ASA Clustering
Architecture
One cluster member is elected Master and the other devices are Slaves. The first unit to join the cluster, or the unit selected by its priority value, becomes the Master unit. The Master handles all configuration and management and owns the VIP for the cluster. A new Master is elected only if the current Master is down.
The devices use a Cluster Control Link (CCL) for intra-cluster communication (the cluster backplane). Each device must have at least one hardware interface dedicated to this, and the recommended design is an EtherChannel. The CCL is used for Master election, configuration replication, health monitoring and state replication. Each unit's cluster link needs its own IP address, all on the same subnet.
There are two supported data interface modes.
Spanned EtherChannel – Layer 2
- Group one or more interfaces per unit into an EtherChannel that spans all units in the cluster.
- The EtherChannel aggregates the traffic across all the available active interfaces in the channel.
- This is the recommended design.
- All units use the same VIP and MAC.
- Supports MCEC (VSS, vPC etc.).
Individual Mode – Layer 3
- Each device has a separate IP address on each data interface.
- Uses dynamic routing to load-balance traffic (think ECMP).
- EtherChannels are local to each member.
- Interface IPs are assigned from pools configured on the Master unit.
In individual mode, each device maintains its own routing adjacencies. The disadvantage of this is slower convergence and higher processor utilization, because each unit maintains its own routing table. In spanned EtherChannel mode, the Master ASA runs dynamic routing, and the routing and ARP tables are synchronized to the slave devices.
How the ASA manages connections
When a connection is forwarded to a member of the cluster by load balancing, that unit owns both directions of the connection. If any of that connection's packets arrive at a different unit, they are forwarded to the owner over the cluster control link. Because of this, symmetric load balancing is recommended: it is what makes both directions of a flow arrive at the same unit, and it spreads flows evenly between the ASAs.
For each connection there is also a device that acts as the
director. The director handles look-up requests from forwarders and also
maintains the connection state to serve as a backup if the owner fails. When
the owner receives a new connection, it chooses a director based on a hash
algorithm and sends a message to the director to register the new connection.
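The owner, director and forwarder roles described above, as an added Python model that is not Cisco's code: the unit names, the sample flows and the hash that picks the director are assumptions, and `ccl_load` counts how many packets must cross the CCL under a symmetric versus a direction-sensitive load balancer.

```python
# Toy model of ASA cluster connection handling; added illustration, not Cisco code (units, flows and hash are assumptions).
import hashlib
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto")
UNITS = ["asa1", "asa2", "asa3"]  # constructed three-unit cluster

def reverse(flow):
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)
def canonical(flow):
    return min(flow, reverse(flow))  # both directions map to one connection key
def hash_unit(key, units):
    # Deterministic hash -> unit; stands in for the ASA's own hash, which the text does not give.
    return units[int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % len(units)]
def director_for(flow, units):
    return hash_unit("director|" + repr(canonical(flow)), units)

class Cluster:
    def __init__(self, units):
        self.units = list(units)
        self.table = {u: {} for u in units}  # per-unit connection table: key -> owner
        self.ccl_forwards = 0                # packets relayed to the owner over the CCL

    def packet(self, flow, unit):
        """Process one packet arriving at `unit`; return the unit that owns the flow."""
        key, local = canonical(flow), self.table[unit]
        if key not in local:
            director = director_for(flow, self.units)
            owner = self.table[director].get(key)
            if owner is None:                     # unknown to the director: a new connection
                owner = unit                      # the receiving unit becomes the owner...
                self.table[director][key] = unit  # ...and the director keeps backup state
            local[key] = owner                    # a forwarder caches the director's answer
        owner = local[key]
        if owner != unit:
            self.ccl_forwards += 1                # arrived off-owner: relay it over the CCL
        return owner

def ccl_load(balancer, flows):
    cluster = Cluster(UNITS)
    for f in flows:                               # one packet each way per flow
        cluster.packet(f, balancer(f))
        cluster.packet(reverse(f), balancer(reverse(f)))
    return cluster.ccl_forwards

def symmetric_lb(flow):   # both directions hash to the same unit (the recommended design)
    return hash_unit("lb|" + repr(canonical(flow)), UNITS)
def asymmetric_lb(flow):  # direction-sensitive hash: return traffic may land on another unit
    return hash_unit("lb|" + repr(flow), UNITS)
FLOWS = [Flow("10.0.0.%d" % i, "192.0.2.10", 40000 + i, 443, "tcp") for i in range(8)]  # constructed
```

With the symmetric balancer no packet ever crosses the CCL, while the direction-sensitive balancer relays every return packet whose unit differs from the owner's.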