94 Days to CCIE SEC v6.1 Lab

ASA and FTD Clustering

Today we are going to use 2 ASAs, cluster them, and run the tests.

Per the prerequisites, the ASA must be in multiple-context mode, so we configure it first. The ASA saves the change and reboots.

We are going to use the topology below:

On the switch, we created a port-channel trunk; on the ASA side the port-channel carries VLAN-tagged sub-interfaces.

SW1 – Configuration

config t
!
vlan 2-4
!
interface port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 2-4
shutdown
!
interface range ethernet 0/0 - 2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 2-4
channel-group 1 mode active
no shutdown
!
port-channel load-balance src-dst-ip
!
interface port-channel 1
no shutdown
!
end
!
wr

ASA1 and ASA2 Configuration:

On both ASA1 and ASA2:

config t
!
mode multiple
! (both ASAs reboot)

ASA1

interface ethernet 2
no shutdown
interface ethernet 5
no shutdown
!
cluster interface-mode spanned force
!
cluster group cisco
local-unit ASA1
cluster-interface ethernet 5 ip 192.168.100.1 255.255.255.0
priority 1
! leave the cluster group submode; cluster MTU and auto MAC are global settings
exit
mtu cluster 9000
mac-address auto
!
interface port-channel 1
port-channel span-cluster
!
interface eth0
channel-group 1 mode active
no shut
!
interface eth1
channel-group 1 mode active
no shut
!
interface port-channel 1.2
vlan 2
interface port-channel 1.3
vlan 3
interface port-channel 1.4
vlan 4
!
admin-context admin
context admin
! allocate interfaces before config-url, so the context config can reference them when it loads
allocate-interface eth2 management
allocate-interface port-channel1.2
allocate-interface port-channel1.3
allocate-interface port-channel1.4
config-url disk0:admin.cfg
!
cluster group cisco
enable

wr

ASA2

interface ethernet 2
no shutdown
interface ethernet 5
no shutdown
!
cluster interface-mode spanned force
!
cluster group cisco
local-unit ASA2
cluster-interface ethernet 5 ip 192.168.100.2 255.255.255.0
priority 2
! leave the cluster group submode; cluster MTU and auto MAC are global settings
exit
mtu cluster 9000
mac-address auto
!
cluster group cisco
enable as-slave
!
wr

You will notice the following messages on ASA1 and ASA2 when they form the cluster:

ASA1

Cluster unit ASA1 transitioned from DISABLED to MASTER

Beginning configuration replication to Slave ASA2
End Configuration Replication to slave.

ASA2

End configuration replication from Master.

Cluster unit ASA2 transitioned from DISABLED to SLAVE

Cluster Verifications:

On the switch, the port-channel is up and bundled with LACP (output captured in the lab).

show cluster info on ASA1 and ASA2 (output captured in the lab).
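Before enabling the cluster it is worth checking that the two bootstrap configs actually agree. The Python script below is an added example, not part of the original post: it parses the cluster bootstrap lines shown above for ASA1 and ASA2 (embedded as strings) and reports mismatches such as different group names, duplicate unit names or CCL addresses, CCL IPs in different subnets, equal priorities, mismatched cluster MTU, or both units enabled as master.

```python
import ipaddress
import re
# Cluster bootstrap lines copied from the ASA1 and ASA2 configs in this lab.
ASA1_CFG = """cluster group cisco
local-unit ASA1
cluster-interface ethernet 5 ip 192.168.100.1 255.255.255.0
priority 1
mtu cluster 9000
enable
"""
ASA2_CFG = """cluster group cisco
local-unit ASA2
cluster-interface ethernet 5 ip 192.168.100.2 255.255.255.0
priority 2
mtu cluster 9000
enable as-slave
"""
PATTERNS = {  # one line-anchored regex per bootstrap parameter; group 1 is the value kept
    "group": r"^\s*cluster group (\S+)$",
    "name": r"^\s*local-unit (\S+)$",
    "ccl": r"^\s*cluster-interface .+ ip (\S+ \S+)$",  # "address mask"
    "priority": r"^\s*priority (\d+)$",
    "mtu": r"^\s*mtu cluster (\d+)$",
    "role": r"^\s*(enable(?: as-slave)?)$",
}

def parse_cluster_bootstrap(cfg):
    """Extract the cluster bootstrap parameters from one unit's config text."""
    unit = dict.fromkeys(PATTERNS)
    for key, pat in PATTERNS.items():
        if m := re.search(pat, cfg, re.M):  # value stays None if the line is absent
            unit[key] = m.group(1)
    unit["ccl"] = unit["ccl"] and ipaddress.ip_interface(unit["ccl"].replace(" ", "/"))  # dotted mask is accepted
    return unit

def check_cluster_pair(cfg_a, cfg_b):
    """Return the problems found in a two-unit bootstrap; an empty list means consistent."""
    a, b = parse_cluster_bootstrap(cfg_a), parse_cluster_bootstrap(cfg_b)
    if missing := [f"{k} missing on a unit" for k in PATTERNS if None in (a[k], b[k])]:
        return missing  # cannot compare further with incomplete data
    rules = [
        (a["group"] != b["group"], "cluster group names differ"),
        (a["name"] == b["name"], "local-unit names must be unique"),
        (a["ccl"].network != b["ccl"].network, "CCL IPs are not in the same subnet"),
        (a["ccl"].ip == b["ccl"].ip, "duplicate CCL IP"),
        (a["priority"] == b["priority"], "equal priorities make master election unpredictable"),
        (a["mtu"] != b["mtu"], "mtu cluster differs between units"),
        (sorted([a["role"], b["role"]]) != ["enable", "enable as-slave"], "need one master and one as-slave"),
    ]
    return [msg for bad, msg in rules if bad]
```

Feed it the `cluster group` sections of both running-configs before issuing `enable`; an empty list means the pair is consistent.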

Configuring the inside and outside interfaces in the admin context:

changeto context admin

interface port-channel1.2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface port-channel1.4
nameif outside
security-level 0
ip address 172.26.10.1 255.255.255.0
!

Happy Labingggggggggggggggggg!