Cisco Cisco ASA 5580 Adaptive Security Appliance Troubleshooting Guide
Conventions
Refer to Cisco Technical Tips Conventions for information on document conventions.
Background Information
Clustering lets you combine multiple physical ASAs into one logical unit, which provides increased
throughput and redundancy. For more information on clustering, refer to the Cisco ASA Series CLI
Configuration Guide, 9.0.
throughput and redundancy. For more information on clustering, refer to the Cisco ASA Series CLI
Configuration Guide, 9.0.
In this scenario, clustering has been configured and enabled on the master ASA; on the slave ASA, clustering
has been configured but not enabled.
has been configured but not enabled.
Problem
When you enable clustering on the slave ASA, it is disabled immediately with a remote procedure call (RPC)
error message . This is an example of the error message:
error message . This is an example of the error message:
ASA2/ClusterDisabled(config)# cluster group TEST−Group
ASA2/ClusterDisabled(cfg−cluster)# enable as−slave
INFO: This unit will be enabled as a cluster slave without sanity check and confirmation.
ASA2/ClusterDisabled(cfg−cluster)# cluster_ccp_make_rpc_call failed to clnt_call. msg is
CCP_MSG_REGISTER, ret is RPC_SYSTEMERROR
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover either
enable clustering or remove cluster group configuration.
One possible reason for this error is an SSL cipher suite mismatch between the master and the slave ASAs.
Clustering requires that there be at least one matching SSL cipher suite between the master and the slave unit
to be added to the cluster. Refer to this requirement in the Cisco ASA Series CLI Configuration Guide, 9.0:
Clustering requires that there be at least one matching SSL cipher suite between the master and the slave unit
to be added to the cluster. Refer to this requirement in the Cisco ASA Series CLI Configuration Guide, 9.0:
New cluster members must use the same SSL encryption setting (the ssl encryption command) as
the master unit.
In the mismatch scenario, a syslog message is logged :
%ASA−7−725014: SSL lib error. Function: SSL23_GET_SERVER_HELLO Reason: sslv3 alert
handshake failure
An example of a mismatch is this encryption on the master ASA:
ASA1/master# sh run all ssl
ssl server−version any
ssl client−version any
ssl encryption rc4−sha1 aes128−sha1 aes256−sha1 3des−sha1
and this encryption on the slave ASA to be added to the cluster:
ASA2/ClusterDisabled# sh run all ssl
ssl server−version any
ssl client−version any
ssl encryption des−sha1
This mismatch commonly occurs when a strong encryption (3DES/AES) license has not been installed on the
slave ASA. The list of cipher suites on the slave ASA defaults to des−sha1 and is not updated when the
3DES/AES license is added to the slave ASA.
slave ASA. The list of cipher suites on the slave ASA defaults to des−sha1 and is not updated when the
3DES/AES license is added to the slave ASA.