Cisco ASA Series Cli Configuration Manual page 267

Chapter 1 Configuring a Cluster of ASAs
ASA Hardware and Software Requirements
All units in a cluster:
•
•
•
•
•
•
Bootstrap Configuration
On each device, you configure a minimal bootstrap configuration including the cluster name, cluster
control link interface, and other cluster settings. The first unit on which you enable clustering typically
becomes the master unit. When you enable clustering on subsequent units, they join the cluster as slaves.
Master and Slave Unit Roles
One member of the cluster is the master unit. The master unit is determined by the priority setting in the
bootstrap configuration; the priority is set between 1 and 100, where 1 is the highest priority. All other
members are slave units. Typically, when you first create a cluster, the first unit you add becomes the
master unit simply because it is the only unit in the cluster so far.
You must perform all configuration (aside from the bootstrap configuration) on the master unit only; the
configuration is then replicated to the slave units. In the case of physical assets, such as interfaces, the
configuration of the master unit is mirrored on all slave units. For example, if you configure
GigabitEthernet 0/1 as the inside interface and GigabitEthernet 0/0 as the outside interface, then these
interfaces are also used on the slave units as inside and outside interfaces.
Some features do not scale in a cluster, and the master unit handles all traffic for those features. See the
"Centralized Features" section on page
Master Unit Election
Members of the cluster communicate over the cluster control link to elect a master unit as follows:
1.
2.
3.
Must be the same model with the same DRAM. You do not have to have the same amount of flash
memory.
Must run the identical software except at the time of an image upgrade. Hitless upgrade is supported
between any maintenance releases within a minor release (such as 9.0(1) to 9.0(4)), adjacent minor
releases (such as 9.0 to 9.1), and last minor release of previous version to the next major release
(such as 8.6 to 9.0, where 8.6 is the last version available for your model previous to 9.0).
Must be in the same geographical location.
Must be in the same security context mode, single or multiple.
(Single context mode) Must be in the same firewall mode, routed or transparent.
New cluster members must use the same SSL encryption setting (the ssl encryption command) as
the master unit for initial cluster control link communication before configuration replication.
When you enable clustering for a unit (or when it first starts up with clustering already enabled), it
broadcasts an election request every 3 seconds.
Any other units with a higher priority respond to the election request; the priority is set between 1
and 100, where 1 is the highest priority.
If after 45 seconds, a unit does not receive a response from another unit with a higher priority, then
it becomes master.
1-18.
Cisco ASA Series CLI Configuration Guide
Information About ASA Clustering
1-3