context
!master/a/asa1/admin(config -if)#
config terminal
sh mac-address-table
changeto system
interface
bridge-group
context admin
.
Cryptochecksum (unchanged): dcf70f21 bc4b86f6 c570e03f 2093dcd6
INFO: Context admin was created with URL disk0:/task5-admin.cfg
INFO: Admin context will take some time to come up .... please wait.
type
Age(min)
Cisco Public
inside
0050.56bf.34b8
dynamic
inside
0016.9cd3.b780
dynamic
outside
0050.56bf.dbc2
dynamic
master/a/asa1/admin(config -if)#
master/a/asa1(config -ctx)#
address
----------------------------------------------------------------------------------
config-url disk0:/task5-admin.cfg
LT RSEC-2740
mac
113
Change CSRs to directly connected routers
CLI
CSR1
CSR2
!Change CSR subnet to /16 so they can peer through ASA cluster
!Change CSR subnet to /16 so they can peer through ASA cluster
config terminal
ip address 1.1.2.200 255.255.0.0
config terminal
ip address 1.1.1.200 255.255.0.0
router ospf 1
no network 1.1.2.0 0.0.0.255 area 0
network 1.1.0.0 0.0.255.255 area 0
router ospf 1
no network 1.1.1.0 0.0.0.255 area 0
network 1.1.0.0 0.0.255.255 area 0
! Verify routes on CSRs, once they can ping each other and peer directly
! Verify routes on CSRs, once they can ping each other and peer directly
show ip route ospf
show ip route ospf
O*E2
O
O
CSR1#
O*E2

LT RSEC-2740
Task 5
Cisco Public
O
O
CSR2#
114

Show OSPF connections through ASA cluster
Verify
ASA1
Master
asa1(LOCAL):**********************************************************
asa2:*****************************************************************
OSPF outside 224.0.0.5 inside 1.1.1.200, idle 0:00:00, bytes 181176, flags
OSPF outside 1.1.2.200 inside 224.0.0.5, idle 0:00:00, bytes 179984, flags
LT RSEC-2740
Cisco Public
115
Task 5
Task 5
Setup Test Connections Again

Inside-host
(IP 10.10.140.30)
Restart if needed
./client.iperf
Outside-host
(IP 172.16.2.44)
./server.iperf
Outside-host
(IP 172.16.2.44)
Restart ssh session
ssh -l user 10.10.140.30
Inside-host
(IP 10.10.140.30)
ping still working?
Ping 172.16.2.44

LT RSEC-2740
Cisco Public
116
Find Owner ASA
Shut down ASA data port on the Switch with IE
ASA1
asa1(LOCAL):**********************************************************
OSPF outside 224.0.0.5 inside
1.1.1.200, idle 0:00:00, bytes 363712, flags

TCP outside

UDP outside
10.10.140.30:2841, idle 0:00:00, bytes 160272, flags
172.16.2.44:55501 inside
10.10.140.30:22, idle 0:02:05, bytes 0, flags
10.10.140.30:2841, idle 0:00:00, bytes 159712, flags
224.0.0.5, idle 0:00:00, bytes 364400, flags
172.16.2.44:5001 inside
10.10.140.30:36188, idle 0:00:02, bytes 0, flags y
asa2:*****************************************************************
UDP outside
1.1.1.200, idle 0:00:10, bytes 264, flags
172.16.2.44:5001 inside
10.10.140.30:36188, idle 0:00:00, bytes 1440600, flags -
ICMP outside 172.16.2.44:0 NP Identity Ifc

OSPF outside 1.1.2.200 NP Identity Ifc
TCP outside
172.16.2.44:55501 inside
10.10.140.30:2841, idle 0:00:00, bytes 0, flags z
224.0.0.5, idle 0:00:00, bytes 0, flags z

ICMP inside 10.10.140.30:2841 NP Identity Ifc
OSPF inside 1.1.1.200 NP Identity Ifc
172.16.2.44:0, idle 0:00:00, bytes 0, flags z
224.0.0.5, idle 0:00:00, bytes 0, flags z
LT RSEC-2740
Task 5
Cisco Public
117
Task 5
Resiliency Tests: 1B, 2, and 3

ASA1
UP
G0/0
Down
or
ASA2
UP
G0/0
ASA1
ASA1
Down
UP
G0/1
or
ASA2
UP
Down
G0/1
Down
CCL


Po4
Inside
Host
Outside
Host
CSR1
CSR2
Po4
G0/3
ASA1
UP
Test 2: Simulate
ASA crash w ith
CCL
ASA2

