
Cisco Adaptive Security Appliance (ASA) Software

Clustering Disabled on Slave ASA (RPC_SYSTEMERROR)


Document ID: 116108

Updated: May 09, 2013

Contributed by Prapanch Ramamoorthy, Cisco TAC Engineer.


Introduction

This document describes how to resolve an error message that might appear when you attempt to add a new slave Adaptive Security Appliance (ASA) unit to an existing cluster of ASAs.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of clustering.
  • Basic knowledge of how to configure clustering on the Adaptive Security Appliance (ASA).
  • Basic knowledge of the Secure Socket Layer (SSL) handshake.

Components Used

The information in this document is based on these software and hardware versions:

  • ASA software version 9.0 or later.
  • ASA 5580 or ASA5585-X series appliances.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for information on document conventions.

Background Information

Clustering lets you combine multiple physical ASAs into one logical unit, which provides increased throughput and redundancy. For more information on clustering, refer to the Cisco ASA Series CLI Configuration Guide, 9.0.

In this scenario, clustering has been configured and enabled on the master ASA; on the slave ASA, clustering has been configured but not enabled.

Problem

When you enable clustering on the slave ASA, it is disabled immediately with a remote procedure call (RPC) error message. This is an example of the error message:

ASA2/ClusterDisabled(config)# cluster group TEST-Group
ASA2/ClusterDisabled(cfg-cluster)# enable as-slave
INFO: This unit will be enabled as a cluster slave without sanity check and confirmation.
ASA2/ClusterDisabled(cfg-cluster)# cluster_ccp_make_rpc_call failed to clnt_call. msg is
CCP_MSG_REGISTER, ret is RPC_SYSTEMERROR
Cluster disable is performing cleanup..done.
All data interfaces have been shutdown due to clustering being disabled. To recover either
enable clustering or remove cluster group configuration.

One possible reason for this error is an SSL cipher suite mismatch between the master and the slave ASAs. Clustering requires that there be at least one matching SSL cipher suite between the master and the slave unit to be added to the cluster. Refer to this requirement in the Cisco ASA Series CLI Configuration Guide, 9.0:

New cluster members must use the same SSL encryption setting (the ssl encryption command) as 
the master unit.

In the mismatch scenario, this syslog message is logged:

%ASA-7-725014: SSL lib error. Function: SSL23_GET_SERVER_HELLO Reason: sslv3 alert 
handshake failure

An example of a mismatch is this encryption on the master ASA:

ASA1/master# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

and this encryption on the slave ASA to be added to the cluster:

ASA2/ClusterDisabled# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption des-sha1

This mismatch commonly occurs when a strong encryption (3DES/AES) license has not been installed on the slave ASA. The list of cipher suites on the slave ASA defaults to des-sha1 and is not updated when the 3DES/AES license is added to the slave ASA.

There are two solutions for this mismatch.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Solution 1

On the master ASA, add des-sha1 as a valid SSL cipher suite:

ASA1/master# configure terminal
ASA1/master(config)# ssl encryption des-sha1

Note: Cisco does not recommend that you enable des-sha1 because it is a weak cipher and is considered vulnerable.

Solution 2

On the slave ASA, add at least one of these SSL cipher suites: rc4-sha1, aes128-sha1, aes256-sha1, or 3des-sha1:

ASA2/ClusterDisabled# configure terminal
ASA2/ClusterDisabled(config)# ssl encryption rc4-sha1
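
The following script is an added example, not part of this article or of Cisco's own tooling. It parses the `show run all ssl` output of the master and the slave (the two outputs above, embedded as constructed strings), performs the same "at least one common cipher suite" comparison that clustering requires, and when there is no overlap prints the Solution 2 command for the slave. The preference order used to pick the suite (AES before 3DES before RC4, never des-sha1) is this example's own assumption; the article only states that des-sha1 is weak.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "show run all ssl" output of each unit, as
# shown in the article. Prompt lines are omitted; only config lines are parsed.
MASTER_SSL = """\
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

SLAVE_SSL = """\
ssl server-version any
ssl client-version any
ssl encryption des-sha1
"""

# Assumed preference order for choosing which suite to add on the slave
# (Solution 2). The article only says des-sha1 is weak; ranking the others
# AES > 3DES > RC4 is this example's own choice, not Cisco guidance.
PREFERENCE = ["aes256-sha1", "aes128-sha1", "3des-sha1", "rc4-sha1"]
WEAK = {"des-sha1"}

SSL_ENCRYPTION_RE = re.compile(r"^\s*ssl encryption\s+(\S.*?)\s*$")


def parse_ssl_encryption(show_run_all_ssl):
    """Return the suites on the 'ssl encryption ...' line, in configured order.

    An empty list means the line was not found, which callers must treat as
    'unknown' rather than 'no suites configured'.
    """
    for line in show_run_all_ssl.splitlines():
        m = SSL_ENCRYPTION_RE.match(line)
        if m:
            return m.group(1).split()
    return []


@dataclass
class ClusterSslCheck:
    master: list
    slave: list
    common: list = field(default_factory=list)
    # Suite to configure on the slave (Solution 2); None when nothing usable.
    slave_suite: str = None

    @property
    def ok(self):
        # Clustering needs at least one suite present on both units.
        return bool(self.common)

    def slave_fix_command(self):
        """CLI line for Solution 2, or None when the check already passes."""
        if self.ok or self.slave_suite is None:
            return None
        return "ssl encryption " + self.slave_suite


def check_cluster_ssl(master_out, slave_out):
    """Compare the two units' suite lists the way the cluster join needs them."""
    master = parse_ssl_encryption(master_out)
    slave = parse_ssl_encryption(slave_out)
    if not master or not slave:
        raise ValueError("no 'ssl encryption' line found in one of the outputs")
    slave_set = set(slave)
    common = [s for s in master if s in slave_set]  # keeps the master's order
    # Solution 2: prefer a non-weak suite the master already offers, so the
    # master's configuration does not need to be weakened (Solution 1).
    candidates = [s for s in PREFERENCE if s in master and s not in WEAK]
    return ClusterSslCheck(master, slave, common,
                           candidates[0] if candidates else None)


if __name__ == "__main__":
    result = check_cluster_ssl(MASTER_SSL, SLAVE_SSL)
    if result.ok:
        print("OK: common suites:", result.common)
    else:
        print("MISMATCH: master", result.master, "slave", result.slave)
        print("Solution 2, on the slave:", result.slave_fix_command())
```

With the article's two outputs the check reports a mismatch and proposes `ssl encryption aes256-sha1` for the slave; after that change (or any of the suites listed in Solution 2) the same check passes, which is the state the `enable as-slave` command needs before the RPC registration can succeed.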

Related Information
