Cisco Support Community
Expert Series Webcast: Learn more about ASA Cluster. Henrique Reis, Cisco Advanced Services, Apr 20, 2016
Live Expert Series Webcast: Learn more about ASA Cluster. Henrique Reis works at Cisco as a network consultant on the Advanced Services team, in the Security practice for Latin America. Previously, Henrique worked as a support engineer (HTE - High Touch Engineer) for customers in the financial sector, such as banks (Itaú) and the stock exchange (BVMF); he was also a Cisco Academy instructor for CCNA and CCNP. He holds the following Cisco certifications: Cisco Certified Internetwork Expert (CCIE R&S) #22233, CCIE Security – Written, SourceFire training, CCNP Routing and Switching, CCNA Routing and Switching, Cisco Certified Design Associate (CCDA), Cisco Certified Internetwork Expert (CCIE Security) in progress, CCAI (Cisco Certified Academy Instructor), among others.
Henrique Reis
Thank you for joining us today! During the presentation, a few questions will be put to the audience. Send in your answers and take part!
If you would like a copy of the presentation slides, go to: https://supportforums.cisco.com/pt/document/12731976
Send your question now! Use the questions and answers (Q&A) panel to submit your questions; the experts will answer them in real time.
Polling Question 1
What is the first version that supports ASA Cluster?
a) 8.0
b) 5.0
c) 7.0
d) 9.0
Agenda
• Clustering – Introduction
• Clustering – Operation
• Clustering – Operating modes
• Flow types
• Connection examples
• Clustering – ASA functions
• Configuring Clustering via CLI
• Configuring Clustering via ASDM
• Troubleshooting/Debugging
• Q/A
Introduction
• Clustering refers to a way of connecting multiple ASA firewalls to form a single logical firewall, in a way that is transparent to users and offers greater scalability.
Introduction (continued)
• New data centers require firewall and security solutions with more than 40 Gbps of throughput.
• The clustering solution can scale up to 640 Gbps of aggregate traffic.
• A cluster can contain up to 16 ASA units.
• One unit is designated as the master and the others are called slaves.
• All the ASA firewalls have a dedicated interface (link) between them known as the Cluster Control Link (CCL).
• Keepalive/CP/DP messages are sent over this link.
Introduction (continued)
• Scale factor: when several ASAs are combined in a cluster, the approximate performance gain is:
  • 70% of the combined throughput
  • 60% of the maximum number of connections
  • 50% of the number of connections per second
• For example, the throughput of the ASA 5585-X with SSP-40 reaches 10 Gbps when running standalone. With a cluster of 8 ASAs, the combined throughput reaches 70% of 80 Gbps (8 ASAs x 10 Gbps): 56 Gbps.
Introduction (continued)
• Clustering is supported on the following models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X and 5580.
• The minimum version for the cluster to work is 9.0.
• The cluster units do not need the same license. Usually the license is bought only for the master and the other units share it. If the cluster units have different licenses, they are combined up to the platform limit, that is, the hardware capacity.
• Note: each unit must still have an individual cluster license, the same encryption license and the 10 GE I/O license.
• All cluster units must have the same hardware.
• A proprietary protocol is used for control and load balancing within the cluster.
Requirements for cluster operation
To activate an ASA cluster, the following requirements must be met:
• Fiber connectivity for the CCL – Cluster Control Link;
• CCL link latency below 10 ms (RTT);
• Links without any kind of degradation, such as packet loss, out-of-order packets or delays caused by congestion;
• The CCL must be sized to account for traffic asymmetry. Asymmetry should be minimized by the devices external to the ASA;
• The same firewall hardware for all cluster members;
• The MTU on the CCL link raised from 1500 to 1600;
• Spanning-tree PortFast on the switch ports used for the CCL.
Operation
• The ASA cluster does not itself load-balance packets or flows.
• It is assumed that external mechanisms are in place to ensure that packets and traffic flows are balanced across the cluster members.
Operation (continued)
• Clustering is different from the traditional Active-Active model.
• All cluster units have the same configuration.
• All of them can actively pass traffic. In case of a failure, connectivity is maintained across the cluster because the connection state table is shared with at least one other backup unit in the cluster.
• Each flow is replicated to a different unit within the cluster, for failure cases.
Operation (continued) (diagram slide)
ASA Clustering – Functions
• Master and Slaves
• The Master is determined by:
  1. The first ASA added to the cluster
  2. The highest configured priority (between 1 and 100); 1 is the highest
  3. Hostname and, finally, serial number (S/N)
• Note: if an ASA joins the cluster after a master has already been elected, there is no new election, even if it has a higher priority.
• There is no preemption.
• The Master handles all centralized functions and management.
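The selection rules above (first unit added, then priority, hostname and serial number, and no preemption for late joiners) as an added Python model; this is example code written for this page, not Cisco's election logic. The class and hostnames are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the master-selection rules on this slide. It is an
# illustration written for this page, not Cisco's election code.


@dataclass(frozen=True)
class Asa:
    hostname: str
    serial: str
    priority: int = 100  # configurable 1..100; 1 is the highest priority

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 100:
            raise ValueError("cluster priority must be between 1 and 100")

    def election_key(self):
        # Election order: best priority (lowest number), then hostname, then serial number
        return (self.priority, self.hostname, self.serial)


@dataclass
class Cluster:
    members: List[Asa] = field(default_factory=list)
    master: Optional[Asa] = None

    def add(self, unit: Asa) -> Asa:
        """Add a unit to a running cluster. The first ASA added becomes master; a later
        joiner keeps the existing master even with a better priority (no preemption)."""
        self.members.append(unit)
        if self.master is None:
            self.master = unit
        return self.master

    def elect(self) -> Optional[Asa]:
        """Election among the current members: units that boot together, or the
        survivors after the master is lost while health-check is enabled."""
        self.master = min(self.members, key=Asa.election_key) if self.members else None
        return self.master

    def master_lost(self) -> Optional[Asa]:
        """The master failed: drop it and let the remaining members elect a new one."""
        self.members = [m for m in self.members if m != self.master]
        return self.elect()
```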
ASA Clustering – Interface types
• CDL (Spanned EtherChannel)
• CCL (Local EtherChannel)
• CDL – data plane traffic
• The CCL carries both data and control traffic
• Control traffic:
  • Master election
  • Configuration replication
  • Status monitoring
• Data traffic:
  • State table replication
  • Traffic forwarding between units
ASA Clustering – State Transition (diagram): Boot → look for a Master on the Cluster Control Link → Election (wait 45 seconds before assuming the Master role) → Master. If a Master already exists → Slave Config and Bulk Sync (the Master admits 1 unit at a time) → ready to pass traffic, as On-Call Master or Slave. A sync failure or health failure moves the unit to Disabled.

ASA/master# show cluster history
==========================================================================
From State                    To State                    Reason
==========================================================================
15:36:33 UTC Nov 3 2014
DISABLED                      DISABLED                    Disabled at startup
15:37:10 UTC Nov 3 2014
DISABLED                      ELECTION                    Enabled from CLI
15:37:55 UTC Nov 3 2014
ELECTION                      MASTER                      Enabled from CLI
==========================================================================
ASA/master# show cluster info
Cluster sjfw: On
    Interface mode: spanned
    This is "A" in state MASTER
        ID        : 0
        Version   : 9.2(1)
        Serial No.: ART1434AERL
        CCL IP    : 1.1.1.1
        CCL MAC   : 5475.d029.8856
        Last join : 15:37:55 UTC Nov 3 2014
        Last leave: N/A
Transparent vs Routed Mode (diagram): in transparent mode the ASA cluster sits between the inside interface on VLAN 1001 and the outside interface on VLAN 1002, doing VLAN translation, with the SVI 1002 HSRP VIP as the upstream gateway. In routed mode the inside interface is an L3 sub-interface using VLAN tag-id 1001 (IP1) and the outside interface is an L3 sub-interface using VLAN tag-id 1002 (IP2), again facing the SVI 1002 HSRP VIP.
Operating modes – Interfaces
• The cluster interfaces can be configured in:
  • Layer-2 mode
  • Layer-3 mode
• Layer-2 mode:
  • The ASA interfaces are grouped into an EtherChannel
  • EtherChannel – aggregation of physical interfaces to form a logical port-channel using the Link Aggregation Control Protocol (LACP)
  • A switch can use the EtherChannel to balance traffic across the ASAs; all units share a virtual IP and MAC address, logically becoming a single gateway
• Layer-3 mode:
  • Each interface has its own IP address and its own MAC address
  • A router can use PBR (Policy Based Routing) or ECMP (Equal Cost MultiPath routing) to balance traffic across the ASAs.
ASA Cluster in Spanned mode
• In an ASA cluster operating in "spanned" mode, the interfaces are grouped into an EtherChannel using the LACP protocol.
• The interfaces in that EtherChannel share one IP address and one virtual MAC address defined for the whole cluster, working as a single logical interface.
• The connected layer-3 device uses an ECLB mechanism (equal-cost load balancing) to balance flows across the ASAs.
• Each interface also has its own private MAC address, which LACP uses when auto-negotiation is enabled.
• For other requests, for example ARP, each cluster unit uses the virtual MAC.
ASA Cluster in Spanned mode (diagram slide)
ASA Cluster in Individual mode
• In an ASA cluster operating in "individual" mode, the interfaces of each ASA have their own IP address and MAC address.
• The upstream router uses PBR or ECMP to balance flows across the individual units in the cluster.
• Dynamic routing protocols can be used.
• In "individual" interface mode, each cluster unit runs the routing protocol on its own and the routes in the routing table are learned by each unit independently.
ASA Cluster in Individual mode (diagram slide)
ASA Cluster in Spanned Transparent mode
• With the firewall working in transparent mode, it does not take part in routing and acts only as a layer-2 switch.
• It uses a bridge-group that links the inbound and outbound interfaces.
• In transparent mode the ASA receives traffic with an inbound VLAN ID and rewrites that ID with the outbound VLAN.
• With the ASA in transparent mode, the only cluster option supported at the time of writing is Spanned.
Polling Question 2
What are the two operating modes of ASA Cluster? (choose two)
a) Spanned
b) Active
c) Standby
d) Individual
e) Stand-alone
Connections – Flows
• The state (destination IP, source IP, ports, protocol) of each connection is kept by the connection's 'owner'.
• If a packet of an already established connection arrives at a cluster member that is not the owner, it is forwarded over the Cluster Control Link (CCL).
• The first cluster member to receive a TCP/UDP (non-inspection) connection is designated as the owner.
• The state table is kept (backed up) on another ASA known as the 'director'.
• A single director is selected by a hash for each connection.
• Any member can query the director to find out the owner of a connection.
ASA Cluster – symmetric TCP connection (diagram sequence, slides 29–31): the client's SYN arrives at the Owner, which forwards it to the server and sends "1: State update" to the Director; the server's SYN/ACK returns through the same Owner.
• Connection setup overhead when traffic is symmetric: state replication from Owner to Director, which also serves as the failover message to provide redundancy should the owner fail.
• The Director is selected per connection using a consistent hashing algorithm.
ASA Cluster – asymmetric TCP connection (diagram sequence, slides 32–35): the client's SYN arrives at the Owner, which forwards it to the server and sends "1: State update" to the Director; the server's SYN/ACK arrives at a different unit, the Forwarder, which sends "2: Owner query" to the Director and receives "3: Owner location"; the Forwarder then sends the SYN/ACK to the Owner. After step 4, all remaining packets are forwarded directly to the owner.
• The Director is selected per connection using a consistent hashing algorithm.
• The Director also serves as backup should the owner fail.
• An optimization exists in the implementation to eliminate steps 2 and 3 when appropriate.
ASA Cluster – owner failure (diagram sequence, slides 36–42): the Owner of an established connection fails. Packet N+1 from the client arrives at Node X and Packet M+1 from the server arrives at Node Y. Node X sends "1: Owner query" and Node Y sends "2: Owner query" to the Director; the Director answers Node X with "3: You are owner now" and Node Y with "4: Owner is Node X". Node Y forwards Packet M+1 to Node X, which now owns the connection and passes Packet N+1 and Packet M+1 on.
UDP connection build-up (diagram sequence):
1. The client attempts a new UDP or another pseudo-stateful connection.
2. The receiving unit queries the Director.
3. Not found.
4. The unit becomes Owner and delivers the packet to the server.
5. The Owner updates the Director.
6. The server responds through another unit.
7. That unit queries the Director.
8. The Director returns the Owner.
9. The unit redirects to the Owner and becomes a Forwarder.
10. The Owner delivers the response to the client.
CCL sizing
• It is recommended that the CCL bandwidth be at least 50% of the bandwidth used by data traffic.
• Example: if the customer carries 20 Gbps of data traffic, the CCL should have at least 10 Gbps of bandwidth.
• Reason: the load-balancing algorithm used by the switches can make connections asymmetric. As a result, traffic may reach a member other than the connection's owner, and the CCL corrects this by sending the connection to the owner.
• This forwarding is carried over the CCL.
ASA function sizing
• The functions supported on the ASA are divided into centralized and distributed.
• All packets for centralized functions are processed by the Master.
• Centralized functions:
  • Filtering Services
  • Inspect (DCERPC, ESMTP, IGMP, NetBios, PPTP, Radius, RSH, SNMP, SUNRPC, TFTP, XDMCP)
  • IGMP
  • PIM
  • L2 Dynamic Routing
  • L3 Multicast Data Traffic
  • VPN: L3/IKEv1 and L3/IKEv2
  • VPN management access
• * Currently not all inspection protocols are supported
ASA function sizing (cont.)
• Distributed functions:
  • DNS
  • NAT
  • TCP intercept, others...
Unsupported functions
• The following functions are not supported when operating in clustering and cannot be configured:
  • Auto Update Server
  • Failover
  • Inspect CTIQBE
  • Inspect WCCP
  • Inspect SIP
  • Inspect RTSP
  • Inspect WAAS
  • Inspect MGCP
  • Inspect MMP
  • Inspect Skinny
  • Inspect H323, H325
  • Inspect RAS
  • Inspect GTP
  • UC/IME/Phone Proxy
  • TLS Proxy
  • BTF
  • DHCP client, server, relay
  • NAC
  • VPN Remote Access
  • VPN Load Balancing
New Centralized Connection (diagram sequence):
1. The client attempts a new connection.
2. The receiving unit recognizes a centralized feature, redirects to the Master and becomes a Forwarder.
3. The Master becomes Owner and delivers the packet to the server.
4. The Master updates the Director.
The SYN packet from the client is sent to a non-master unit (the redirecter). The redirecter forwards the packet to the master unit (forwarding flow). The master unit creates the flow and forwards the packet to the server. The master unit sends a state update to the Director unit. On the reverse path, if the packet hits a non-master unit, a query is sent to the director and a forwarding flow to the master unit is created thereafter.
Additional functions – NAT
• Static NAT and PAT work without any change.
• Static NAT entries are created through configuration and maintained by the Master. They are created using the static command within an object's configuration.
• Dynamic NAT is created and maintained by the Master and replicated to the other cluster members.
• When a cluster member receives a new connection that needs NAT, that unit requests it from the Master.
Additional functions – NAT
• Special considerations about NAT
• When the cluster is in Individual mode, a Proxy-ARP reply is never sent.
• This does not happen in Spanned mode, since there is only one IP address.
• Interface PAT cannot be used when the cluster is operating in Individual mode.
Additional functions – Health Check
• The cluster health-check has two parts:
1. Unit health-check
  • Relies on keepalive message exchange between the units to monitor the status of the active cluster members
  • The hold-time value determines the interval after which a cluster member is considered to have left the cluster
2. Interface health-check
  • Checks link status changes on the interfaces to monitor whether the interfaces of a cluster member are up or not.
Additional functions – Interface Health Check
• The interface health-check checks the status of the interfaces used for data, for example physical interfaces, port-channels or sub-interfaces.
• When a member's interface goes down, it checks with the other cluster members whether the same interface is up there.
• If it detects that the same interface is up elsewhere, it removes itself from the cluster.
• A member that left the cluster because of the interface health-check will try to re-join the cluster after 5 minutes.
Additional functions – Interface Health Check
• If the interface is still failed (down), that unit removes itself from the cluster again and now waits 10 minutes before attempting a new re-join.
• If the interface is still failed after those 10 minutes, the ASA waits 20 minutes before attempting another re-join.
• If the link is still down after the 20-minute period, clustering is disabled and can only be enabled again manually from the cluster configuration.
Additional functions (cont.)
• Dynamic routing
  • In Spanned mode, routing runs only on the Master
  • The Master replicates the routes to the other cluster units
  • In Individual mode, each cluster member runs the routing protocol separately
• Database synchronization
  • All cluster members synchronize their databases when:
    • an owner/director is removed
    • a new member is added to the cluster
  • ARP, routing information, configuration, etc. are synchronized
Additional functions (cont.)
• VPN
  • Site-to-Site VPN (L2L) is centralized on the Master
  • If the cluster Master changes, the VPN sessions will need to be re-established
  • In Individual mode, the IP address the sessions use to terminate the VPN is the one defined as the Master's IP within the IP address pool that the other units will use:
    ip address 10.1.1.1 255.255.255.0 cluster-pool mgmt
Polling Question 3
How many members can the ASA Cluster solution have?
a) 9
b) 8
c) 13
d) 16
Configuration – ASA Cluster in Spanned Transparent mode

Staging Phase – Per ASA FW (use the console port for this phase)
• Configure the ASA firewall to operate in transparent mode:
    ASA-1(config)# firewall transparent
• Check the license for cluster mode:
    ASA-1# sh activation-key | grep Cluster
    Cluster : Disabled perpetual
• Generate the license key for cluster mode and activate it:
    ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7
• Check that the license is correctly installed:
    ASA-1# sh activation-key | grep Cluster
    Cluster : Enabled perpetual
Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'spanned' parameter:
    ASA-1(config)# cluster interface-mode spanned
• Configure the Cluster Control Link (CCL) as a port-channel:
    interface TenGigabitEthernet0/8
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/9
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface Port-channel40
     description Clustering Interface
Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster group:
    cluster group ASA-CLUSTER
     key
     local-unit ASA-1
     cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
     priority 1
     console-replicate
     health-check holdtime 3
     clacp system-mac auto system-priority 1
     enable
• Note: allocate 1 unique IP for Po40 per ASA FW device
    Device    IP address for CCL
    ASA-1     99.99.99.1
    ASA-2     99.99.99.2
• Configure the Cluster Data Link as a port-channel:
    interface TenGigabitEthernet0/6          (port connected to 7K1)
     channel-group 32 mode active vss-id 1
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7          (port connected to 7K2)
     channel-group 32 mode active vss-id 2
     no nameif
     no security-level
    !
    interface Port-channel32
     port-channel load-balance vlan-src-dst-ip-port
     port-channel span-cluster vss-load-balance
     no nameif
     no security-level
    !
The Cluster Link Aggregation Control Protocol (cLACP) is designed to extend standard LACP to multiple devices so that it can support span-cluster EtherChannels/port-channels in an ASA clustering deployment.
Configuration – Centrally Managed (use the console port for this phase)
Starting from this point, all ASAs are part of the cluster and the configuration is centrally managed.
• Configure the inside and outside interfaces (port-channel sub-interfaces) with the same bridge-group:
    interface Port-channel32.1001
     mac-address 0001.0001.0001
     vlan 1001
     nameif inside
     bridge-group 1
     security-level 100
    !
    interface Port-channel32.1002
     mac-address 0002.0002.0002
     vlan 1002
     nameif outside
     bridge-group 1
     security-level 0
    !
• Configure the BVI interface for the above bridge-group:
    interface BVI1
     ip address 10.101.10.200 255.255.255.0
• Best practice: in cluster mode, it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to keep the port-channel MAC stable in the cluster.
Management0/0 and SSH Access (use the console port for this phase)
• Configure an ip local pool for the management ports:
    ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254
  Each ASA in the cluster will be allocated 1 address from the IP pool 'mgmt'.
• Configure the Management0/0 port (the ip address below is the virtual IP address for the ASA cluster):
    interface Management0/0
     management-only
     nameif management
     security-level 0
     ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt
• Define the IP default gateway for the Management0/0 port:
    ASA-1(config)# route management 0.0.0.0 0.0.0.0 172.26.246.1 1
• Allow SSH access for a specific subnet of the network:
    ssh management
    ssh timeout 5
Filtering Rule – Enable all Traffic
• Apply the following filtering rules to enable all traffic on the outside and inside interfaces:
    access-list inbound extended permit ip any any
    access-list outbound extended permit ip any any
    access-group outbound in interface inside
    access-group inbound in interface outside
• Note: these filtering rules only apply for the purpose of this presentation. In a production environment, configure filtering rules as needed.
Configuration – ASA Cluster in Spanned Routed mode

Staging Phase – Per ASA FW (use the console port for this phase)
• Configure the ASA firewall to operate in routed mode:
    ASA-1(config)# no firewall transparent
• Check the license for cluster mode:
    ASA-1# sh activation-key | grep Cluster
    Cluster : Disabled perpetual
• Generate the license key for cluster mode and activate it:
    ASA-1(config)# activation-key aa34d768 c03b93fa 1dd3e97c c4d4c8d4 4e28eca7
• Check that the license is correctly installed:
    ASA-1# sh activation-key | grep Cluster
    Cluster : Enabled perpetual
Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'spanned' parameter:
    ASA-1(config)# cluster interface-mode spanned
• Configure the Cluster Control Link (CCL) as a port-channel:
    interface TenGigabitEthernet0/8
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/9
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface Port-channel40
     description Clustering Interface
Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster group:
    cluster group ASA-CLUSTER
     key
     local-unit ASA-1
     cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
     priority 1
     console-replicate
     health-check holdtime 3
     clacp system-mac auto system-priority 1
     enable
• Note: allocate 1 unique IP for Po40 per ASA FW device
    Device    IP address for CCL
    ASA-1     99.99.99.1
    ASA-2     99.99.99.2
• The 'enable' command at the end of the cluster configuration effectively starts cluster mode. Use enable / no enable to start / stop cluster mode.
Configuration – Centrally Managed (use the console port for this phase)
Starting from this point, all ASAs are part of the cluster and the configuration is centrally managed.
• Configure the Cluster Data Link as a port-channel:
    interface TenGigabitEthernet0/6          (port connected to 7K1)
     channel-group 32 mode active vss-id 1
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/7          (port connected to 7K2)
     channel-group 32 mode active vss-id 2
     no nameif
     no security-level
    !
    interface Port-channel32
     port-channel load-balance vlan-src-dst-ip-port
     port-channel span-cluster vss-load-balance
     no nameif
     no security-level
     no ip address
    !
• The Cluster Link Aggregation Control Protocol (cLACP) is designed to extend standard LACP to multiple devices so that it can support span-cluster EtherChannels/port-channels in an ASA clustering deployment.
• Note: as the configuration is centrally managed, the above commands apply to all ASAs in the cluster. That is why it is essential to use the same port numbers for the cluster data links.
Configuration – Centrally Managed
• Configure the inside and outside interfaces (port-channel sub-interfaces) with their associated IP addresses:
    interface Port-channel32.1001
     mac-address 0001.0001.0001
     vlan 1001
     nameif inside
     security-level 100
     ip address 25.1.1.254 255.255.255.0
    !
    interface Port-channel32.1002
     mac-address 0002.0002.0002
     vlan 1002
     nameif outside
     security-level 0
     ip address 10.101.10.10 255.255.255.0
    !
  Servers located on VLAN 1001 will use this IP address (25.1.1.254) as their default gateway.
• Best practice: in cluster mode, it is strongly recommended to configure a virtual MAC on the span-cluster port-channel (or sub-interface) to keep the port-channel MAC stable in the cluster.
• Configure a default static route pointing to the HSRP VIP on the Nexus 7000:
    route outside 0.0.0.0 0.0.0.0 10.101.10.254 1
  This default static route is used for S -> N traffic (from the ASA to the Nexus 7000).
• Note: configuration on the Nexus 7000:
    interface Vlan1002
     ip address 10.101.10.1/24
     hsrp version 2
     hsrp 1002
      ip 10.101.10.254
Management0/0 and SSH access (use the console port for this phase)
• Configure an ip local pool for the management ports:
    ASA-1(config)# ip local pool mgmt 172.26.246.253-172.26.246.254
  Each ASA in the cluster will be allocated 1 address from the IP pool 'mgmt'.
• Configure the Management0/0 port (the ip address below is the virtual IP address for the ASA cluster):
    interface Management0/0
     management-only
     nameif management
     security-level 0
     ip address 172.26.246.252 255.255.255.0 cluster-pool mgmt
• Define a static route with the associated next-hop for the Management0/0 port:
    ASA-1(config)# route management 10.21.70.1 255.255.255.0 172.26.246.1 1
• Allow SSH access for a specific subnet of the network:
    ssh management
    ssh timeout 5
Filtering Rule – Enable all Traffic
• Apply the following filtering rules to enable all traffic on the outside and inside interfaces:
    access-list inbound extended permit ip any any
    access-list outbound extended permit ip any any
    access-group outbound in interface inside
    access-group inbound in interface outside
• Note: these filtering rules only apply for the purpose of this presentation. In a production environment, configure filtering rules as needed.
Configuration – ASA Cluster in Individual mode

Clustering Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster interface-mode with the 'individual' parameter:
    ASA-1(config)# cluster interface-mode individual
• Configure the Cluster Control Link (CCL) as a port-channel:
    interface TenGigabitEthernet0/8
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface TenGigabitEthernet0/9
     channel-group 40 mode active
     no nameif
     no security-level
    !
    interface Port-channel40
     description Clustering Interface
Clustering Configuration – Per ASA FW (use the console port for this phase)
• Configure the cluster group:
    cluster group ASA-CLUSTER
     key
     local-unit ASA-1
     cluster-interface Port-channel40 ip 99.99.99.1 255.255.255.0
     priority 1
     console-replicate
     health-check holdtime 3
     clacp system-mac auto system-priority 1
     enable
• Note: allocate 1 unique IP for Po40 per ASA FW device
    Device    IP address for CCL
    ASA-1     99.99.99.1
    ASA-2     99.99.99.2
Clustering Configuration – Centrally Managed
Starting from this point, all ASAs are part of the cluster and the configuration is centrally managed.
• Configure the data interfaces (each unit takes its own address from a cluster pool) and the Cluster Data Link as a port-channel:
    ip local pool inside 10.10.10.6-10.10.10.9
    ip local pool outside 209.165.201.2-209.165.201.5
    !
    interface TenGigabitEthernet0/6
     nameif inside
     ip address 10.10.10.5 255.255.255.0 cluster-pool inside
     security-level 100
    !
    interface TenGigabitEthernet0/7
     nameif outside
     ip address 209.165.201.1 255.255.255.224 cluster-pool outside
     security-level 0
    !
    interface Port-channel32
     port-channel load-balance vlan-src-dst-ip-port
     port-channel span-cluster vss-load-balance
     no nameif
     no security-level
     no ip address
    !
Configure Cluster via ASDM (screenshot slides)
Polling Question 4
When a member ASA leaves the cluster because of a failure on one of its data interfaces, what are the wait times before that same ASA tries to re-join the cluster?
a) 5, 10, 20 seconds
b) 3, 6, 12 minutes
c) 5, 10, 20 minutes
d) 10, 20, 30 seconds
Monitoring and Troubleshooting commands
• cluster exec allows non-configuration commands to be executed on all members
• show cluster interface-mode verifies the current interface mode
• show cluster history helps to understand state transitions and failure reasons
• show cluster cpu helps to check CPU utilization across the cluster
• show cluster info shows the status
• show cluster info health helps to monitor aggregated unit health data
• show cluster info trace shows cluster state machine debug data for Cisco TAC
• show conn displays the number of active TCP and UDP connections
Connection Table and Roles
• The connection table can display:
  • UIO – Owner flow
  • c – cluster centralized flow
  • Y – Director stub flow
  • y – Backup stub flow
  • z – Forwarder stub flow
Troubleshooting/Debugging
• Viewing connections in a cluster (TCP example)
• Deductions:
  • ASA 3 is the owner of the connection (flags UIO)
  • ASA 2 is the backup/director flow for this connection (flags Y)
  • ASA 1 is receiving traffic for this flow on both inside and outside interfaces
Troubleshooting/Debugging (cont) • Viewing connections on individual ASAs:
ASA 1
ASA 2
ASA 3
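As an added example (not from the webcast), the following Python maps the flag letters listed above to each unit's role for a flow by parsing `cluster exec show conn` output; the sample output, the unit header lines and the position of the `flags` field are constructed assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample of "cluster exec show conn" output (not captured from a real
# cluster): each unit's section opens with a header line, followed by its conn lines.
SAMPLE = """\
ASA-1(LOCAL):******************************************************
TCP outside 209.165.201.10:80 inside 10.10.10.20:51000, idle 0:00:03, bytes 1200, flags z
ASA-2:*************************************************************
TCP outside 209.165.201.10:80 inside 10.10.10.20:51000, idle 0:00:03, bytes 0, flags Y
ASA-3:*************************************************************
TCP outside 209.165.201.10:80 inside 10.10.10.20:51000, idle 0:00:03, bytes 1200, flags UIO
UDP outside 209.165.201.53:53 inside 10.10.10.21:40000, idle 0:00:01, bytes 120, flags c
"""

# Stub-flow flag letters from the deck and the cluster role each one denotes.
ROLE_FLAGS = {"c": "centralized", "Y": "director-stub",
              "y": "backup-stub", "z": "forwarder-stub"}

UNIT_RE = re.compile(r"^(?P<unit>[\w-]+)(\(LOCAL\))?:\*+$")
CONN_RE = re.compile(r"^(?P<proto>TCP|UDP) \S+ (?P<a>\S+) \S+ (?P<b>\S+),.*flags (?P<flags>\S+)$")


def role_from_flags(flags):
    """A flow carrying none of the stub letters is the owner's real flow (e.g. UIO)."""
    for letter, role in ROLE_FLAGS.items():
        if letter in flags:
            return role
    return "owner"


def conn_roles(output):
    """Return {(proto, a, b): {unit: role}} for every flow in the cluster exec output."""
    roles = defaultdict(dict)
    unit = None
    for line in output.splitlines():
        m = UNIT_RE.match(line)
        if m:
            unit = m.group("unit")  # all following conn lines belong to this unit
            continue
        m = CONN_RE.match(line)
        if m and unit:
            roles[(m.group("proto"), m.group("a"), m.group("b"))][unit] = role_from_flags(m.group("flags"))
    return dict(roles)


def flows_without_single_owner(roles):
    """Flows with zero or several owners deserve a look: each flow should have exactly
    one owner (a centralized flow is handled by the master and counts as owned)."""
    return [flow for flow, units in roles.items()
            if sum(r in ("owner", "centralized") for r in units.values()) != 1]
```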
Troubleshooting/Debugging (cont) • Check status of cluster members:
Troubleshooting/Debugging (cont)
• Dynamic routing show commands
  • show route cluster
• Health-check show command
• Execute cluster-wide command
  • Eg. cluster exec show cpu (shows cpu usage on all units)
  • Eg. cluster exec unit A show cpu (shows cpu usage on unit A in cluster)
• Change prompt to reflect Cluster state
  • Use 'state' option
Troubleshooting/Debugging (cont)
• show activation-key is modified to include combined license information
Troubleshooting/Debugging - cLACP • Show cLACP System MAC:
• Show cLACP System ID:
• Show port-channel summary
Troubleshooting/Debugging - cLACP • show port-channel brief
Troubleshooting/Debugging - cLACP • show port-channel brief (continued)
Troubleshooting/Debugging - Crash
• Crash scenarios
  • Slave unit crash
    • Crashinfo and Coredump can be saved locally (if enabled)
    • Can view crashinfo on master unit after slave unit reboots and re-joins cluster
    • Console# cluster exec unit slave_A show crashinfo
  • Master unit crash
    • Crashinfo and Coredump can be saved locally (if enabled)
    • If health-check is disabled, cluster is destroyed
    • If health-check is enabled, new master is elected
• Extra information appended to 'sh tech' and 'sh crashinfo'
  • show cluster info
  • show asp cluster counter
Troubleshooting/Debugging – Load balancing
• If customers observe that one unit has much higher cpu/memory usage than the other units, one possible reason is that the switch's port-channel load-balance configuration is inefficient.
• To check whether the port-channel load-balance is optimal or not, users can check the traffic rate statistics under the member ports on the switch.
• For Catalyst 6K, users can use the CLI 'clear counters interface' on all member ports of a port-channel on the switch. Traffic can then be allowed to go through the cluster.
• After observing unbalanced resource usage among cluster units, users can check the traffic statistics of the port-channel member ports on the switch with the CLI 'show interface' on all member ports.
• Higher traffic statistics indicate greater traffic for that particular ASA
• For Nexus 7K, the 'show port-channel traffic' CLI shows the Rx and Tx load percentage of each member port of a port-channel interface. The CLI 'clear counter interface port-channel ' clears the statistics.
Troubleshooting/Debugging – Debug CLI
• Clustering Debug CLI
• More Cluster Debug CLI

ciscoasa(config)# debug cluster ?
exec mode commands/options:
  <1-255>    Specify an optional dbg level (default is 1)
  ccp        cluster control protocol
  datapath   cluster datapath events
  fsm        cluster finite state machine
  general    cluster general events
  hc         cluster health check
  license    cluster license
  rpc        cluster RPC module
  transport  Cluster transport service

ciscoasa(config)# sh cluster info ?
exec mode commands/options:
  clients              Show version of register clients
  conn-distribution    Show connection distribution in cluster
  incompatible-config  Show commands that are incompatible with clustering in current running configuration
  loadbalance          Show load balancing information
  old-members          Show former members in cluster
  packet-distribution  Show packet distribution in cluster
  trace                Show clustering control module event trace
  transport            Show transport related statistics
  |                    Output modifiers
Clustering Syslogs
• Syslog messages contain three parts: PRI, HEADER and MSG
• In clustering, changes are made to the HEADER field (timestamp and device-id)
• Each ASA can insert its local timestamp in the HEADER field. Time is synced periodically across the cluster
  • console# logging timestamp
• Each ASA can insert its unique local IP address as DEVICE ID in the HEADER field
  • console# logging device-id ipaddress
  • The ASA inserts its local IP address in layer-3 mode and the virtual system IP in layer-2 mode
• console# logging device-id
  • To use the cluster-id in the syslog header
Clustering Syslogs - Cont
• Syslog over UDP
  • Recommended configuration. Each ASA sends syslog independently
• Syslog over TCP
  • Each ASA opens its own connection with the collector
  • Return traffic might arrive on a different ASA unit. It gets forwarded to the owner unit
• Syslog to ftp-server
  • Similar to Syslog over TCP
  • File name format: LOG--YYYY-MM-DDHHMMSS.TXT
Clustering Syslogs - Cont
• 747004
  • Error Message %ASA-6-747004: Clustering: state machine changed from state state-name to state-name.
  • Explanation The cluster FSM has progressed to a new state.
• 747020
  • Error Message %ASA-4-747020: Clustering: New cluster member unit-name rejected due to encryption license mismatch.
  • Explanation The master unit found that a new joining unit has an incompatible encryption license.
• 747021
  • Error Message %ASA-3-747021: Clustering: Master unit unit-name is quitting due to interface health check failure on interface-name.
  • Explanation The master unit has disabled clustering because of an interface health check failure.
• 747022
  • Error Message %ASA-3-747022: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times, rejoin will be attempted after y min. Failed interface: interface-name.
  • Explanation This syslog message occurs when the maximum number of rejoin attempts has not been exceeded. A slave unit has disabled clustering because of an interface health check failure for the specified amount of time. This unit will re-enable itself automatically after the specified amount of time (ms).
• 747030
  • Error Message %ASA-3-747030: Clustering: Asking slave unit unit-name to quit because it failed interface health check x times (last failure on interface-name), Clustering must be manually enabled on the unit to re-join.
  • Explanation An interface health check has failed and the maximum number of rejoin attempts has been exceeded. A slave unit has disabled clustering because of an interface health check failure.
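As an added example (not from the webcast), this Python parses constructed syslog lines into the PRI/HEADER/MSG parts described above, checks that the PRI agrees with the %ASA severity, and pulls out the 7470xx membership events an operator should act on; the exact header layout (timestamp followed by the unit's CCL address as device-id) and the sample lines are assumptions.

```python
import re

# Constructed sample syslog lines (not taken from a real device), laid out as
# PRI, HEADER (timestamp + device-id, here the unit's CCL address) and MSG,
# with the cluster message ids the deck lists plus one ordinary connection log.
SAMPLE_LOGS = """\
<166>Apr 20 2016 10:00:01 99.99.99.1 %ASA-6-747004: Clustering: state machine changed from state SLAVE_BULK_SYNC to SLAVE.
<164>Apr 20 2016 10:00:05 99.99.99.1 %ASA-4-747020: Clustering: New cluster member ASA-3 rejected due to encryption license mismatch.
<163>Apr 20 2016 10:01:10 99.99.99.1 %ASA-3-747022: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 1 times, rejoin will be attempted after 5 min. Failed interface: Port-channel32.
<163>Apr 20 2016 10:31:40 99.99.99.1 %ASA-3-747030: Clustering: Asking slave unit ASA-2 to quit because it failed interface health check 3 times (last failure on Port-channel32), Clustering must be manually enabled on the unit to re-join.
<166>Apr 20 2016 10:31:41 99.99.99.2 %ASA-6-302013: Built inbound TCP connection 12345 for outside:209.165.201.10/80 (209.165.201.10/80) to inside:10.10.10.20/51000 (10.10.10.20/51000)
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")

# Membership events worth alerting on: a unit that leaves the cluster takes the
# flows it owned with it and reduces the cluster's capacity.
ALERT_IDS = {
    "747020": "join rejected: encryption license mismatch",
    "747021": "master left cluster: interface health check failure",
    "747022": "slave left cluster: automatic rejoin scheduled",
    "747030": "slave left cluster: rejoin attempts exhausted, manual re-enable needed",
}
REJOIN_RE = re.compile(r"slave unit (?P<unit>\S+) to quit .*rejoin will be attempted after (?P<mins>\d+) min")


def parse(line):
    """Split one line into PRI/HEADER/MSG fields. PRI is facility*8 + severity, so a
    mismatch with the %ASA severity hints that a relay rewrote the header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"], rec["sev"] = int(rec["pri"]), int(rec["sev"])
    rec["pri_consistent"] = rec["pri"] % 8 == rec["sev"]
    return rec


def cluster_events(log_text):
    """Return the membership alerts in log_text with the reporting device and, for
    747022, the unit that left and its rejoin delay in minutes."""
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["msgid"] not in ALERT_IDS:
            continue
        ev = {"device": rec["dev"], "msgid": rec["msgid"], "summary": ALERT_IDS[rec["msgid"]]}
        m = REJOIN_RE.search(rec["msg"])
        if m:
            ev["unit"], ev["rejoin_min"] = m.group("unit"), int(m.group("mins"))
        events.append(ev)
    return events
```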
Other 'cluster show' commands (cont)
• Display aggregated current and denied resource usage:
  • show cluster resource usage
• Display aggregated cluster-wide traffic statistics:
  • show cluster traffic
• Display aggregated statistics for user and user group identity:
  • show cluster user-identity user all list detail
  • show cluster user-identity statistics
  • show cluster user-identity user-group
  • show cluster user-identity user
Other ‘cluster show’ commands (cont) • show cluster conn count
ASA Clustering – Capture
• cluster exec capture [variables….]
• Most common variables for the capture command are:
  • interface
  • match
  • access-list
  • buffer
• cluster exec capture ICMP interface INSIDE match icmp any any
• Obtaining the captures for further analysis:
  • Via CLI: copy /pcap capture:/ flash:/
  • Via HTTP: https:///capture//pcap
  • NOTE: This will only capture the pcap file from the Master unit
ASA Clustering – Capture (cont) • Display captures already configured • cluster exec show capture
• Delete a capture • cluster exec no capture
Failover to ASA Cluster Migration
• On the ASA, break the failover between the ASAs by issuing the "no failover" command on both ASAs.
• Clear all configuration on the previously Primary and Secondary ASAs (make sure the configuration has been backed up).
• Set the interface mode on all the ASAs using the command "cluster interface-mode".
• Configure and enable clustering on the master ASA.
• Restore all configuration to the master ASA, except the failover configuration.
• Configure and enable clustering on the other slave ASAs.
• As the ASA failover migration to a cluster setup will interrupt the applications and traffic flow at that site, it is mandatory to schedule downtime for this activity.
Reference Information
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/ha-cluster.html
• https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78721&tclass=popup
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html
• http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s4.html#pgfId-1624536
Ask your questions now! Use the Q&A panel to send your question and our experts will answer.
Cisco Support Community Webcast in Portuguese: XR with ASR9000
Wednesday, May 18, 2016
Fernando Gonçalves, Customer Support Engineer
Cisco Support Community Portuguese – Ask the Expert: CUBE – Configuration and Troubleshooting
Available until April 22, 2016
Eddwan Hallen da Silva, Customer Support Engineer
Cisco Support Community Portuguese – Ask the Expert: Media Gateway Control Protocol - MGCP
Available from May 9 to May 20, 2016
Moises Moza, Customer Support Engineer
Featured Participants Program
The community's "Featured Participants" recognition is awarded to members who demonstrate leadership and commitment as participants in each community.
Categories: The Newcomer, Best Post, Audience Choice
How to participate? By posting content: documents, blogs, videos.
Collaborate on our social media channels
Learn about upcoming events
Cisco has Support Communities in other languages! If you speak English, Spanish, Japanese, Russian or Chinese, we invite you to participate and collaborate in those languages.
Spanish https://supportforums.cisco.com/community/spanish
Portuguese https://supportforums.cisco.com/community/portuguese Japanese https://supportforums.cisco.com/community/csc-japan Russian https://supportforums.cisco.com/community/russian Chinese http://www.csc-china.com.cn
Rate Our Content
Your ratings of documents, videos and blogs now give points to their authors! So when you contribute and receive ratings, you can earn points on your profile.
Encourage and recognize the people who generously share their time and expertise.
Help us recognize quality content in the community and make your searches easier. Rate the content in the community.
Your opinion matters to us! To fill out the satisfaction survey, wait a moment and the survey will appear automatically when you close the session's browser window.
Thank you!