LT RSEC-2740
Cisco Public
118
Down
or
ASA2
UP

G0/3
Down
Test 1B
Protocol
Task 1B
Lost
Pkts/Secs
Remove both data ports in ASA Port-Channel
Task 5

Open IE/Firefox
inside RDP
ping
UDP iPerf
ssh
Disable ASA
G0/0 port
LT RSEC-2740
Disable ASA
G0/1 port
Cisco Public
119
Recover ASA unit
no shut both ASA data ports on down ASA
Task 5
Re-enable cluster CLI to allow ASA to re-join

Up the ASA
G0/1 port
Up the ASA
G0/0 port
Down ASA
changeto system
config terminal

cluster group fw
enable

a Slave unit
LT RSEC-2740
Cisco Public
120
Crash connection owner ASA
Test 2
Protocol
Task 5
Task 2
Lost
Pkts/Secs
Owner ASA
ping

changeto system
UDP iPerf
write memory all
ssh

a Slave unit
Crash owner
ASA w/ CLI
LT RSEC-2740
Cisco Public
121
Test 3
Protocol
Take out owner ASA unit from the cluster
Task 5
Task 3
Lost
Pkts/Secs
Owner ASA
ping
!You can do test 3 in two ways

!In the CLI, you can simply disable clustering
UDP iPerf
changeto system
ssh
cluster group fw
no enable
!Or you can down the CCL for owner ASA via web page
!As shown below in the home web page
Down CCL on
owner ASA
LT RSEC-2740
Cisco Public
122
Recover down ASA
No Shut ASA CCL on Switch with IE
Task 5
Enable cluster on ASA cli, to rejoin master

Down ASA
Bring UP CCL on
owner ASA
!Enable cluster on disabled Slave

!ClusterDisabled/a/asa1/admin(config)#
changeto context system
!ClusterDisabled/a/asa1(config)#
cluster group fw
enable
(snip)
End configuration replication from Master.
Cluster unit asa1 transitioned from DISABLED to SLAVE
Watch CSR consoles for

route convergence logs
LT RSEC-2740
Cisco Public
123
Task 5*
CCL

(optional)
IP 1.1.1.200/16
IP 1.1.2.200/16
Interna
l
Preview
External
ASA1
CSR1
One Subnet
This is a bonus task to add PAT configuration

in transparent firewall mode on ASA master.
Directly
Connected
CSR2
ASA2

interface inside admin context.
Tests
Remove older route for PAT network on

CSR2, it is not needed as PAT and CSR
interfaces are now in same network

Verify xlates
LT RSEC-2740
Cisco Public
124
Introduce PAT
CLI
Task 5*
Remove route on CSR2

CSR2
ASA1
! If you skipped Task 3*, you will need pat -ips and inside-network objects
!CSR2#
show ip route
range 1.1.3.2 1.1.3.3

subnet 10.10.140.0 255.255.255.0
O*E2

C


! You may need to clear existing conns to create an xlate
clear local
CSR2#
LT RSEC-2740
Cisco Public
125
Task 5*

Outside-host
(IP 172.16.2.44)
./server.iperf
Inside-host
(IP 10.10.140.30)
./client.iperf
Outside-host
(IP 172.16.2.44)
without a static NAT, so
SSH from inside
to outside
Inside-host
(IP 10.10.140.30)
ping 172.16.2.44
ssh user@172.16.2.44

LT RSEC-2740
Cisco Public
126
Re-open test connections
Verify
Task 5*
Verify conn and xlates are created

ASA1
ASA1
cluster exec show xlate
asa1(LOCAL):**********************************************************
asa1(LOCAL):**********************************************************
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

bytes 4166, flags UIO
10.10.140.30:50519, idle 0:00:06,
s - static, T - twice, N - net-to-net
asa2:*****************************************************************

asa2:*****************************************************************

flags
1.1.1.200, idle 0:00:00, bytes 158544,
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
1.1.1.200, idle 0:00:54, bytes 132, flags

flags
224.0.0.5, idle 0:00:00, bytes 159000,

s - static, T - twice, N - net-to-net

bytes 0, flags y
10.10.140.30:50519, idle 0:00:06,
LT RSEC-2740
Cisco Public
127
CONGRATULATIONS.
on completing the LTRSEC-2740 lab
128
Call to Action
Visit the World of Solutions for
Cisco Campus Visit Network and Content Security Booths
Technical Solution Clinics
Meet the Engineer ASA experts from our team will be available to meet you
Lunch time Table Topics
DevNet zone related labs and sessions
Recommended Reading: for reading material and further resources for this
session, please visit www.pearson-books.com/CLMilan2015
LT RSEC-2740
Cisco Public
129
Complete Your Online Session Evaluation

