Symptom
ASA/FTD Cluster Split Brain caused by NAT using "any" and Global IP/range matching broadcast IPv4 address used for cluster election process.
In this condition, the broadcast packets transmitted by other nodes while trying to join the cluster are diverted to the data interface specified on the ingress domain of the NAT statement, instead of being punted to the CP and processed by the Cluster feature. This results in a split brain and the removal of the joining node(s).
Example of configuration:
When tracing incoming broadcast packets on the current CONTROL node, the following is seen:
firepower# show cap capccl trace packet-number 130

130: 18:30:05.485433 127.2.1.1.49495 > 255.255.255.255.49495: udp 1218

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 5124 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 5124 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 6832 ns
Config:
object network NAT-Real
 nat (inside,any) static Inside-host net-to-net dns
Additional Information:
NAT divert to egress interface inside
Untranslate 255.255.255.255/49495 to 192.168.1.1/49495

Result:
input-interface: cluster
input-status: up
input-line-status: up
output-interface: inside
output-status: down
output-line-status: down
Action: drop
Time Taken: 17080 ns
Conditions
- FTD/ASA in cluster setup
- NAT statements using "any" and a Global IP that matches or covers broadcast IPv4 255.255.255.255
Workaround
- Replace "any" in the affected NAT statement(s) with explicit interfaces
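As an added example (not part of the original notice), the following Python check reads an ASA/FTD running-config excerpt, resolves object network definitions, and flags NAT statements that match the two conditions above: an interface domain of "any" and a mapped (global) address that is, or covers, 255.255.255.255. The config text is constructed, and the object and interface names in it are assumptions; the same function returns nothing once "any" is replaced by explicit interfaces, which is the workaround.

```python
import ipaddress
import re
# Constructed ASA/FTD running-config excerpt (sample data, not taken from the page).
SAMPLE_CONFIG = """\
object network Inside-host
 range 192.168.1.1 255.255.255.255
object network NAT-Real
 host 192.168.1.1
 nat (inside,any) static Inside-host net-to-net dns
object network Any-Mapped
 subnet 0.0.0.0 0.0.0.0
nat (dmz,any) source static Srv-Real Any-Mapped
"""
BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# Object NAT: "nat (r,m) static <mapped> ..."; twice NAT: "nat (r,m) source static <real> <mapped> ..."
NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) (source )?(?:static|dynamic) (\S+)(?: (\S+))?")
def parse_objects(cfg):
    """Map each object network name to the (first, last) IPv4 address it covers."""
    objects, current = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["object", "network"]:
            current = t[2]
        elif current and t and t[0] == "subnet":
            net = ipaddress.IPv4Network(f"{t[1]}/{t[2]}", strict=False)
            objects[current] = (net.network_address, net.broadcast_address)
        elif current and t and t[0] in ("host", "range"):  # host a -> (a, a); range a b -> (a, b)
            addrs = [ipaddress.IPv4Address(a) for a in t[1:3]]
            objects[current] = (addrs[0], addrs[-1])
    return objects

def covers_broadcast(mapped, objects):
    """True if the mapped object or literal address includes 255.255.255.255."""
    if mapped in objects:
        return objects[mapped][0] <= BROADCAST <= objects[mapped][1]
    try:
        return ipaddress.IPv4Address(mapped) == BROADCAST
    except ValueError:  # keyword such as "interface", or an unknown object name
        return False

def find_risky_nat(cfg):
    """Return NAT statements that use 'any' and whose mapped address covers the broadcast IP."""
    objects, hits = parse_objects(cfg), []
    for line in cfg.splitlines():
        m = NAT_RE.search(line)
        if m and "any" in (m.group(1), m.group(2)):
            mapped = m.group(5) if m.group(3) else m.group(4)  # twice NAT vs object NAT
            if covers_broadcast(mapped, objects):
                hits.append(line.strip())
    return hits
```

Feed it the output of "show running-config" to list the statements that need explicit interfaces; statements whose mapped address cannot reach 255.255.255.255 are not reported even when they use "any".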