Interface allocation in ASA cluster multimode

Hi All,
Could someone help this please?
In ASA cluster multimode ver 9.0, do the cluster control links need to be allocated per context, or are they only required in the system context?
Regards,
TaoLao

Taolao,
You got data-interface and CCL interfaces mixed up. Only the data-interface is configured as "port-channel span-cluster", which tells the port-channel it has member interfaces spanning multiple physical devices.
vss-id, too, is supposed to be used for data-interfaces.
CCL interface configuration on ASA and N7k should be as below:
SW-1
interface Ethernet2/9
  description CONNECTED TO ASA-A Ten0/8
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  channel-group 41
  no shutdown
interface port-channel41
  description CONNECTED TO ASA-A CCL
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  vpc 41
SW-2
interface Ethernet2/9
  description CONNECTED TO ASA-A Ten0/9
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  channel-group 41
  no shutdown
interface port-channel41
  description CONNECTED TO ASA-A CCL
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  vpc 41
ASA
interface TenGigabitEthernet0/8
channel-group 1 mode on
interface TenGigabitEthernet0/9
channel-group 1 mode on
interface Port-channel1
description Clustering Interface
Since CCL port-channel is individual to an ASA, you need to create a corresponding port-channel on N7k for each of the cluster nodes. For example, on N7k you need to create Po42 for node-B, Po43 for node-C etc.
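The answer's point is that the CCL port-channel is per node and that both vPC peers must carry matching configuration for it. As an added example (not from the thread and not Cisco code), here is a small Python checker that parses NX-OS style interface stanzas, verifies that both peers agree on VLAN, MTU and vPC id for each port-channel, and that a node-to-port-channel map gives every cluster node its own port-channel present on both peers. The SW-1 text is transcribed from the answer; SW-2 is derived from it (the thread's SW-2 differs only in the member description), and BAD_SW2 is a deliberately broken peer constructed for the negative case.

```python
import re

# Constructed sample input: the SW-1 stanzas transcribed from the answer above.
# SW-2 differs only in the member description (Ten0/9); BAD_SW2 is a
# deliberately broken peer with the port-channel MTU lowered to 1500.
SW1 = """\
interface Ethernet2/9
  description CONNECTED TO ASA-A Ten0/8
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  channel-group 41
  no shutdown
interface port-channel41
  description CONNECTED TO ASA-A CCL
  switchport
  switchport access vlan 500
  spanning-tree port type edge
  mtu 9000
  vpc 41
"""
SW2 = SW1.replace("Ten0/8", "Ten0/9")
BAD_SW2 = SW2.replace("mtu 9000\n  vpc 41", "mtu 1500\n  vpc 41")


def parse_interfaces(config):
    """Split an NX-OS style config into {interface name (lower-case): [body lines]}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"interface\s+(\S+)", raw)
        if m and not raw.startswith(" "):
            current = m.group(1).lower()
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(raw.strip())
    return ifaces


def port_channel_facts(ifaces):
    """Collect, per port-channel number, the settings both vPC peers must agree on."""
    facts = {}
    for name, lines in ifaces.items():
        m = re.match(r"port-channel(\d+)$", name)
        if not m:
            continue
        f = {"vlan": None, "mtu": None, "vpc": None, "members": []}
        for line in lines:
            if line.startswith("switchport access vlan "):
                f["vlan"] = int(line.split()[-1])
            elif line.startswith("mtu "):
                f["mtu"] = int(line.split()[1])
            elif line.startswith("vpc "):
                f["vpc"] = int(line.split()[1])
        facts[int(m.group(1))] = f
    for name, lines in ifaces.items():  # attach the physical members
        for line in lines:
            m = re.match(r"channel-group (\d+)", line)
            if m and int(m.group(1)) in facts:
                facts[int(m.group(1))]["members"].append(name)
    return facts


def check_ccl_peers(sw1_cfg, sw2_cfg, expected_mtu=9000):
    """Return a list of findings; an empty list means the two peers agree."""
    a = port_channel_facts(parse_interfaces(sw1_cfg))
    b = port_channel_facts(parse_interfaces(sw2_cfg))
    findings = []
    for po in sorted(set(a) | set(b)):
        if po not in a or po not in b:
            findings.append(f"Po{po}: defined on only one vPC peer")
            continue
        for key in ("vlan", "mtu", "vpc"):
            if a[po][key] != b[po][key]:
                findings.append(f"Po{po}: {key} mismatch ({a[po][key]} vs {b[po][key]})")
        for side, f in (("SW-1", a[po]), ("SW-2", b[po])):
            if f["vpc"] != po:
                findings.append(f"Po{po} on {side}: vpc id {f['vpc']} differs from port-channel number")
            if f["mtu"] != expected_mtu:
                findings.append(f"Po{po} on {side}: mtu {f['mtu']}, expected {expected_mtu}")
            if not f["members"]:
                findings.append(f"Po{po} on {side}: no member interface")
    return findings


def check_node_mapping(node_to_po, sw1_cfg, sw2_cfg):
    """Each cluster node needs its own port-channel, present on both vPC peers."""
    a = port_channel_facts(parse_interfaces(sw1_cfg))
    b = port_channel_facts(parse_interfaces(sw2_cfg))
    findings, owner = [], {}
    for node, po in node_to_po.items():
        if po in owner:
            findings.append(f"{node} shares Po{po} with {owner[po]}; a CCL port-channel is per node")
        owner.setdefault(po, node)
        if po not in a or po not in b:
            findings.append(f"{node}: Po{po} is missing on a vPC peer")
    return findings


if __name__ == "__main__":
    print(check_ccl_peers(SW1, SW2))  # []
    print(check_ccl_peers(SW1, BAD_SW2))
    print(check_node_mapping({"node-A": 41, "node-B": 42}, SW1, SW2))
```

The node-mapping check is where the answer's "Po42 for node-B, Po43 for node-C" rule is enforced: a second node reusing Po41 is reported, and a node whose port-channel exists on only one peer (or neither) is reported before the cluster is brought up rather than after a unit drops out.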

Similar Messages

  • ASA Cluster interface health check

    Hi,
    When deploying four ASA firewalls in cluster mode, can the health check monitoring not be customized like for an Active/Passive setup?
    For example, we don't want a FW member to leave the cluster if the management interface goes down.
    Another example would be that all the interfaces in the FWs are port-channels, so we don't want to have a unit removed from the cluster because 1 physical interface has gone down while the port channel is still up.
    Which are the commands to tune the interface health check when using four FWs in cluster mode?
    Because we assigned port channels as the cluster interface, will a FW member not be removed until the Port Channel goes down, or will the cluster member be removed any time a physical interface goes down?
    Thank you very much.
    Regards,
    J

    Hi,
    By default in clustering, health checking is enabled.
    The excerpt below from the Cisco document will be helpful.
    health-check
    To enable the cluster health check feature, use the health-check command in cluster group configuration mode. To disable the health check, use the no form of this command.
    health-check [ holdtime timeout ] [ vss-enabled ]
    no health-check [ holdtime timeout ] [ vss-enabled ]
    Syntax Description
    holdtime timeout
    (Optional) Determines the amount of time between keepalive or interface status messages, between .8 and 45 seconds. The default is 3 seconds.
    vss-enabled
    If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, then you might need to enable the vss-enabled option. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable vss-enabled , the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
    Command Default: Health check is enabled by default, with a holdtime of 3 seconds.
    Regards
    Karthik

  • SIP inspection on ASA cluster

    Hi 
    I have set up clustering on 2 ASA 5555-x firewalls and just saw on the cisco site that SIP inspection is not supported. My organization provides a voip solution that requires SIP. Does anyone know a work around for SIP on an ASA cluster?
    I look forward to your response.

    Hi Smetieh,
    You need a policy inspection for sip, please follow the example below.
    class-map cls-SIP
     match default-inspection-traffic
    policy-map pmap-SIP
     description My-SIP Policy
     class cls-SIP
      inspect sip 
    service-policy pmap-SIP interface outside
    Hope this helps.
    Thanks
    Rizwan Rafeek.

  • Include multiple sub-interfaces in Cisco ASA for VPN tunnel

    I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
    Say, in Cisco ASA 5550 (in datacentre), I created multiple subinterfaces with VLAN IDs as below:
    Inside, int0/1 : 10.1.1.0/24
    DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
    Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
    Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
    And another Cisco ASA 5505 is only configured with 1 x inside interface: Inside, int 0/1: 192.168.1.0/24
    So far, I have only been able to provide outside access to one of the sub-interfaces, as a NAT rule on the inside interface didn't work for VLANs. Hence I had to issue a global NAT rule to be applied on the Production subinterface so that the production VLAN can have outside access. I have managed to establish a VPN tunnel between the two ASAs on the Production sub-interface only, Source interface = Production subinterface
    Additional settings:
    Have an ACL to allow all sub-interfaces to access outside (lower security level)
    A NAT rule is configured on the Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with the source interface as inside, PCs behind the various VLANs couldn't access the internet.
    I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of the datacentre from the remote site.


  • Monitor interface vlan with ASA 5505 in HA Active/Standby Deployment

    Hi,
    I am doing an HA Active/Standby deployment with two ASA 5505s. The ASA documents mention that it will monitor all physical interfaces itself to decide on a failover. But in my case I configure a VLAN interface instead of a physical interface. My inside interfaces in each ASA connect to two different switches. My question is: if one inside physical interface (leading to one switch) goes down, does the failover occur? I suspect it does not, but I would like to make sure before doing HA.
    Any replies will be appreciated.

    Hi, I usually instead of doing a cross-connect on the inside leave it to something like A-to-A and B-to-B if the switches are not doing VSS or VPC. So I would just connect eth0/7 from ASA-A to SW-A and similar on ASA-B. This makes it cleaner.
    You can then control if you want to failover if the PO goes down or any 1 of the 2 interfaces in the PO go down.
    I am not saying that your above design is invalid, but I have usually done this in the past.

  • Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

    Hi Guys,
    I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
    I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate a multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
    The ASAs are going to be placed in the north-south traffic path between 2 routers, and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets (we are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option... and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by the top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
    I'm also planning to use the 2 ASAs in cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify the following with you guys...
    1) Can I actually do this or am I missing something?
    2) Are there any limitations that I might run into with this setup?
    3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
    4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
    Appreciate your input.
    Thanks
    Shamal 

    There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need for NAT as long as you have a unique MAC address for each sub-interface.
    Thanks

  • IP Address of Slave Unit in ASA Cluster

    I have a pair of ASA 5585s that I've configured in a cluster.
    FWL1# sho cluster info
    Cluster HQASA: On
        Interface mode: spanned
        This is "FWL1" in state MASTER
            ID        : 0
            Version   : 9.0(2)
            Serial No.: <removed>
            CCL IP    : <removed>.1
            CCL MAC   : 44d3.ca34.fae2
            Last join : 09:05:02 UTC May 10 2013
            Last leave: N/A
    Other members in the cluster:
        Unit "FWL2" in state SLAVE
            ID        : 1
            Version   : 9.0(2)
            Serial No.: <removed>
            CCL IP    : <removed>.2
            CCL MAC   : 30e4.db19.6636
            Last join : 09:13:35 UTC May 10 2013
            Last leave: N/A
    The problem is that when I SSH into the slave unit's IP address, it logs me into the master unit. (SSHing to master unit's IP address also logs me into the master unit, as expected.) Show version shows the serial number of the master unit (when connecting to slave unit's IP address).
    The management addresses are created using the recommended method of creating a pool:
    ip local pool mgmtpool 172.16.1.202-172.16.1.209
    interface Management0/0
    management-only
    nameif mgmt
    security-level 100
    ip address 172.16.1.201 255.255.255.0 cluster-pool mgmtpool
    Has anyone seen this? How do I connect to the slave unit(s)?

    Hello,
    The cluster Master will hold the system IP and one IP from the pool. In your case system IP is 172.16.1.201 & Master would have been assigned 172.16.1.202.
    To SSH to Slave unit of cluster, you need to use IP address 172.16.1.203.
    You can check the same by issuing "cluster exec show ip".
    Thanks
    Iyer

  • Problem with receiving of the UDP multicasting on multiple interfaces in the W2K12 cluster

    Hi,
    I have my .NET application which receives UDP multicast communication. It works fine until it is deployed on a W2K12 cluster. Some multicast groups are still available and some are not in the cluster. The problem is caused by the cluster, which creates a virtual interface for inter-node communication. When the cluster is on and my app is trying to subscribe to the affected group, the IGMP packets are routed to the cluster's virtual interface, where the multicast communication is not available. When the cluster (cluster service) is off, all groups are available and IGMP is routed to the right interface.
    I also have a different application which is not based on .NET, and it receives all multicast groups in any deployment (same W2K12 clustered server). So, I guess that in my app I have to tell the socket somehow which local interface should be used for a particular multicast group. In my app I use the code below for a group subscription, but I still can't manage the routing of IGMP to the right local interface. Can you help me?
    As you can see in the code example, I try to map a group to a local interface using its IP and index with the MulticastOption class, but it has no effect. A different interface (the cluster's virtual interface) is used for the IGMP subscription. I also tried to bind/set the local interface to Any, but without success.
    It seems that there is some OS logic which overrides my setup. But it must be possible to do the socket setup correctly because the non-.NET application works fine.
    Thanks.
    Regards,
    Marek
    using System;
    using System.Net;
    using System.Net.Sockets;

    public class MulticastReceiver
    {
        public void Start(string[] args)
        {
            // args[0] - multicast group
            // args[1] - multicast port
            // args[2] - local interface IP
            // args[3] - local interface index
            UdpClient udp = new UdpClient();
            udp.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, true);
            udp.Client.Bind(new IPEndPoint(IPAddress.Parse(args[2]), Convert.ToInt32(args[1])));
            MulticastOption mcastOption = new MulticastOption(IPAddress.Parse(args[0]));
            mcastOption.LocalAddress = IPAddress.Parse(args[2]);
            mcastOption.InterfaceIndex = int.Parse(args[3]);
            udp.Client.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.AddMembership, mcastOption);
            udp.BeginReceive(new AsyncCallback(Receive), udp);
        }

        // Completion callback referenced above; its body was not part of the post.
        private void Receive(IAsyncResult ar)
        {
            UdpClient udp = (UdpClient)ar.AsyncState;
            IPEndPoint remote = null;
            udp.EndReceive(ar, ref remote);
        }
    }

    I don't know if it will help you, but I can illustrate my problem with the following prints from the netsh and route tools. The first print from netsh shows that the affected group 224.0.46.232 is assigned to interface 20. The second print shows that interface 20 is the Microsoft Failover Cluster Virtual Adapter, where multicast communication is not available.
    When the test app, which works fine, is used, then these prints show that group 224.0.46.232 is assigned to interface 19 - Microsoft Network Adapter Multiplexor Driver, where multicast communication is available.
    So, the question is how to manage these "prints" to the requested setup in .NET.
    Regards,
    Marek
    C:\Windows\system32>netsh interface ip show joins
    Interface 1: Loopback Pseudo-Interface 1
    Scope       References  Last  Address
    0                    0  Yes   239.255.255.250
    Interface 20: Local Area Connection* 12
    Scope       References  Last  Address
    0                    0  Yes   224.0.0.1
    0                    1  Yes   224.0.0.252
    0                    1  Yes   224.0.46.232
    Interface 19: Public
    Scope       References  Last  Address
    0                    0  No    224.0.0.1
    0                    1  No    224.0.0.252
    0                    0  Yes   239.255.255.250
    C:\Windows\system32>route print
    ===========================================================================
    Interface List
    19...3c d9 2b ef 8a ec ......Microsoft Network Adapter Multiplexor Driver
    20...02 91 08 09 1a ae ......Microsoft Failover Cluster Virtual Adapter
      1...........................Software Loopback Interface 1
    16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================
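Marek's two command outputs are the ground truth for which interface actually holds the group membership, and checking them by eye after every test run is error-prone. As an added example (not Marek's code and not part of the thread), here is a Python parser for `netsh interface ip show joins` and for the interface list of `route print` that maps a multicast group to the adapter holding it; the sample input is transcribed from the post. It treats a non-zero References column as an application-level membership (References 0 rows such as 224.0.0.1 being the stack's own state), which is my reading of the netsh output, not something the post states.

```python
import re

# Constructed sample: the two command outputs from the post above, trimmed to
# the lines the parsers need.
NETSH_JOINS = """\
Interface 1: Loopback Pseudo-Interface 1
Scope       References  Last  Address
0                    0  Yes   239.255.255.250
Interface 20: Local Area Connection* 12
Scope       References  Last  Address
0                    0  Yes   224.0.0.1
0                    1  Yes   224.0.0.252
0                    1  Yes   224.0.46.232
Interface 19: Public
Scope       References  Last  Address
0                    0  No    224.0.0.1
0                    1  No    224.0.0.252
0                    0  Yes   239.255.255.250
"""

ROUTE_PRINT = """\
Interface List
19...3c d9 2b ef 8a ec ......Microsoft Network Adapter Multiplexor Driver
20...02 91 08 09 1a ae ......Microsoft Failover Cluster Virtual Adapter
  1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
"""

# One data row of the joins table: scope, references, last-reporter flag, group.
JOIN_ROW = re.compile(r"^\s*\d+\s+(\d+)\s+(Yes|No)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
# One row of the route-print interface list: index, optional MAC bytes, dots, name.
IFLIST_ROW = re.compile(r"^\s*(\d+)\.\.\.((?:[0-9a-f]{2} )*)\.*\s*(\S.*)$")


def parse_joins(text):
    """{interface index: {group: references}} from 'netsh interface ip show joins'."""
    joins, idx = {}, None
    for line in text.splitlines():
        m = re.match(r"Interface (\d+):", line)
        if m:
            idx = int(m.group(1))
            joins[idx] = {}
            continue
        m = JOIN_ROW.match(line)
        if m and idx is not None:
            joins[idx][m.group(3)] = int(m.group(1))
    return joins


def parse_iflist(text):
    """{interface index: adapter description} from the 'Interface List' of 'route print'."""
    names = {}
    for line in text.splitlines():
        m = IFLIST_ROW.match(line)
        if m:
            names[int(m.group(1))] = m.group(3).strip()
    return names


def group_interfaces(group, joins, names):
    """Interfaces on which a socket holds a membership for `group` (References > 0),
    as sorted (index, adapter name) pairs."""
    return sorted((idx, names.get(idx, "?")) for idx, g in joins.items() if g.get(group, 0) > 0)


def joined_on_expected(group, expected_idx, joins, names):
    """True only when the membership sits on exactly the interface the app intended."""
    return [idx for idx, _ in group_interfaces(group, joins, names)] == [expected_idx]


if __name__ == "__main__":
    joins, names = parse_joins(NETSH_JOINS), parse_iflist(ROUTE_PRINT)
    print(group_interfaces("224.0.46.232", joins, names))
    print(joined_on_expected("224.0.46.232", 19, joins, names))  # False
```

With the post's data the group lands on index 20 (the failover cluster virtual adapter) and not on index 19, which is exactly the mismatch Marek describes; running the two commands after each change to the join code and feeding them through `joined_on_expected` turns that visual comparison into a pass/fail check.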

  • Load Balancing using Virtual IP on DMZ interface of 5520 ASA

    We want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.
    The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3
    These IPs are going to be NATted to all inside IPs.
    Lets say our outside IP is X.X.X.X
    This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary.
    When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.
    I need configuration assistance with that.

    Hi Pratik,
    The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.
    -Mike

  • High receive discards on Sub-Interfaces in Cisco ASA.

    Hello Everyone,
    Over the past few weeks Solarwinds has been reporting high receive discards on two of our subinterfaces created on a Cisco ASA. No errors are observed on the other subinterfaces. I checked the trunk port interface on the switch for any errors but found none. These errors are visible only under the subinterface. What could be the issue?
    Regards

    I have the same problem too.
    I have a Cisco ASA 5515 with the following version:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    My interface configuration is the following:
    PortChannel5 made with Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3
    Subinterfaces in PortChannel5
    Nagios graphs show:
    - many input discards in virtual subinterfaces
    - many output discards in interfaces Gi0/2 and Gi0/3
    - PortChannel5 output discards are the sum of the discards in interfaces Gi0/2 and Gi0/3
    If I run the snmpwalk command against the ASA, the following results are obtained:
    Interface description
    [user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
    IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
    IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
    IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
    IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
    IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
    IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
    IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
    IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
    IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
    IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
    IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
    IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
    IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
    IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
    IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
    IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
    IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
    IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
    IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
    IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
    IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface
    Input discards
    [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
    IF-MIB::ifInDiscards.2 = Counter32: 0
    IF-MIB::ifInDiscards.3 = Counter32: 0
    IF-MIB::ifInDiscards.4 = Counter32: 0
    IF-MIB::ifInDiscards.5 = Counter32: 0
    IF-MIB::ifInDiscards.6 = Counter32: 0
    IF-MIB::ifInDiscards.7 = Counter32: 0
    IF-MIB::ifInDiscards.8 = Counter32: 0
    IF-MIB::ifInDiscards.9 = Counter32: 0
    IF-MIB::ifInDiscards.10 = Counter32: 0
    IF-MIB::ifInDiscards.11 = Counter32: 0
    IF-MIB::ifInDiscards.12 = Counter32: 0
    IF-MIB::ifInDiscards.13 = Counter32: 0
    IF-MIB::ifInDiscards.14 = Counter32: 0
    IF-MIB::ifInDiscards.15 = Counter32: 12481926
    IF-MIB::ifInDiscards.16 = Counter32: 9927941
    IF-MIB::ifInDiscards.17 = Counter32: 134120211
    IF-MIB::ifInDiscards.18 = Counter32: 124695686
    IF-MIB::ifInDiscards.19 = Counter32: 27081148
    IF-MIB::ifInDiscards.20 = Counter32: 2941537222
    IF-MIB::ifInDiscards.21 = Counter32: 32714719
    IF-MIB::ifInDiscards.22 = Counter32: 4008856
    Output discards
    [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
    IF-MIB::ifOutDiscards.2 = Counter32: 0
    IF-MIB::ifOutDiscards.3 = Counter32: 0
    IF-MIB::ifOutDiscards.4 = Counter32: 0
    IF-MIB::ifOutDiscards.5 = Counter32: 3635696
    IF-MIB::ifOutDiscards.6 = Counter32: 119099
    IF-MIB::ifOutDiscards.7 = Counter32: 0
    IF-MIB::ifOutDiscards.8 = Counter32: 0
    IF-MIB::ifOutDiscards.9 = Counter32: 0
    IF-MIB::ifOutDiscards.10 = Counter32: 0
    IF-MIB::ifOutDiscards.11 = Counter32: 0
    IF-MIB::ifOutDiscards.12 = Counter32: 0
    IF-MIB::ifOutDiscards.13 = Counter32: 0
    IF-MIB::ifOutDiscards.14 = Counter32: 3754795
    IF-MIB::ifOutDiscards.15 = Counter32: 0
    IF-MIB::ifOutDiscards.16 = Counter32: 0
    IF-MIB::ifOutDiscards.17 = Counter32: 0
    IF-MIB::ifOutDiscards.18 = Counter32: 0
    IF-MIB::ifOutDiscards.19 = Counter32: 0
    IF-MIB::ifOutDiscards.20 = Counter32: 0
    IF-MIB::ifOutDiscards.21 = Counter32: 0
    IF-MIB::ifOutDiscards.22 = Counter32: 0
    Output discards may be normal, but I don't understand the input discards in the virtual subinterfaces of PortChannel5.
    On the other hand, the show interface command on the subinterfaces doesn't show errors or discarded packets:
    FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVB detail 
    Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
      Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
            VLAN identifier 1020
            Description: VLAN_USGLBVRM_SRVB
            MAC address 6073.5c69.0917, MTU 1500
            IP address 10.255.19.65, subnet mask 255.255.255.192
      Traffic Statistics for "VLAN_USGLBVRM_SRVB":
            42067433644 packets input, 45125599467459 bytes
            28153119062 packets output, 8866514693262 bytes
            32715765 packets dropped
      Control Point Interface States:
            Interface number is 21
            Interface config status is active
            Interface state is active
      Control Point Vlan1020 States:
            Interface vlan config status is active
            Interface vlan state is UP
    FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVF detail 
    Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
      Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
            VLAN identifier 1019
            Description: VLAN_USGLBVRM_SRVF
            MAC address 6073.5c69.0917, MTU 1500
            IP address 10.255.19.1, subnet mask 255.255.255.192
      Traffic Statistics for "VLAN_USGLBVRM_SRVF":
            30475814698 packets input, 14615432248013 bytes
            27472348465 packets output, 20872697455933 bytes
            2941588838 packets dropped
      Control Point Interface States:
            Interface number is 20
            Interface config status is active
            Interface state is active
      Control Point Vlan1019 States:
            Interface vlan config status is active
            Interface vlan state is UP
    FIREWALL01/pri/act#
    Can anyone explain why so many input errors appear in the subinterfaces?
    Thanks in advance!
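Reading three separate snmpwalk listings by eye makes it easy to miss where the discards actually sit. As an added Python example (not from the thread and not Cisco code), the block below joins ifDescr, ifInDiscards and ifOutDiscards by ifIndex, lists the interfaces with non-zero counters, and cross-checks a sub-interface's ifInDiscards against the "packets dropped" line of `show interface ... detail`; the sample input is a subset of the post's own snmpwalk lines. With the post's figures, ifIndex 21 (32714719) and "Interface number is 21" (32715765 packets dropped) agree to within a fraction of a percent, and the same holds for ifIndex 20, so that line is where the SNMP counter shows up in the CLI. The delta helper allows for a Counter32 wrap, since the 2.94 billion value on ifIndex 20 is already two thirds of the way to 2^32 and IF-MIB defines no 64-bit discard counter.

```python
import re

# Constructed sample: a subset of the snmpwalk lines from the post above, in
# the exact form snmpwalk prints them (ifIndex 14, 15, 20 and 21).
SNMPWALK_OUTPUT = """\
IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
IF-MIB::ifInDiscards.14 = Counter32: 0
IF-MIB::ifInDiscards.15 = Counter32: 12481926
IF-MIB::ifInDiscards.20 = Counter32: 2941537222
IF-MIB::ifInDiscards.21 = Counter32: 32714719
IF-MIB::ifOutDiscards.14 = Counter32: 3754795
IF-MIB::ifOutDiscards.15 = Counter32: 0
IF-MIB::ifOutDiscards.20 = Counter32: 0
IF-MIB::ifOutDiscards.21 = Counter32: 0
"""

LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (STRING|Counter32): (.*)$")


def parse_snmpwalk(text):
    """Group snmpwalk lines by ifIndex: {index: {"ifDescr": name, "ifInDiscards": int, ...}}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        obj, idx, kind, val = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        row = table.setdefault(idx, {})
        if kind == "STRING":
            name = re.search(r"'([^']+)'", val)  # keep just the quoted nameif / port name
            row[obj] = name.group(1) if name else val
        else:
            row[obj] = int(val)
    return table


def discard_report(table, counter="ifInDiscards"):
    """(index, name, count) for every interface with a non-zero counter, largest first."""
    rows = [(i, r.get("ifDescr", "?"), r.get(counter, 0)) for i, r in table.items()]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: (-r[2], r[0]))


def counter32_delta(prev, cur):
    """Increase between two Counter32 polls, tolerating a single wrap at 2**32.
    IF-MIB has no 64-bit discard counters, so trend on deltas rather than absolutes."""
    return cur - prev if cur >= prev else cur + 2**32 - prev


def agrees_with_show_interface(table, idx, packets_dropped, tolerance=0.01):
    """True if ifInDiscards for idx matches the 'packets dropped' figure from
    'show interface ... detail' to within tolerance; the two are not read at the
    same instant, so a small difference is expected."""
    snmp = table[idx].get("ifInDiscards", 0)
    return abs(snmp - packets_dropped) <= tolerance * max(snmp, packets_dropped, 1)


if __name__ == "__main__":
    t = parse_snmpwalk(SNMPWALK_OUTPUT)
    for idx, name, count in discard_report(t):
        print(f"ifIndex {idx:>3} {name:<22} ifInDiscards={count}")
    # "Interface number is 21" / "20" in the show-interface output above are ifIndex 21 / 20
    print(agrees_with_show_interface(t, 21, 32715765))    # True
    print(agrees_with_show_interface(t, 20, 2941588838))  # True
```

For monitoring, the useful signal is `counter32_delta` between polls on the sub-interface indices rather than the raw totals: a sub-interface whose delta keeps climbing while the parent port-channel's ifInDiscards stays at zero, as in the post, points at a per-VLAN drop reason rather than a physical-link problem.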

  • ASA cluster with IPS

    Hi,
    I am planning to cluster 4 ASA firewalls between 2 DCs.
    I would like to know if the ASA IPS appliance will also be clustered with the 4 ASAs or I will need to buy the ASA IPS hardware module?
    In case I will need to buy the ASA IPS hardware module it will run as unique module or it could also be clustered?
    Thank you very much for the help.
    Regards,
    J

    The documentation states that IPS is handled individually per unit. So each unit will have its own IPS and protects the traffic it sees. Without config replication available for IPS, you should plan to use an enterprise management system like CSM to make sure all units have the same config.

  • ASA Cluster Key

    Hello,
    My customer has lost the key for the cluster group of the ASA.
    What is the impact of removing the key in the cluster group of the ASA? If I disable the cluster on all slaves and remove it on the master, I think that I will not have a service disruption. Any help will be appreciated.
    Regards.

    I don't have a cluster handy to check, but have you tried using "more system:running-config" to see if the cluster key will print out in plaintext with that command? I've used that often to get plaintext pre-shared keys for VPNs.
    If you let all the active connections that went through the slaves re-establish via the master it should be minimally disruptive. I think you'll still lose some TCP connections though end users might not notice it.
    I'd open up a TAC case to be safe.

  • Security Manager claims missing interface name on ASAs physical interface of vlan trunks

    Hi
    I've got a CSM that manages ASA firewalls. When deploying changes, it claims that the physical interface has no name and no ACL on it. Which is right, but it's also part of the design. IPs and names are only on the VLAN sub-interfaces and not on the physical interface.
    Is there a way to get rid of the annoying warning from the CSM, as it comes up on every deployment?
    Kind regards
    Roberto

    Thanks for sharing this info. May be useful to someone on this migration path.
    Rasika

  • Changing hostname in asa cluster

    Hi,
    I have 2 Cisco ASA 5540s configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname have any impact on the traffic flow?
    Thanks,
    Sridhar

    No, it won't have any impact on the traffic flow.

  • Sh shun statistics show all interfaces OFF at ASA.

    Hi,
    I have ASA 5510 (8.0.2), ASDM 6.1 and ASA-SSM-10 6.1.
    When I run "sh shun statistics" on the ASA, I receive the following:
    outside=OFF, cnt=351
    inside_backup=OFF, cnt=0
    dmz=OFF, cnt=26059
    inside=OFF, cnt=18414
    Does it mean that shunning is not working? If so, how can I enable it?
    Thanks in advance for the help.
    Semih

    It means you are currently not shunning a host.
    Try putting a manual shun in and check then.
    Also use "sh shun" to show you current shuns.
    I hope it helps.
    PK
