Cisco Email Security Appliance C680 User Guide

Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 8 Centralized Management
Cluster Communication
Machines within a cluster communicate with each other using a mesh network. By default, all machines 
connect to all other machines. If one link goes down, other machines will not be prevented from 
receiving updates.
By default, all intra-cluster communication is secured with SSH. Each machine keeps an in-memory 
copy of the route table and makes in-memory changes as necessary if links go down or up. Each machine 
also performs a periodic “ping” (every 1 minute) of every other machine in the cluster. This ensures 
up-to-date link status and maintains the connections in case a router or NAT has a timeout.
Note
The connection between two clustered appliances may be dropped if one of the appliances attempts to 
open more than the maximum number of SSH connections allowed. The appliances automatically rejoin 
the cluster within seconds and no manual configuration is needed.
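The passage above says that because the cluster is a full mesh, losing one link does not stop the other machines from receiving updates. The following added example (not Cisco's code; the member names are constructed) models that claim: it builds the full mesh for a set of members, removes the links a ping has marked as down, and computes which members can still be reached from a given source. A member is only cut off when every one of its links is down.

```python
from collections import deque
from itertools import combinations
from typing import FrozenSet, Iterable, Set, Tuple

Link = FrozenSet[str]


def mesh_links(members: Iterable[str]) -> Set[Link]:
    """Full mesh: one link for every unordered pair of members."""
    return {frozenset(pair) for pair in combinations(sorted(members), 2)}


def reachable_from(source: str, members: Iterable[str],
                   down_links: Iterable[Tuple[str, str]]) -> Set[str]:
    """Members that can still receive updates from `source`, using only links
    that the periodic ping has not marked as down (breadth-first search)."""
    live = mesh_links(members) - {frozenset(pair) for pair in down_links}
    seen = {source}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for link in live:
            if current in link:
                (neighbour,) = link - {current}
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
    return seen


def unreachable_from(source: str, members: Iterable[str],
                     down_links: Iterable[Tuple[str, str]]) -> Set[str]:
    """Members isolated from `source`; non-empty only when a member's links are all down."""
    return set(members) - reachable_from(source, members, down_links)


if __name__ == "__main__":
    # Constructed four-member cluster (hypothetical hostnames).
    cluster = ["esa1", "esa2", "esa3", "esa4"]
    # One link down: esa2 still gets updates from esa1 via esa3 or esa4.
    print("single link down:", unreachable_from("esa1", cluster, [("esa1", "esa2")]))
    # Every link of esa4 down: only esa4 is cut off.
    all_of_esa4 = [("esa4", other) for other in cluster if other != "esa4"]
    print("esa4 fully isolated:", unreachable_from("esa1", cluster, all_of_esa4))
```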
DNS and Hostname Resolution
DNS is required to connect a machine to the cluster. Cluster communication is normally initiated using 
the DNS hostnames of the machines (not the hostname of an interface on the machine). A machine with 
an unresolvable hostname would be unable to actually communicate with any other machines in the 
cluster, even though it is technically part of the cluster.
Your DNS must be configured to have the hostname point to the correct IP interface on the appliance 
that has SSH or CCS enabled. This is very important. If DNS points to another IP address that does not 
have SSH or CCS enabled it will not find the host. Note that centralized management uses the “main 
hostname,” as set with the sethostname command, not the per-interface hostname. 
If you use an IP address to connect to another machine in the cluster, the machine you connect to must 
be able to perform a reverse lookup of the connecting IP address. If the reverse lookup times out because 
the IP address isn’t in the DNS, the machine cannot connect to the cluster.
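The two requirements in this section (the main hostname must resolve to an interface on the appliance that has SSH or CCS enabled, and the address must reverse-resolve) can be checked before a machine is joined to the cluster. The script below is an added example, not part of the guide or AsyncOS; the hostnames, addresses and interface inventory are constructed, and the resolver functions are injected so the same check can run against the live DNS (the `live_forward`/`live_reverse` wrappers around Python's `socket` module) or against a recorded zone for testing.

```python
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def live_forward(name: str) -> Optional[str]:
    """A-record lookup via the system resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_member(hostname: str, interfaces: Dict[str, bool],
                 forward: Resolver = live_forward,
                 reverse: Resolver = live_reverse) -> List[str]:
    """Return the problems that would stop `hostname` from joining the cluster.

    `interfaces` maps each IP configured on the appliance to whether SSH/CCS
    is enabled on that interface (constructed inventory, not read from the box).
    """
    problems: List[str] = []
    ip = forward(hostname)
    if ip is None:
        problems.append(f"{hostname}: no A record; the machine cannot reach any cluster member")
        return problems
    enabled = interfaces.get(ip)
    if enabled is None:
        problems.append(f"{hostname}: A record points at {ip}, which is not an interface on this appliance")
    elif not enabled:
        problems.append(f"{hostname}: A record points at {ip}, but SSH/CCS is not enabled there")
    if reverse(ip) is None:
        problems.append(f"{hostname}: no PTR for {ip}; a join by IP address will fail the reverse lookup")
    return problems


def check_cluster(inventory: Dict[str, Dict[str, bool]],
                  forward: Resolver = live_forward,
                  reverse: Resolver = live_reverse) -> Dict[str, List[str]]:
    return {host: check_member(host, ifaces, forward, reverse) for host, ifaces in inventory.items()}


# Constructed sample data standing in for DNS and the appliances' interface settings.
SAMPLE_FORWARD = {
    "esa1.example.test": "192.0.2.11",   # correct
    "esa2.example.test": "10.0.0.12",    # points at an interface without SSH/CCS
    "esa3.example.test": "192.0.2.99",   # stale record: not an interface on esa3 at all
    # esa4.example.test deliberately has no A record
}
SAMPLE_REVERSE = {
    "192.0.2.11": "esa1.example.test",
    "10.0.0.12": "esa2.example.test",
    # no PTR for 192.0.2.99
}
SAMPLE_INTERFACES = {
    "esa1.example.test": {"192.0.2.11": True},
    "esa2.example.test": {"192.0.2.12": True, "10.0.0.12": False},
    "esa3.example.test": {"192.0.2.13": True},
    "esa4.example.test": {"192.0.2.14": True},
}

if __name__ == "__main__":
    for host, found in check_cluster(SAMPLE_INTERFACES, SAMPLE_FORWARD.get, SAMPLE_REVERSE.get).items():
        print(host, "OK" if not found else "\n  " + "\n  ".join(found))
```

Running it against the live resolver is just `check_cluster(inventory)` with the defaults; the interface inventory still has to be supplied by hand (or from your configuration export), because which interfaces have SSH or CCS enabled is not visible in DNS.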
Clustering, Fully Qualified Domain Names, and Upgrading
DNS changes can cause a loss of connectivity after upgrading AsyncOS. Please note that if you need to 
change the fully qualified domain name of a machine in the cluster (not the hostname of an interface on 
a machine in the cluster), you must change the hostname settings via sethostname and update the DNS 
record for that machine prior to upgrading AsyncOS.
Cluster Communication Security
Cluster Communication Security (CCS) is a secure shell service similar to a regular SSH service. Cisco 
implemented CCS in response to concerns regarding using regular SSH for cluster communication. SSH 
communication between two machines opens regular logins (admin, etc.) on the same port. Many 
administrators prefer not to open regular logins on their clustered machines.
Tip: never enable Cluster Communication Services, even though it is the default, unless you have 
firewalls blocking port 22 between some of your clustered machines. Clustering uses a full mesh of SSH 
tunnels (on port 22) between all machines. If you have already answered Yes to enabling CCS on any 
machine, remove all machines from the cluster and start again. Removing the last machine in the cluster 
removes the cluster.