6-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 ASA and Cisco TrustSec
About Cisco TrustSec
connection-specific reconciliation timer starts in the background. When this reconciliation timer
expires, it scans the entire SXP mapping database and identifies all mapping entries that have not
been learned in the current connection session (that is, mapping entries with an unmatched
connection instantiation identifier), and marks them for deletion. These entries are deleted in the
subsequent reconciliation review. The default reconciliation timer value is 120 seconds. A zero
value is not allowed on the ASA to prevent obsolete entries from staying for an unspecified length
of time and causing unexpected results in policy enforcement.
• HA Reconciliation Timer—When HA is enabled, the SXP mapping databases of the active and standby units are kept in sync. The new active unit tries to establish new SXP connections to all its peers and acquires the latest mapping entries. An HA reconciliation timer provides a way of identifying and removing old mapping entries. It starts after a failover occurs, which gives the ASA time to acquire the latest mapping entries. After the HA reconciliation timer expires, the ASA scans the entire SXP mapping database and identifies all the mapping entries that have not been learned in the current connection session. Mapping entries with unmatched instantiation identifiers are marked for deletion. This reconciliation mechanism is the same as that of the reconciliation timer. The time value is the same as the reconciliation timer and is configurable.
After an SXP peer terminates its SXP connection, the ASA starts a delete hold-down timer. Only
SXP peers designated as Listeners can terminate a connection. If an SXP peer connects while the
delete hold-down timer is running, the ASA starts the reconciliation timer; then the ASA updates
the IP-SGT mapping database to learn the most recent mapping.
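The reconciliation logic above (entries tagged with a connection instantiation identifier, unmatched entries marked on one review and deleted on the next, the same scan reused after an HA failover, and a reconnect during the delete hold-down restarting the reconciliation timer) is easier to follow as a small state model. The following Python is an added illustration, not Cisco code and not how the ASA is implemented internally; the peer names, IP addresses and SGT values are constructed sample data, and the timers are driven by explicit method calls instead of wall-clock time.

```python
# Added example (not Cisco code): a toy model of the SXP mapping database
# and the reconciliation-timer behaviour described in the guide.
# Peer names, IPs and SGT values are constructed sample data.
from dataclasses import dataclass
import itertools


@dataclass
class Mapping:
    ip: str
    sgt: int
    peer: str
    conn_id: int           # connection instantiation id the entry was learned under
    marked: bool = False   # set by one reconciliation review, deleted on the next


class SxpMappingDb:
    """IP-SGT mappings learned from SXP peers, keyed by (peer, ip)."""

    def __init__(self, reconcile_timer=120):
        # Default is 120 s; a zero value is rejected so stale entries cannot linger.
        if reconcile_timer <= 0:
            raise ValueError("reconciliation timer must be > 0 on the ASA")
        self.reconcile_timer = reconcile_timer
        self.entries = {}               # (peer, ip) -> Mapping
        self.current_conn = {}          # peer -> current connection instantiation id
        self.hold_down = set()          # peers whose delete hold-down timer is running
        self.reconcile_pending = set()  # peers whose reconciliation timer is running
        self._ids = itertools.count(1)

    def connect(self, peer):
        """New SXP connection: allocate a fresh instantiation id for this peer."""
        self.current_conn[peer] = next(self._ids)
        if peer in self.hold_down:
            # Peer reconnected while the delete hold-down timer was running:
            # the ASA starts the reconciliation timer instead of dropping entries.
            self.hold_down.discard(peer)
            self.reconcile_pending.add(peer)
        return self.current_conn[peer]

    def learn(self, peer, ip, sgt):
        """Record (or refresh) a mapping under the peer's current connection."""
        self.entries[(peer, ip)] = Mapping(ip, sgt, peer, self.current_conn[peer])

    def peer_disconnected(self, peer):
        """A Listener peer tore down the connection: start the delete hold-down timer."""
        self.hold_down.add(peer)

    def reconcile(self, peer):
        """One reconciliation review for a peer, run when its timer expires.

        Entries marked by the previous review are deleted; entries whose
        instantiation id does not match the current connection are marked.
        Returns (marked, deleted) counts.
        """
        self.reconcile_pending.discard(peer)
        marked = deleted = 0
        for key, m in list(self.entries.items()):
            if m.peer != peer:
                continue
            if m.marked:
                del self.entries[key]
                deleted += 1
            elif m.conn_id != self.current_conn[peer]:
                m.marked = True
                marked += 1
        return marked, deleted

    def failover(self):
        """HA: the new active unit reconnects to every peer and later runs the
        same reconciliation review once the HA reconciliation timer expires."""
        for peer in list(self.current_conn):
            self.connect(peer)
            self.reconcile_pending.add(peer)

    def sgt_for(self, ip):
        """Lookup as policy enforcement would do it: SGT for ip, or None."""
        for m in self.entries.values():
            if m.ip == ip:
                return m.sgt
        return None


def demo():
    """Peer reconnects during hold-down and re-advertises only one of two mappings."""
    db = SxpMappingDb()
    db.connect("switch-a")
    db.learn("switch-a", "10.1.1.10", 5)   # constructed sample mappings
    db.learn("switch-a", "10.1.1.11", 7)
    db.peer_disconnected("switch-a")
    db.connect("switch-a")                  # reconnect while hold-down is running
    db.learn("switch-a", "10.1.1.10", 5)   # 10.1.1.11 is not learned again
    first = db.reconcile("switch-a")        # stale 10.1.1.11 entry is marked
    second = db.reconcile("switch-a")       # ... and deleted on the next review
    return first, second, db.sgt_for("10.1.1.10"), db.sgt_for("10.1.1.11")


if __name__ == "__main__":
    print(demo())
```

The two-step mark-then-delete matches the text: a review never deletes on first sight, which gives a slow peer one full timer interval to re-advertise a mapping before it disappears from the enforcement lookup.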
IP-SGT Manager Database
The IP-SGT Manager database does not synchronize any entries from the active unit to the standby unit.
Each source from which the IP-SGT Manager database receives IP-SGT mapping entries synchronizes
its database from the active unit to the standby unit, then provides the final IP-SGT mapping to the
IP-SGT Manager on the standby unit.
For Version 9.0(1), the IP-SGT Manager database receives IP-SGT mapping updates from the SXP
source only.
Features of the ASA-Cisco TrustSec Integration
Cisco TrustSec provides the following capabilities:
Flexibility
• The ASA can be configured as an SXP Speaker or Listener, or both.
• The ASA supports SXP for IPv6 and IPv6-capable network devices.
• SXP can change mapping entries for IPv4 and IPv6 addresses.
• SXP endpoints support IPv4 and IPv6 addresses.
• The ASA supports SXP Version 2 only.
• The ASA negotiates SXP versions with different SXP-capable network devices. SXP version negotiation eliminates the need for static configuration of versions.
• You can configure the ASA to refresh the security group table when the SXP reconcile timer expires, and you can download the security group table on demand. When the security group table on the ASA is updated from the ISE, changes are reflected in the appropriate security policies.