ASA Cluster - Cisco Support Community [PDF]


Cisco Support Community

Expert Series Webcast (live): Conheça mais sobre ASA Cluster (Learn more about ASA Cluster)
Henrique Reis, Cisco Advanced Services, Apr 20, 2016

Henrique Reis works at Cisco as a network consultant on the Advanced Services team, in the Security practice for Latin America. Before that he was a High Touch Engineer (HTE) supporting financial-sector customers such as banks (Itaú) and the stock exchange (BVMF), and he was a Cisco Academy instructor for CCNA and CCNP. He holds Cisco certifications including CCIE Routing & Switching #22233, CCIE Security (written), SourceFire training, CCNP Routing and Switching, CCNA Routing and Switching, CCDA (Cisco Certified Design Associate), CCIE Security (in progress) and CCAI (Cisco Certified Academy Instructor), among others.

Thank you for joining us today! During the presentation some questions will be put to the audience. Send your answers and take part!

If you would like a copy of the presentation slides, go to: https://supportforums.cisco.com/pt/document/12731976

Send your question now! Use the questions and answers (Q&A) panel to submit your questions; the experts will answer them in real time.

Polling Question 1

What is the first version that supports ASA Cluster?
a) 8.0
b) 5.0
c) 7.0
d) 9.0


Agenda
• Clustering – Introduction
• Clustering – Operation
• Clustering – Operating modes
• Flow types
• Connection examples
• Clustering – ASA functions
• Configuring clustering via CLI
• Configuring clustering via ASDM
• Troubleshooting/Debugging
• Q/A

Introduction
• Clustering is a way of connecting multiple ASA firewalls so that they form a single logical firewall, transparently to users, offering greater scalability.

Introduction (continued)
• New data centers require firewall and security solutions with more than 40 Gbps of throughput.
• The clustering solution can scale to 640 Gbps of aggregate traffic.
• A cluster can contain up to 16 ASA units.
• One unit is designated the master and the others are called slaves.
• All ASA firewalls in the cluster have a dedicated interface (link) between them known as the Cluster Control Link (CCL).
• Keepalive, control-plane (CP) and data-plane (DP) messages are sent over this link.

Introduction (continued)
• Scale factor: when several ASAs are combined in a cluster, the approximate performance gain is
  • 70% of the combined throughput
  • 60% of the combined maximum connections
  • 50% of the combined connections per second
• For example, the throughput of an ASA 5585-X with SSP-40 reaches 10 Gbps standalone. With a cluster of 8 ASAs the combined throughput reaches 70% of 80 Gbps (8 ASAs x 10 Gbps), that is, 56 Gbps.

Introduction (continued)
• Clustering is supported on the following models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X and 5580.
• The minimum version for clustering is 9.0.
• The cluster units do not need to have the same licenses. Usually the license is bought only for the master and the other units share it. If the units carry different licenses, they are combined up to the platform limit, that is, the hardware capacity.
• Note: each unit must still have its own cluster license, the same encryption license and the 10 GE I/O license.
• All units in the cluster must have the same hardware.
• A proprietary protocol is used for control and load distribution inside the cluster.

Requirements for cluster operation
Activating an ASA cluster requires the following:
• Fiber connectivity for the CCL (Cluster Control Link);
• CCL latency below 10 ms (RTT);
• Links without any kind of degradation, such as packet loss, out-of-order packets or delay due to congestion;
• The CCL must be sized to account for traffic asymmetry; asymmetry should be minimized by the devices external to the ASA;
• The same firewall hardware for all cluster members;
• CCL MTU raised from 1500 to 1600;
• Spanning-tree PortFast on the switch ports used for the CCL.

Operation
• The ASA cluster itself does not load-balance packets and flows.
• External mechanisms are assumed to be in place to balance packets and flows across the cluster members.

Operation (continued)
• Clustering differs from the traditional Active/Active model.
• All units in the cluster have the same configuration.
• All units can actively pass traffic. In case of a failure, connectivity is maintained because each connection's state is shared with at least one other backup unit in the cluster.
• Each flow is replicated to a different unit in the cluster in case of failure.

ASA Clustering – Roles
• Master and slaves
• The master is determined by:
  1. The first ASA added to the cluster
  2. The highest configured priority (1 to 100; 1 is the highest)
  3. Hostname and, last, serial number
• Note: if an ASA joins the cluster after a master has already been elected, there is no new election, even if the new unit has a higher priority.
• There is no preemption.
• The master handles all centralized functions and management.
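The election order and the no-preemption rule above, as an added illustration in Python (not Cisco code and not the ASA's implementation): the unit names, priorities and serial numbers are constructed for the example.

```python
from typing import List, Optional


class Unit:
    """One cluster member as seen by the election: priority 1..100
    (1 is the highest), with hostname and serial number as tie-breakers."""

    def __init__(self, hostname: str, priority: int, serial: str):
        if not 1 <= priority <= 100:
            raise ValueError("cluster priority must be between 1 and 100")
        self.hostname, self.priority, self.serial = hostname, priority, serial

    def rank(self):
        # Lower priority number wins, then hostname, then serial number.
        return (self.priority, self.hostname, self.serial)


class Cluster:
    def __init__(self):
        self.master: Optional[Unit] = None
        self.members: List[Unit] = []

    def boot(self, candidates: List[Unit]) -> Unit:
        """Units that come up together on the CCL hold an election and the
        best-ranked candidate becomes master.  If a master already exists
        (rule 1: the first unit added), no election takes place."""
        if self.master is None:
            self.master = min(candidates, key=Unit.rank)
        self.members.extend(candidates)
        return self.master

    def join(self, unit: Unit) -> Unit:
        """A unit joining later never preempts the sitting master, even
        with a better priority; it simply becomes a slave."""
        return self.boot([unit])

    def master_failed(self) -> Optional[Unit]:
        """Losing the master is what triggers a fresh election among the
        remaining members (constructed behaviour for the example)."""
        self.members = [u for u in self.members if u is not self.master]
        self.master = min(self.members, key=Unit.rank) if self.members else None
        return self.master
```

Note that a tie on priority is broken by hostname before serial, so two units both set to priority 1 are ordered by name, exactly the case the slide's third rule covers.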

ASA Clustering – Interface types
• CDL (Cluster Data Link): spanned EtherChannel, carries data-plane traffic
• CCL (Cluster Control Link): local EtherChannel, carries both control and data traffic
• Control traffic:
  • Master election
  • Configuration replication
  • Status monitoring
• Data traffic:
  • Connection state table replication
  • Traffic forwarded between units

ASA Clustering – State transitions
(State diagram from the slide:)
• Boot: look for a master on the Cluster Control Link
• Election: wait 45 seconds before assuming the master role
• Master already exists: become slave
• Slave: configuration and bulk sync, then ready to pass traffic; the master admits one unit at a time
• Sync or health failure (slave) or health failure (master): Disabled
• On-call master

ASA/master# show cluster history
==========================================================================
From State                 To State                   Reason
==========================================================================
15:36:33 UTC Nov 3 2014    DISABLED    DISABLED    Disabled at startup
15:37:10 UTC Nov 3 2014    DISABLED    ELECTION    Enabled from CLI
15:37:55 UTC Nov 3 2014    ELECTION    MASTER      Enabled from CLI
==========================================================================

ASA/master# show cluster info
Cluster sjfw: On
    Interface mode: spanned
    This is "A" in state MASTER
        ID        : 0
        Version   : 9.2(1)
        Serial No.: ART1434AERL
        CCL IP    : 1.1.1.1
        CCL MAC   : 5475.d029.8856
        Last join : 15:37:55 UTC Nov 3 2014
        Last leave: N/A

Transparent vs Routed mode
(Figure: in both designs the Nexus pair presents an HSRP VIP on SVI 1002 towards the ASA cluster. Transparent mode: the cluster bridges the inside interface on VLAN 1001 to the outside interface on VLAN 1002 (VLAN translation), with VLAN 1001 continuing on the inside. Routed mode: the cluster terminates L3 sub-interfaces, inside using VLAN tag 1001 with IP1 and outside using VLAN tag 1002 with IP2.)

Operating modes – Interfaces
• Cluster interfaces can be configured in:
  • Layer-2 mode
  • Layer-3 mode
• Layer-2 mode:
  • The ASA interfaces are grouped into an EtherChannel.
  • EtherChannel: aggregation of the physical interfaces into a logical port-channel using Link Aggregation Control Protocol (LACP).
  • A switch can use the EtherChannel to balance traffic across the ASAs; all units share one virtual IP and MAC address, logically becoming a single gateway.
• Layer-3 mode:
  • Each interface has its own IP address and its own MAC address.
  • A router can use PBR (Policy Based Routing) or ECMP (Equal Cost MultiPath routing) to balance traffic across the ASAs.

ASA Cluster in Spanned mode
• In an ASA cluster operating in "spanned" mode, the interfaces are grouped into an EtherChannel using LACP.
• The interfaces inside that EtherChannel share one IP address and one virtual MAC address defined for the whole cluster, working as a single logical interface.
• The connected layer-3 device uses ECLB (equal-cost load balancing) to distribute flows across the ASAs.
• Each interface also has its own private MAC address, used by LACP when auto-negotiation is enabled.
• For other requests, such as ARP, each cluster unit uses the virtual MAC.

ASA Cluster in Individual mode
• In an ASA cluster operating in "individual" mode, the interfaces of each ASA have their own IP address and MAC address.
• The upstream router uses PBR or ECMP to balance flows across the individual units in the cluster.
• Dynamic routing protocols can be used.
• In "individual" interface mode each cluster unit computes and runs the routing protocol on its own, and routes are learned by each unit independently.

ASA Cluster in Spanned Transparent mode
• With the firewall in transparent mode it does not take part in routing and acts only as a layer-2 switch.
• It uses a bridge-group that links the ingress and egress interfaces.
• In transparent mode the ASA receives traffic with an ingress VLAN ID and rewrites it with the egress VLAN ID.
• With the ASA in transparent mode, the only cluster option supported at the time of writing is Spanned.

Polling Question 2

What are the two operating modes of the ASA Cluster? (choose two)
a) Spanned
b) Active
c) Standby
d) Individual
e) Stand-alone

Connections – Flows
• The state (destination IP, source IP, ports, protocol) of each connection is kept by the connection's 'owner'.
• If a packet of an already established connection arrives at a cluster member that is not the owner, it is forwarded to the owner over the Cluster Control Link (CCL).
• The first cluster member that receives a TCP/UDP connection (non-inspection) is designated the owner.
• The state table is backed up on another ASA known as the 'director'.
• A single director is selected by a hash for each connection.
• Any member can query the director to find the owner of a connection.

TCP connection setup across the cluster (figure sequence on slides 29–35, consolidated):
• The client's SYN arrives at one unit, which becomes the Owner and forwards the SYN to the server.
• 1: State update from the Owner to the Director. This replication also serves as the failover message that provides redundancy should the owner fail, so there is connection setup overhead even when traffic is symmetric.
• The Director is selected per connection using a consistent hashing algorithm.
• The server's SYN/ACK arrives at a different unit, the Forwarder.
• 2: Owner query from the Forwarder to the Director. 3: Owner location returned by the Director.
• 4: The Forwarder sends the SYN/ACK over the CCL to the Owner. After step 4, all remaining packets are forwarded directly to the owner.
• Optimizations exist in the implementation to eliminate steps 2 and 3 when appropriate.

Owner failure (figure sequence on slides 36–42, consolidated):
• While the Owner is up, packet N from the client and packet M from the server are both handled by the Owner; Node X and Node Y are other cluster units.
• When the Owner fails, the next packets land elsewhere: packet N+1 arrives at Node X and packet M+1 at Node Y.
• 1: Node X sends an owner query to the Director. 2: Node Y sends an owner query to the Director.
• 3: The Director, which holds the backup state, tells Node X "You are owner now". 4: It tells Node Y "Owner is Node X".
• Node Y becomes a forwarder and sends packet M+1 over the CCL to Node X, which now owns the connection and processes packets N+1 and M+1.

UDP connection build-up (ASA cluster, figure on the slide):
1. The client attempts a new UDP (or another pseudo-stateful) connection; the packet arrives at one unit on the inside.
2. That unit queries the Director.
3. Not found.
4. The unit becomes the Flow Owner and delivers the packet to the server.
5. The Owner updates the Director.
6. The server responds through another unit.
7. That unit queries the Director.
8. The Director returns the Owner.
9. The unit redirects the packet to the Owner and becomes a Flow Forwarder.
10. The Owner delivers the response to the client.
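The owner/director/forwarder exchange from the slides above (TCP setup with an asymmetric reply, owner failure, and the UDP build-up), as one added Python illustration written for this page. It is not Cisco's implementation: the unit names, the 5-tuples and the SHA-256 hash ring standing in for the ASA's director hash are all assumptions.

```python
import hashlib
from bisect import bisect_left
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]     # src, dst, sport, dport, proto


def _h(data: str) -> int:
    return int(hashlib.sha256(data.encode()).hexdigest(), 16)


def canonical(ft: FiveTuple) -> Tuple:
    """Both directions of a connection map to the same lookup key."""
    src, dst, sport, dport, proto = ft
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


class Cluster:
    def __init__(self, units: List[str], points: int = 16):
        self.units = set(units)
        # Consistent-hash ring with 'points' positions per unit, so losing a
        # unit only remaps the keys that hashed to that unit (assumed model).
        self.ring: List[Tuple[int, str]] = sorted(
            (_h(f"{u}#{i}"), u) for u in units for i in range(points))
        self.owned: Dict[str, set] = {u: set() for u in units}     # keys owned here
        self.backup: Dict[str, Dict] = {u: {} for u in units}      # director table
        self.fwd_cache: Dict[str, Dict] = {u: {} for u in units}   # learned owners
        self.ccl: List[str] = []                                   # CCL messages

    def director_for(self, key: Tuple) -> str:
        i = bisect_left([p for p, _ in self.ring], _h(repr(key)))
        for j in range(len(self.ring)):              # first live unit on the ring
            _, u = self.ring[(i + j) % len(self.ring)]
            if u in self.units:
                return u
        raise RuntimeError("no live units")

    def _other(self, unit: str) -> str:
        return sorted(self.units - {unit})[0]

    def fail(self, unit: str) -> None:
        """Owner state on the failed unit is lost; the directors keep their
        backups (copies the unit held as director are lost with it)."""
        self.units.discard(unit)
        for tbl in (self.owned, self.backup, self.fwd_cache):
            tbl.pop(unit)

    def receive(self, unit: str, ft: FiveTuple, syn: bool = False) -> str:
        """Role the receiving unit takes for this packet, as on the slides:
        owner, forwarder (packet sent over the CCL), or drop."""
        key = canonical(ft)
        if key in self.owned[unit]:
            return "owner"
        cached = self.fwd_cache[unit].get(key)
        if cached in self.units:                     # steps 2/3 already done
            self.ccl.append(f"{unit}->{cached} forward")
            return f"forwarder->{cached}"
        director = self.director_for(key)
        if director != unit:
            self.ccl.append(f"{unit}->{director} owner query")   # step 2
        entry = self.backup[director].get(key)
        owner_alive = entry is not None and entry["owner"] in self.units
        if not owner_alive:
            if ft[4] == "tcp" and not syn and entry is None:
                return "drop"            # non-SYN TCP with no owner anywhere
            # Not found (new flow, UDP/pseudo-stateful) or owner lost: the
            # querying unit becomes owner ("You are owner now") and its
            # state is replicated to the director (step 1).
            self.owned[unit].add(key)
            self.backup[director][key] = {"owner": unit}
            dest = director
            if director == unit:                     # owner is its own director:
                dest = self._other(unit)             # keep the copy elsewhere too
                self.backup[dest][key] = {"owner": unit}
            self.ccl.append(f"{unit}->{dest} state update")
            return "owner(new)" if entry is None else "owner(takeover)"
        owner = entry["owner"]                       # step 3: "Owner is Node X"
        self.fwd_cache[unit][key] = owner
        self.ccl.append(f"{unit}->{owner} forward")  # step 4, then direct
        return f"forwarder->{owner}"
```

The ccl list is the point to watch when sizing the CCL: every asymmetric packet of a flow costs a forward over that link, and every new flow costs a state update, which is why the deck asks for CCL bandwidth proportional to the data traffic.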

CCL sizing
• The CCL bandwidth should be at least 50% of the bandwidth used by data traffic.
• Example: if the customer carries 20 Gbps of data traffic, the CCL should have at least 10 Gbps.
• Reason: the load-balancing algorithm used by the switches can make connections asymmetric, so traffic may reach a member other than the connection's owner. The cluster corrects this by sending the packet to the owner, and that forwarding travels over the CCL.

Sizing – ASA functions
• The functions supported on the ASA are divided into centralized and distributed.
• All packets for centralized functions are processed by the master.
• Centralized functions:
  • Filtering services
  • Inspect (DCERPC, ESMTP, IGMP, NetBIOS, PPTP, RADIUS, RSH, SNMP, SUNRPC, TFTP, XDMCP)*
  • IGMP
  • PIM
  • L2 dynamic routing
  • L3 multicast data traffic
  • VPN: L3/IKEv1 and L3/IKEv2
  • VPN management access
• * Currently not all inspection protocols are supported.

Sizing – ASA functions (cont.)
• Distributed functions:
  • DNS
  • NAT
  • TCP intercept, others

Unsupported functions
• The following functions are not supported when operating in clustering and cannot be configured:
  • Auto Update Server
  • Failover
  • Inspect CTIQBE
  • Inspect WCCP
  • Inspect SIP
  • Inspect RTSP
  • Inspect WAAS
  • Inspect MGCP
  • Inspect MMP
  • Inspect Skinny
  • Inspect H323, H225
  • Inspect RAS
  • Inspect GTP
  • UC/IME/Phone Proxy
  • TLS Proxy
  • BTF (Botnet Traffic Filter)
  • DHCP client, server, relay
  • NAC
  • VPN Remote Access
  • VPN Load Balancing

New centralized connection (ASA cluster, figure on the slide):
1. The client attempts a new connection; the SYN arrives at a non-master unit (the redirecter).
2. That unit recognizes a centralized feature, redirects the packet to the master (forwarding flow) and becomes a Forwarder.
3. The master creates the flow, becomes the Owner and delivers the packet to the server.
4. The master sends a state update to the Director.
On the reverse path, if the packet hits a non-master unit, a query is sent to the Director and a forwarding flow to the master unit is created thereafter.

Additional functions – NAT
• Static NAT and PAT work without any change.
• Static NAT entries are created by configuration and maintained by the master; they are created with the static command inside an object configuration.
• Dynamic NAT is created and maintained by the master and replicated to the other cluster members.
• When a new connection that needs NAT is received by a cluster member, that unit requests the translation from the master.

Additional functions – NAT
• Special NAT considerations:
  • When the cluster is in individual mode, a proxy-ARP reply is never sent.
  • This does not happen in spanned mode, where there is only one IP address.
  • Interface PAT cannot be used when the cluster operates in individual mode.

Additional functions – Health check
• The cluster health check has two parts:
  1. Unit health check
    • Relies on keepalive messages exchanged between the units to monitor the status of the active cluster members.
    • The hold-time value sets how long without keepalives a member is considered to have left the cluster.
  2. Interface health check
    • Watches link-state changes on the interfaces to monitor whether the interfaces of a cluster member are up or down.

Additional functions – Interface health check
• The interface health check verifies the status of the interfaces used for data, for example physical interfaces, port-channels or sub-interfaces.
• When an interface of a member goes down, it checks with the other members of the cluster whether the same interface is up there.
• If it finds the same interface up elsewhere, it removes itself from the cluster.
• A member that left the cluster because of the interface health check tries to rejoin the cluster after 5 minutes.
• If the interface is still failed (down), the unit removes itself from the cluster again and now waits 10 minutes before the next rejoin attempt.
• If after those 10 minutes the interface is still failed, the ASA waits 20 minutes before trying to rejoin again.
• If after the 20-minute period the link is still down, clustering is disabled on that unit and can only be re-enabled manually from the cluster configuration.
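The unit health check and the 5/10/20-minute rejoin schedule described above, as an added Python illustration (not ASA code); the unit names and timestamps are constructed.

```python
from typing import Optional

REJOIN_MINUTES = (5, 10, 20)    # wait before the 1st, 2nd and 3rd rejoin attempt


class Member:
    """Health-check state of one cluster unit: keepalive hold time for the
    unit check, and the interface-check removal/rejoin schedule."""

    def __init__(self, name: str, holdtime_s: float = 3.0):
        self.name = name
        self.holdtime = holdtime_s              # 'health-check holdtime 3'
        self.last_keepalive: Optional[float] = None
        self.in_cluster = True
        self.disabled = False                   # only a manual 'enable' clears this
        self.failures = 0                       # consecutive interface-check removals
        self.rejoin_at: Optional[float] = None

    # --- 1. unit health check ---------------------------------------------
    def keepalive(self, now: float) -> None:
        self.last_keepalive = now

    def peer_sees_alive(self, now: float) -> bool:
        """Peers declare the unit gone once holdtime passes with no keepalive."""
        alive = (self.last_keepalive is not None
                 and now - self.last_keepalive <= self.holdtime)
        if not alive:
            self.in_cluster = False
        return alive

    # --- 2. interface health check ----------------------------------------
    def interface_check(self, now: float, my_link_up: bool, peer_link_up: bool) -> str:
        """A data interface that is down here but up on another member
        removes this unit.  Returns what happens next."""
        if self.disabled:
            return "disabled"
        if not self.in_cluster:
            return "waiting"            # already removed, rejoin timer running
        if my_link_up or not peer_link_up:
            return "ok"                 # down everywhere is not this unit's fault
        self.in_cluster = False
        if self.failures >= len(REJOIN_MINUTES):
            self.disabled = True        # still down after the 20-minute wait
            self.rejoin_at = None
            return "disab" "led"
        wait = REJOIN_MINUTES[self.failures]
        self.failures += 1
        self.rejoin_at = now + wait * 60
        return f"rejoin in {wait} min"

    def try_rejoin(self, now: float, my_link_up: bool, peer_link_up: bool = True) -> str:
        """At the scheduled time the unit rejoins and the interface check
        runs again: a link that is still down removes it with the next,
        longer wait; a link that is up resets the failure count."""
        if self.disabled:
            return "disabled"
        if self.rejoin_at is None or now < self.rejoin_at:
            return "waiting"
        self.in_cluster, self.rejoin_at = True, None
        result = self.interface_check(now, my_link_up, peer_link_up)
        if result == "ok":
            self.failures = 0
        return result

    def enable(self) -> None:
        """Manual 'enable' under 'cluster group' after the unit was disabled."""
        self.disabled, self.failures, self.rejoin_at, self.in_cluster = False, 0, None, True
```

The practical consequence for operations: a unit that flaps three times on one data port silently drops out of the cluster for good, so a transition to DISABLED in show cluster history on a unit that is otherwise healthy is usually this schedule running out.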

Additional functions (cont.)
• Dynamic routing
  • In spanned mode, routing runs only on the master.
  • The master replicates the routes to the other units in the cluster.
  • In individual mode, each cluster member runs the routing protocol separately.
• Database synchronization
  • All cluster members synchronize their databases when:
    • an owner/director is removed
    • a new member is added to the cluster
  • ARP, routing information, configuration, etc. are synchronized.

Additional functions (cont.)
• VPN
  • Site-to-site VPN (L2L) is centralized on the master.
  • If the master changes, the VPN sessions will have to be re-established.
  • In individual mode, the IP address the sessions use to build the VPN is the one defined as the master's IP in the address pool the other units will use:
    ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt

Polling Question 3

How many members can the ASA Cluster solution have?
a) 9
b) 8
c) 13
d) 16

Configuration – ASA Cluster in Spanned Transparent mode
(Topology figure: a Nexus 7000 pair in vPC/vPC+, the Cluster Control Link and the Cluster Data Link port-channels, and the ASA cluster.)

Staging phase – per ASA firewall (use the console port for this phase)

Configure the ASA firewall to operate in transparent mode:
  ASA-1(config)# firewall transparent

Check the license for cluster mode:
  ASA-1# sh activation-key | grep Cluster
  Cluster : Disabled perpetual

Generate a license key for cluster mode and activate it:
  ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7

Check that the license is correctly installed:
  ASA-1# sh activation-key | grep Cluster
  Cluster : Enabled perpetual

Configure the cluster interface mode with the 'spanned' parameter:
  ASA-1(config)# cluster interface-mode spanned

Configure the Cluster Control Link (CCL) as a port-channel:
  interface TenGigabitEthernet0/8
   channel-group 40 mode active
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/9
   channel-group 40 mode active
   no nameif
   no security-level
  !
  interface Port-channel40
   description Clustering Interface

Configure the cluster group (allocate one unique IP on Po40 per ASA: ASA-1 99.99.99.1, ASA-2 99.99.99.2):
  cluster group ASA-CLUSTER
   key <shared-secret>
   local-unit ASA-1
   cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
   priority 1
   console-replicate
   health-check holdtime 3
   clacp system-mac auto system-priority 1
   enable

The slide shows the key command without its argument; it takes the shared secret that authenticates control messages between the units on the CCL. Connection-state updates and packets forwarded over the CCL are not protected by this key, so the CCL must be a dedicated, isolated link that never carries untrusted traffic. The 'enable' command at the end of the cluster configuration effectively starts cluster mode; use enable / no enable to start / stop cluster mode.

Configuration – centrally managed
Starting from this point, all ASAs are now part of the cluster and the configuration is centrally managed.

Configure the Cluster Data Link as a port-channel (Te0/6 connects to 7K1, Te0/7 to 7K2):
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface Port-channel32
   port-channel load-balance vlan-src-dst-ip-port
   port-channel span-cluster vss-load-balance
   no nameif
   no security-level
  !

Cluster Link Aggregation Control Protocol (cLACP) extends standard LACP to multiple devices so that it can support spanned-cluster EtherChannels/port-channels in an ASA clustering deployment.

Configure the inside and outside interfaces (port-channel sub-interfaces) in the same bridge-group:
  interface Port-channel32.1001
   mac-address 0001.0001.0001
   vlan 1001
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel32.1002
   mac-address 0002.0002.0002
   vlan 1002
   nameif outside
   bridge-group 1
   security-level 0
  !

Configure the BVI interface for the bridge-group above:
  interface BVI1
   ip address 10.101.10.200 255.255.255.0

Best practice: in cluster mode it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to keep the port-channel MAC stable in the cluster.

Management0/0 and SSH access (use the console port for this phase)

Configure an IP local pool for the management ports; each ASA in the cluster is allocated one address from the pool 'mgmt':
  ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254

Configure the Management0/0 port (172.26.246.252 is the virtual IP address for the ASA cluster):
  interface Management0/0
   management-only
   nameif management
   security-level 0
   ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt

Define the default gateway for the Management0/0 port:
  ASA-1(config)# route management 0.0.0.0 0.0.0.0 172.26.246.1 1

Allow SSH access from a specific subnet (the slide omits the source subnet and mask, which precede the interface name):
  ssh <source-subnet> <mask> management
  ssh timeout 5

Filtering rule – enable all traffic
Apply the following filtering rules to enable all traffic on the outside and inside interfaces:
  access-list inbound extended permit ip any any
  access-list outbound extended permit ip any any
  access-group outbound in interface inside
  access-group inbound in interface outside
Note: these filtering rules apply only for the purpose of this presentation. In a production environment, configure filtering rules as needed.

Configuration – ASA Cluster in Spanned Routed mode
(Same topology: a Nexus 7000 pair in vPC/vPC+, the Cluster Control Link, the Cluster Data Link and the ASA cluster.)

Staging phase – per ASA firewall (use the console port for this phase)

Configure the ASA firewall to operate in routed mode:
  ASA-1(config)# no firewall transparent

Check the license for cluster mode, generate and activate the cluster license key and verify it, exactly as in the Spanned Transparent section:
  ASA-1# sh activation-key | grep Cluster
  Cluster : Disabled perpetual
  ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7
  ASA-1# sh activation-key | grep Cluster
  Cluster : Enabled perpetual

Configure the cluster interface mode with the 'spanned' parameter:
  ASA-1(config)# cluster interface-mode spanned

Configure the Cluster Control Link (CCL) port-channel (Te0/8 and Te0/9 in channel-group 40, Port-channel40 "Clustering Interface") and the cluster group (ASA-CLUSTER on Port-channel40, priority 1, console-replicate, health-check holdtime 3, clacp system-mac auto system-priority 1) as shown in the Spanned Transparent section, allocating one unique CCL IP per ASA: ASA-1 99.99.99.1, ASA-2 99.99.99.2. The 'enable' command at the end of the cluster configuration effectively starts cluster mode; use enable / no enable to start / stop cluster mode.

Configuration – centrally managed
Starting from this point, all ASAs are now part of the cluster and the configuration is centrally managed.

Configure the Cluster Data Link as a port-channel (Te0/6 connects to 7K1, Te0/7 to 7K2):
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface Port-channel32
   port-channel load-balance vlan-src-dst-ip-port
   port-channel span-cluster vss-load-balance
   no nameif
   no security-level
   no ip address
  !

Cluster Link Aggregation Control Protocol (cLACP) extends standard LACP to multiple devices so that it can support spanned-cluster EtherChannels/port-channels in an ASA clustering deployment.
Note: as the configuration is centrally managed, the commands above apply to all ASAs in the cluster. That is why it is essential to use the same port numbers for the cluster data links on every unit.

Configure the inside and outside interfaces (port-channel sub-interfaces) with their IP addresses:
  interface Port-channel32.1001
   mac-address 0001.0001.0001
   vlan 1001
   nameif inside
   security-level 100
   ip address 25.1.1.254 255.255.255.0
  !
  interface Port-channel32.1002
   mac-address 0002.0002.0002
   vlan 1002
   nameif outside
   security-level 0
   ip address 10.101.10.10 255.255.255.0
  !

Servers located on VLAN 1001 use 25.1.1.254 as their default gateway.
Best practice: in cluster mode it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to keep the port-channel MAC stable in the cluster.

Configure the default static route pointing to the HSRP VIP on the Nexus 7000 (used for south-to-north traffic, from the ASA to the Nexus 7000):
  route outside 0.0.0.0 0.0.0.0 10.101.10.254 1

Note: configuration on the Nexus 7000:
  interface Vlan1002
   ip address 10.101.10.1/24
   hsrp version 2
   hsrp 1002
    ip 10.101.10.254

Management0/0 and SSH access (use the console port for this phase)

Configure an IP local pool for the management ports; each ASA in the cluster is allocated one address from the pool 'mgmt':
  ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254

Configure the Management0/0 port (172.26.246.252 is the virtual IP address for the ASA cluster):
  interface Management0/0
   management-only
   nameif management
   security-level 0
   ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt

Define a static route with the associated next hop for the Management0/0 port:
  ASA-1(config)# route management 10.21.70.1 255.255.255.0 172.26.246.1 1

Allow SSH access from a specific subnet (the slide omits the source subnet and mask, which precede the interface name):
  ssh <source-subnet> <mask> management
  ssh timeout 5

Filtering rule – enable all traffic
Apply the following filtering rules to enable all traffic on the outside and inside interfaces:
  access-list inbound extended permit ip any any
  access-list outbound extended permit ip any any
  access-group outbound in interface inside
  access-group inbound in interface outside
Note: these filtering rules apply only for the purpose of this presentation. In a production environment, configure filtering rules as needed.

Configuração - ASA Cluster em modo Individual

ASA Configuration

Use console Clustering Configuration – Per ASA FW port for this phase



Configure cluster interface-mode with ‘individual’ parameter:

ASA-1(config)# cluster interface-mode individual •

Configure Cluster Control Link (CCL) as port-channel:

interface TenGigabitEthernet0/8 channel-group 40 mode active no nameif no security-level ! interface TenGigabitEthernet0/9 channel-group 40 mode active no nameif • Generate License key for cluster mode and activate it: no security-level ! interface Port-channel40 description Clustering Interface

ASA Configuration

Clustering Configuration – Per ASA FW (use the console port for this phase)

Configure cluster group:

cluster group ASA-CLUSTER
 key
 local-unit ASA-1
 cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
 priority 1
 console-replicate
 health-check holdtime 3
 clacp system-mac auto system-priority 1
 enable

Note: allocate one unique IP address on Po40 per ASA FW device.

IP address for CCL:
ASA-1  99.99.99.1
ASA-2  99.99.99.2

ASA Configuration

Clustering Configuration – Centrally Managed

Starting from this point, all ASAs are part of the cluster and the configuration is centrally managed.

Configure the Cluster Data Link as a port-channel:

ip local pool inside 10.10.10.6-10.10.10.9
ip local pool outside 209.165.201.2-209.165.201.5
!
interface TenGigabitEthernet0/6
 nameif inside
 ip address 10.10.10.5 255.255.255.0 cluster-pool inside
 security-level 100
!
interface TenGigabitEthernet0/7
 nameif outside
 ip address 209.165.201.1 255.255.255.224 cluster-pool outside
 security-level 0
!
interface Port-channel32
 port-channel load-balance vlan-src-dst-ip-port
 port-channel span-cluster vss-load-balance
 no nameif
 no security-level
 no ip address
!
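An added example (not code from the webcast) that renders the per-unit 'cluster group' block from the CCL subnet and cluster-pool values on these slides and checks, before any unit joins, that every cluster-pool has at least one address per unit. The join-order priority rule and the key placeholder are assumptions.

```python
"""Render per-unit 'cluster group' configuration from one plan and check the plan
before any unit joins. Added example; plan values mirror the slides, layout is assumed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ClusterPlan:
    name: str
    units: list                                 # local-unit names in join order
    ccl_subnet: str                             # subnet used on the Cluster Control Link
    ccl_portchannel: int                        # Port-channel number used as the CCL
    pools: dict = field(default_factory=dict)   # cluster-pool name -> "first-last"

def pool_size(rng):
    """Addresses in an 'ip local pool' range written as 'a.b.c.d-a.b.c.e'."""
    first, last = (ipaddress.ip_address(x.strip()) for x in rng.split("-"))
    return int(last) - int(first) + 1

def ccl_ip(plan, unit):
    """Unique CCL address per unit: first usable host plus the unit's index (assumption)."""
    net = ipaddress.ip_network(plan.ccl_subnet)
    return net.network_address + 1 + plan.units.index(unit), str(net.netmask)

def check_plan(plan):
    """Problems that would keep a unit from joining or from taking traffic."""
    problems = []
    if len(set(plan.units)) != len(plan.units):
        problems.append("duplicate local-unit names")
    net = ipaddress.ip_network(plan.ccl_subnet)
    if len(plan.units) > net.num_addresses - 2:
        problems.append(f"CCL subnet {plan.ccl_subnet} cannot hold {len(plan.units)} units")
    for name, rng in plan.pools.items():        # each unit takes exactly one pool address
        n = pool_size(rng)
        if n < len(plan.units):
            problems.append(f"pool {name}: {n} addresses for {len(plan.units)} units")
    return problems

def render_cluster_group(plan, unit):
    ip, mask = ccl_ip(plan, unit)
    return "\n".join([
        f"cluster group {plan.name}",
        " key <shared-secret>",                  # placeholder; never keep the real key in a plan
        f" local-unit {unit}",
        f" cluster-interface Port-channel{plan.ccl_portchannel} ip {ip} {mask}",
        f" priority {plan.units.index(unit) + 1}",   # assumption: join order sets priority
        " console-replicate", " health-check holdtime 3",
        " clacp system-mac auto system-priority 1", " enable"])

PLAN = ClusterPlan("ASA-CLUSTER", ["ASA-1", "ASA-2"], "99.99.99.0/24", 40,
                   {"mgmt": "172.26.246.253-172.26.246.254", "inside": "10.10.10.6-10.10.10.9",
                    "outside": "209.165.201.2-209.165.201.5"})
```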

Configure Cluster via ASDM (cont)


Polling Question 4

When a member ASA leaves the cluster because of a failure on one of its data interfaces, what are the wait times before that same ASA tries to rejoin the cluster?

a) 5, 10, 20 seconds
b) 3, 6, 12 minutes
c) 5, 10, 20 minutes
d) 10, 20, 30 seconds

Monitoring and Troubleshooting commands
• cluster exec – executes non-configuration commands on all members
• show cluster interface-mode – verifies the current interface mode
• show cluster history – helps to understand state transitions and failure reasons
• show cluster cpu – checks CPU utilization across the cluster
• show cluster info – shows the status
• show cluster info health – monitors aggregated unit health data
• show cluster info trace – shows cluster state machine debug data for Cisco TAC
• show conn – displays the number of active TCP and UDP connections

Connection Table and Roles
The connection table can display:
• UIO – Owner flow
• c – cluster centralized flow
• Y – Director stub flow
• y – Backup stub flow
• z – Forwarder stub flow

Troubleshooting/Debugging
• Viewing connections in a cluster (TCP example)

Deductions:
• ASA 3 is the owner of the connection (flags UIO)
• ASA 2 is the backup/director flow for this connection (flags Y)
• ASA 1 is receiving traffic for this flow on both inside and outside interfaces

Troubleshooting/Debugging (cont)
• Viewing connections on individual ASAs (ASA 1, ASA 2, ASA 3)

Troubleshooting/Debugging (cont) • Check status of cluster members:

Troubleshooting/Debugging (cont)
• Dynamic routing show commands
  • show route cluster
• Health-check show command
• Execute a cluster-wide command
  • e.g. cluster exec show cpu (shows CPU usage on all units)
  • e.g. cluster exec unit A show cpu (shows CPU usage on unit A in the cluster)
• Change the prompt to reflect the cluster state
  • Use the 'state' option

Troubleshooting/Debugging (cont)
• show activation-key is modified to include combined license information

Troubleshooting/Debugging - cLACP
• Show cLACP System MAC
• Show cLACP System ID
• show port-channel summary
• show port-channel brief

Troubleshooting/Debugging - Crash
• Crash scenarios
• Slave unit crash
  • Crashinfo and Coredump can be saved locally (if enabled)
  • Can view crashinfo on the master unit after the slave unit reboots and re-joins the cluster
  • Console# cluster exec unit slave_A show crashinfo
• Master unit crash
  • Crashinfo and Coredump can be saved locally (if enabled)
  • If health-check is disabled, the cluster is destroyed
  • If health-check is enabled, a new master is elected
• Extra information appended to 'sh tech' and 'sh crashinfo'
  • show cluster info
  • show asp cluster counter

Troubleshooting/Debugging – Load balancing
• If one unit shows much higher CPU/memory usage than the other units, one possible reason is that the switch's port-channel load-balance configuration is inefficient.
• To check whether the port-channel load-balance is optimal, check the traffic rate statistics of the member ports on the switch.
• For Catalyst 6K, use the CLI 'clear counters interface' on all member ports of the port-channel on the switch, then let traffic flow through the cluster.
• After observing unbalanced resource usage among cluster units, check the traffic statistics of the port-channel member ports on the switch with 'show interface' on all member ports.
• Higher traffic statistics indicate greater traffic for that particular ASA.
• For Nexus 7K, the 'show port-channel traffic' CLI shows the Rx and Tx load percentage of each member port of a port-channel interface. The CLI 'clear counter interface port-channel ' clears the statistics.

Troubleshooting/Debugging – Debug CLI
• Clustering Debug CLI
• More Cluster Debug CLI

ciscoasa(config)# debug cluster ?

exec mode commands/options:
  <1-255>    Specify an optional dbg level (default is 1)
  ccp        cluster control protocol
  datapath   cluster datapath events
  fsm        cluster finite state machine
  general    cluster general events
  hc         cluster health check
  license    cluster license
  rpc        cluster RPC module
  transport  Cluster transport service

ciscoasa(config)# sh cluster info ?

exec mode commands/options:
  clients              Show version of register clients
  conn-distribution    Show connection distribution in cluster
  incompatible-config  Show commands that are incompatible with clustering in current running configuration
  loadbalance          Show load balancing information
  old-members          Show former members in cluster
  packet-distribution  Show packet distribution in cluster
  trace                Show clustering control module event trace
  transport            Show transport related statistics
  |                    Output modifiers

Clustering Syslogs
• Syslog messages contain three parts: PRI, HEADER and MSG
• Changes are made to the HEADER field (timestamp and device-id) in Clustering
• Each ASA can insert its local timestamp in the HEADER field. Time is synced periodically across the cluster
  • console# logging timestamp
• Each ASA can insert its unique local IP address as DEVICE ID in the HEADER field
  • console# logging device-id ipaddress
  • The ASA inserts the local IP address in layer-3 mode and the virtual system IP in layer-2 mode
• console# logging device-id (to use the cluster-id in the syslog header)

Clustering Syslogs - Cont
• Syslog over UDP
  • Recommended configuration. Each ASA sends syslog independently
• Syslog over TCP
  • Each ASA opens its own connection with the collector
  • Return traffic might arrive on a different ASA unit. It gets forwarded to the owner unit
• Syslog to ftp-server
  • Similar to Syslog over TCP
  • File name format: LOG--YYYY-MM-DDHHMMSS.TXT

Clustering Syslogs - Cont
• 747004
  • Error Message %ASA-6-747004: Clustering: state machine changed from state state-name to state-name.
  • Explanation: The cluster FSM has progressed to a new state.
• 747020
  • Error Message %ASA-4-747020: Clustering: New cluster member unit-name rejected due to encryption license mismatch.
  • Explanation: The master unit found that a new joining unit has an incompatible encryption license.
• 747021
  • Error Message %ASA-3-747021: Clustering: Master unit unit-name is quitting due to interface health check failure on interface-name.
  • Explanation: The master unit has disabled clustering because of an interface health check failure.
• 747022
  • Error Message %ASA-3-747022: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times, rejoin will be attempted after y min. Failed interface: interface-name.
  • Explanation: This syslog message occurs when the maximum number of rejoin attempts has not been exceeded. A slave unit has disabled clustering because of an interface health check failure for the specified amount of time. This unit will re-enable itself automatically after the specified amount of time (ms).
• 747030
  • Error Message %ASA-3-747030: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times (last failure on interface-name), Clustering must be manually enabled on the unit to re-join.
  • Explanation: An interface health check has failed and the maximum number of rejoin attempts has been exceeded. A slave unit has disabled clustering because of an interface health check failure.
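An added example, not part of the presentation, that parses the clustering syslogs listed above (with the HEADER produced by 'logging timestamp' and 'logging device-id ipaddress') into per-unit events and picks out the units that will not rejoin without operator action. The sample lines are constructed, and the state names in them are assumptions.

```python
"""Parse ASA clustering syslogs (747004/747020/747021/747022/747030) into per-unit
events so a monitoring job can flag units that will not rejoin. Added example."""
import re

TAG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")        # severity, message ID, MSG part
PATTERNS = {                                        # one regex per message ID, on the MSG part
    "747004": re.compile(r"state machine changed from state ([^\s.]+) to ([^\s.]+)"),
    "747020": re.compile(r"New cluster member (\S+) rejected due to encryption license mismatch"),
    "747021": re.compile(r"Master unit (\S+) is quitting due to interface health check failure on ([^\s.]+)"),
    "747022": re.compile(r"Asking slave unit (\S+) to quit because it failed interface health check "
                         r"(\d+) times, rejoin will be attempted after (\d+) min\. Failed interface: ([^\s.]+)"),
    "747030": re.compile(r"Asking slave unit (\S+) to quit because it failed interface health check "
                         r"(\d+) times \(last failure on ([^\s.)]+)\)"),
}

def parse_line(line):
    """Return an event dict, or None for lines that are not clustering events."""
    m = TAG.search(line)
    if not m or m.group(2) not in PATTERNS:
        return None
    g = PATTERNS[m.group(2)].search(m.group(3))
    if not g:
        return None
    header = line[:m.start()].strip(" :")           # timestamp and device-id when logging them is on
    ev = {"id": m.group(2), "severity": int(m.group(1)),
          "device": header.split()[-1] if header else None, "unit": None, "interface": None}
    if ev["id"] == "747004":
        ev.update(action="state-change", detail=f"{g.group(1)}->{g.group(2)}")
    elif ev["id"] == "747020":
        ev.update(action="rejected-license-mismatch", unit=g.group(1))
    elif ev["id"] == "747021":
        ev.update(action="master-quit", unit=g.group(1), interface=g.group(2))
    elif ev["id"] == "747022":                       # unit comes back by itself after y min
        ev.update(action="auto-rejoin", unit=g.group(1), failures=int(g.group(2)),
                  rejoin_min=int(g.group(3)), interface=g.group(4))
    else:                                            # 747030: rejoin attempts exhausted
        ev.update(action="manual-rejoin-required", unit=g.group(1),
                  failures=int(g.group(2)), interface=g.group(3))
    return ev

def units_needing_attention(lines):
    """Units that left the cluster and will not come back without operator action."""
    stuck = {"manual-rejoin-required", "master-quit", "rejected-license-mismatch"}
    events = [e for e in map(parse_line, lines) if e and e["action"] in stuck]
    return sorted({e["unit"] for e in events})

SAMPLE = [  # constructed lines; state names and addresses are made up for the example
    "Apr 20 2016 10:00:00 172.26.246.253 : %ASA-6-747004: Clustering: state machine changed from state MASTER_CONFIG to MASTER.",
    "Apr 20 2016 10:05:12 172.26.246.253 : %ASA-3-747022: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 1 times, rejoin will be attempted after 5 min. Failed interface: outside.",
    "Apr 20 2016 10:40:45 172.26.246.253 : %ASA-3-747030: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 3 times (last failure on outside), Clustering must be manually enabled on the unit to re-join.",
    "Apr 20 2016 10:41:00 172.26.246.253 : %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.10.10.20/51000 (209.165.201.1/51000)",
]
```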

Other 'cluster show' commands (cont)
• Display aggregated current and denied resource usage:
  • show cluster resource usage
• Display aggregated cluster-wide traffic statistics:
  • show cluster traffic
• Display aggregated statistics for user and user group identity:
  • show cluster user-identity user all list detail
  • show cluster user-identity statistics
  • show cluster user-identity user-group
  • show cluster user-identity user
• show cluster conn count

ASA Clustering – Capture
• cluster exec capture [variables….]
• Most common variables for the capture command are:
  • interface
  • match
  • access-list
  • buffer
• cluster exec capture ICMP interface INSIDE match icmp any any
• Obtaining the captures for further analysis:
  • Via CLI: copy /pcap capture:/ flash:/
  • Via HTTP: https:///capture//pcap
  • NOTE: This will only capture the pcap file from the Master unit
• Display captures already configured
  • cluster exec show capture
• Delete a capture
  • cluster exec no capture

© 2010 Cisco and/or its affiliates. All rights reserved.


Failover to ASA Cluster Migration
• On the ASA, break the failover between the ASAs by issuing the "no failover" command on both ASAs.
• Clear all configuration on the previously Primary and Secondary ASAs (make sure the configuration has been backed up).
• Set the interface mode on all the ASAs using the command "cluster interface-mode".
• Configure and enable clustering on the master ASA.
• Restore all configuration to the master ASA, except the failover configuration.
• Configure and enable clustering on the other slave ASAs.
• As the ASA failover migration to a cluster setup will interrupt the applications and traffic flow at that site, scheduling downtime for this activity is mandatory.

Reference Information
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/ha-cluster.html
• https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78721&tclass=popup
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1624536

Ask your questions now! Use the Q&A panel to submit your question and our experts will answer.

Cisco Support Community Webcast in Portuguese: XR with ASR9000
Wednesday, May 18, 2016
Fernando Gonçalves, Customer Support Engineer

Cisco Support Community Portuguese – Ask the Expert: CUBE – Configuration and Troubleshooting
Available until April 22, 2016
Eddwan Hallen da Silva, Customer Support Engineer

Cisco Support Community Portuguese – Ask the Expert: Media Gateway Control Protocol - MGCP
Available from May 9 to May 20, 2016
Moises Moza, Customer Support Engineer

Featured Participants Program
The community's "Featured Participants" recognition is given to members who show leadership and commitment as participants in each community. Categories: The Newcomer, Best Post, Audience Choice

How to participate? By posting content: documents, blogs, videos.

Contribute to our social media channels

Learn about upcoming events

Cisco has Support Communities in other languages! If you speak English, Spanish, Japanese, Russian or Chinese, we invite you to participate and contribute in those languages.

Spanish: https://supportforums.cisco.com/community/spanish
Portuguese: https://supportforums.cisco.com/community/portuguese
Japanese: https://supportforums.cisco.com/community/csc-japan
Russian: https://supportforums.cisco.com/community/russian
Chinese: http://www.csc-china.com.cn

Rate Our Content

Your ratings of documents, videos and blogs now give points to their authors! So when you contribute and receive ratings, you can earn points on your profile.

Encourage and recognize the people who generously share their time and experience.

Help us recognize quality content in the community and make your searches easier. Rate the content in the community.

Your opinion matters to us! To fill in the satisfaction survey, wait a moment and the survey will appear automatically when you close the session's browser window.

Thank you!
