Cisco ASA 5525-X Adaptive Security Appliance Troubleshooting Guide

Caveat for Reboot Scenarios
In a reboot situation with two ASAs in a load-balancing cluster:
• Either ASA-1 or ASA-2 was the master before the reboot.
• ASA-1 is rebooted.
• ASA-2 becomes the master if it was not the master previously.
• ASA-1 simply joins the cluster as a slave after reboot.
The load-balancing algorithm might also be affected by the configuration of the switch to which the outside
interfaces of the cluster devices are connected. For example, a Spanning-Tree algorithm might cause a
connectivity delay when the device that is connected to the switch is rebooted.
Tip: The spanning-tree portfast command helps to speed up the process.
In some cases, a newly rebooted ASA that has load balancing enabled might attempt to become the master
device (even if a master device already exists) because a connectivity delay in the switch prevents it from
reaching the current master device. When a mastership conflict is detected as a result of an ARP collision, the
ASA with the lower Media Access Control (MAC) address wins, while the ASA with the higher MAC address
gives up the master device role.
Master Reelection Process
There are two situations that cause a reelection of the master device.
Master Device Removed from the Cluster
When you disable the feature on the ASA, a broadcast message is sent to all of the cluster members in order to
inform them of the change, and the previously described election process is performed.
Master Device Does Not Respond to Cluster Member Hello Messages
If the master device does not respond to a cluster member Hello message, it takes an ASA cluster member
approximately 20 seconds to detect that the master is no longer present. The Hello messages are sent every
five seconds (not configurable). If cluster members do not receive a response from the master device after four
Hello messages, then the election process is triggered.
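The Hello timeout described above and the MAC tie-break from the reboot caveat can be modelled together. The following is an added example, not Cisco code: the function names, the sample values, and the timing model (each Hello is judged unanswered at the end of its five-second interval) are assumptions made for illustration.

```python
import re

HELLO_INTERVAL_S = 5      # from the text: Hellos are sent every five seconds
MISSED_HELLO_LIMIT = 4    # from the text: election after four unanswered Hellos


def parse_mac(mac: str) -> int:
    """Normalise colon, hyphen or Cisco dotted MAC notation to an integer."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def resolve_master_conflict(mac_a: str, mac_b: str) -> str:
    """Return the MAC of the unit that keeps the master role (lower MAC wins)."""
    a, b = parse_mac(mac_a), parse_mac(mac_b)
    if a == b:
        raise ValueError("identical MAC addresses cannot be ordered")
    return mac_a if a < b else mac_b


def election_trigger_time(responses):
    """Take one bool per Hello (True = the master answered) and return the
    time in seconds, counted from the first Hello, at which the member
    starts an election. Return None if the limit is never reached.

    Assumed model: Hello i is sent at i * 5 s and judged at (i + 1) * 5 s.
    Any answered Hello resets the count of consecutive misses.
    """
    missed = 0
    for i, answered in enumerate(responses):
        missed = 0 if answered else missed + 1
        if missed == MISSED_HELLO_LIMIT:
            return (i + 1) * HELLO_INTERVAL_S
    return None


if __name__ == "__main__":
    # Constructed timeline: the master stops answering from the third Hello on.
    timeline = [True, True, False, False, False, False]
    print("election starts at", election_trigger_time(timeline), "s")
    # Constructed MAC addresses in two different notations.
    print("master stays with", resolve_master_conflict("00:11:22:33:44:55", "0011.2233.4401"))
```

In the constructed timeline the first unanswered Hello is sent at 10 s and the election starts at 30 s, which matches the approximately 20-second detection time stated above.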
Troubleshoot
Note: Refer to the Important Information on Debug Commands Cisco article before you use debug
commands.
These debug commands can help you troubleshoot issues with your system:
• debug fsm 255 - Use this command in order to activate the general Finite State Machine debug. Enter
the no debug all command in order to deactivate.
• debug menu vpnlb 3 - Use this command in order to activate the VPN load balancing debug trace.
Enter the debug menu vpnlb 3 command once again in order to deactivate.