ASA clustering consists of multiple ASAs acting as a single unit, see Figure 1. Spanned EtherChannel is the Cisco-recommended implementation, in which interfaces on multiple members of the cluster are grouped into a single EtherChannel; the EtherChannel performs load balancing between units. When units are combined into a cluster, performance is approximately 70% of the combined throughput, 60% of the maximum connections and 50% of the connections per second.

The EtherChannel method of load-balancing is recommended over other methods for the following benefits: individual interfaces rely on routing protocols to load-balance traffic, and routing protocols often have slow convergence during a link failure.

There is a primary unit (determined by the priority set between 1 and 100, where 1 is the highest priority) and one or multiple secondary units. All units in the cluster share a single configuration; changes can only be made on the primary unit and are then automatically synced to all other units in the cluster. One or more interfaces per chassis are grouped into an EtherChannel that spans all chassis in the cluster. The EtherChannel aggregates the traffic across all the available active interfaces in the channel. A Spanned EtherChannel can be configured in both routed and transparent firewall modes.

Each unit must dedicate at least one hardware interface as the cluster control link. Cluster control link traffic includes both control and data traffic: primary election, configuration replication, health monitoring, state replication, connection ownership queries and data packet forwarding. If possible, the cluster control link should be sized to match the expected throughput of each chassis so that the cluster control link can handle the worst-case scenarios.

Cisco recommends using an EtherChannel for the cluster control link, so that traffic can pass on multiple links in the EtherChannel while still achieving redundancy. A higher-bandwidth cluster control link helps the cluster converge faster when there are membership changes and prevents throughput bottlenecks. Figure 2 shows how to use an EtherChannel as a cluster control link in a Virtual Switching System (VSS) or Virtual Port Channel (vPC) environment. All links in the EtherChannel are active. When the switch is part of a VSS or vPC, you can connect ASA interfaces within the same EtherChannel to separate switches in the VSS or vPC. The switch interfaces are members of the same EtherChannel port-channel interface, because the separate switches act like a single switch. Note that this EtherChannel is device-local, not a Spanned EtherChannel.

To ensure cluster control link functionality, the round-trip time (RTT) between units needs to be less than 20 ms. This maximum latency enhances compatibility with cluster members installed at different geographical sites. To check latency, a ping on the cluster control link between units can be used. The cluster control link must be reliable, with no out-of-order or dropped packets.

The primary unit monitors every secondary unit by periodically sending keepalive messages over the cluster control link. Each secondary unit monitors the primary unit using the same mechanism. If the unit health check fails, the unit is removed from the cluster. When a unit in the cluster fails, the connections hosted by that unit are seamlessly transferred to other units; state information for traffic flows is shared over the cluster control link. If the primary unit fails, then another member of the cluster with the highest priority becomes the primary.

Every connection has one owner and at least one backup owner in the cluster. A failed ASA automatically tries to rejoin the cluster, depending on the failure event.
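The cluster mechanics described above, modelled as an added Python example (not Cisco code or an ASA API): primary election by priority number, keepalive health checks that remove a non-responding member, owner/backup-owner failover of its connections, the 20 ms RTT rule and the 70/60/50 percent capacity estimate. Unit names, connection ids and the keepalive reply format are constructed for the example.

```python
"""Toy model of the ASA clustering behaviour described above (added example, not Cisco code)."""
from dataclasses import dataclass

RTT_LIMIT_MS = 20.0  # cluster control link round-trip time must stay below this

@dataclass
class Unit:
    name: str
    priority: int       # 1..100, where 1 is the highest priority
    healthy: bool = True

@dataclass
class Connection:
    owner: str          # unit currently hosting the flow
    backup: str         # unit holding a copy of the flow state

def control_link_ok(rtt_ms: float) -> bool:
    """True if a measured RTT between two members meets the control link requirement."""
    return rtt_ms < RTT_LIMIT_MS

def cluster_capacity(n_units: int, throughput: float, max_conns: int, cps: int) -> dict:
    """Approximate capacity from identical per-unit figures (70/60/50 percent rule)."""
    return {"throughput": 0.7 * n_units * throughput,
            "max_conns": round(0.6 * n_units * max_conns),
            "cps": round(0.5 * n_units * cps)}

class Cluster:
    def __init__(self, units: list):
        self.units = {u.name: u for u in units}
        self.connections: dict = {}
        self.primary = self.elect_primary()
    def healthy(self) -> list:
        return [u.name for u in self.units.values() if u.healthy]
    def elect_primary(self) -> str:  # lowest priority number among healthy members wins
        return min(self.healthy(), key=lambda n: self.units[n].priority)
    def add_connection(self, conn_id: str, owner: str, backup: str) -> None:
        self.connections[conn_id] = Connection(owner, backup)
    def health_check(self, keepalive_replies: dict) -> list:
        """Remove every member that did not answer its keepalive; fail over its flows."""
        failed = [n for n, ok in keepalive_replies.items() if not ok]
        for name in failed:
            self.units[name].healthy = False
            for c in self.connections.values():
                if c.owner == name:                 # backup owner takes over the flow
                    c.owner = c.backup
                if c.backup in (name, c.owner):     # choose a new backup among survivors
                    c.backup = next((n for n in self.healthy() if n != c.owner), None)
            if self.primary == name:                # next-highest priority becomes primary
                self.primary = self.elect_primary()
        return failed
```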