Please complete your online session
evaluations after each session.
Complete 4 session evaluations
& the Overall Conference Evaluation
(available from Thursday)
to receive your Cisco Live T-shirt.
All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
LT RSEC-2740
Cisco Public
130
Additional Slides
ASA Cluster to Routers

Data Plane Individual Mode
Single Attach
IP 1.1.2.1
Interface Layer 3 mode

Dedicated IP/MAC addresses per ASA Interface
ECMP from both sides of ASA (outside and inside)
Improve convergence by tuning timers
Dual Attach
IP 1.1.1.1
vPC
IP 1.1.2.2
IP 1.1.2.1
Po 200
IP 1.1.2.2
IP 1.1.1.1
IP 1.1.1.2
IP 1.1.1.2
Po 201
IP 1.1.1.3
Po 202
Po 203
IP 1.1.2.4
Po 101
IP 1.1.2.3
IP 1.1.1.3
IP 1.1.2.3
Po 102
IP 1.1.2.4
IP 1.1.1.4
Po 103
IP 1.1.1.4
Outside
Outside
Inside
CCL
LT RSEC-2740
Po 100
Inside
CCL
Cisco Public
132
vPC
ASA Cluster to Switch

Data Plane Spanned Mode
Interface Layer 2 mode

One IP per Ether-channel interface shared by the cluster
A port ID on each ASA joins the a spanned port-channel
vPC extends the channel across two switches
Data Plane MUST use cLACP
cLACP
ASA Po 10
cLACP
ASA Po 10
LACP
vPC 100
Po 100
Classic Switch
N7K/vPC
Cat/VSS
CCL
LT RSEC-2740
CCL
Cisco Public
133
134

Instructions Cisco

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Instructions Cisco

Uploaded by

Copyright:

Available Formats

ASA Clustering Deployment and

Goran Saradzic and Per Hagen

ASA Clustering Lab (3.5hrs)

Lab POD Access

Tasks divide into Router and Switch-based mechanisms

ASA clustering options

Equal Cost Multipath (ECMP)

ASA Designs in Lab

Review, deploy, verify

Stand-alone ASAs via OSPF

2015 Cisco and/or its affiliates. All rights reserved.

L2 /Spanned Mode Cluster in Routed (OSPF to Master )

Achieving the Best Uptime for Your Applications

2015 Cisco and/or its affiliates. All rights reserved.

Realizing True Values of ASA Firewall Clustering

2015 Cisco and/or its affiliates. All rights reserved.

Firew all Modes and Features

2015 Cisco and/or its affiliates. All rights reserved.

Using Class Name,

2015 Cisco and/or its affiliates. All rights reserved.

2015 Cisco and/or its affiliates. All rights reserved.

Access your POD

2015 Cisco and/or its affiliates. All rights reserved.

Lab Portal Diagram

ASA, Host, and CSR

If needed, you can

2015 Cisco and/or its affiliates. All rights reserved.

Lab Access Credentials

2015 Cisco and/or its affiliates. All rights reserved.

Login to All Devices via SuperPutty Shortcut

Inside Jumpbox, doubleclick on SuperPutty and

2015 Cisco and/or its affiliates. All rights reserved.

If any session times out,

Auto-arranged & Auto-login terminals in SuperPutty

2015 Cisco and/or its affiliates. All rights reserved.

Before You Start, Reset Your Switch

Open browser on jumpbox PC to Home Page preset to:

On this home page are links to bring down/up ASA ports

2015 Cisco and/or its affiliates. All rights reserved.

One IP Path over Ether-Channel Port Bundle

2015 Cisco and/or its affiliates. All rights reserved.

Task Workflow Example

Preview section shows an overview of

Deploy CLI to change into new design

Tests section gives order of setup

Review ASA and CSR configurations

Open ping/ssh/UDP connections

Verify new topology with show outputs

Find which ASA owns connection

Proceed to test the new design

Down a path that owns test connections

Check for connection state recovery

2015 Cisco and/or its affiliates. All rights reserved.

Asymmetric Traffic Flow without state sharing

iPerf UDP connections

2015 Cisco and/or its affiliates. All rights reserved.

Ping and SSH will fail

ASA Clustering Modes

Spanned Etherchannel Mode

Each ASA has unique IP address

Cluster Control Link

Cluster Control Link

2015 Cisco and/or its affiliates. All rights reserved.