Active/Active ASA in GNS3?????

Similar Messages

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• How to do nat at active/active asa

  Hi i want to learn how to do nat(PAT) at active/active asa. i must be write nat command each context or other way which i do not know?
  thanks

  Hi Teymur,
  Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
  In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
  Hope that helps.
  -Mike

• Cisco ASA Active/ Active

  Hi,
  Can we have ASA in  Active/ Active in single context mode.
  If Active/ Active is  possible in single context mode, then in best practices, Active/Active is  prefered or Active Standby.
  Thanks

  Hi,
  ASA Active/Active setup can be done only with multiple context mode, you cannot use it in a single mode.
  In a single mode only you can have Active/Standby failover.
  Also, please move the question to the Firewall section for more discussions.
  Thanks.

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

• ASA active/active failover back to back

  Hi,
        for HA  I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
  The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
  Is this possible and what would you need to do it  ie a switch or two in between ?
  I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
  Would you put 2 switches trunked together carrying two vlans, one for each context ?
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
                 |  |                                |  |
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
  Thanks in advance.

  Your latest attachment is pretty close to what I was thinking.
  I would add a second interface on each ASA to the switches.
  So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
  An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
  You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

• Asa active/active questions

  if i have asa's configured as active/active;
  1. Is this situation treated as one? I mean can i manage this only with IDM?
  2. The 5520 can have 130,000 connections. If i am using 2 of this which is config active/active, can i say that am having 130,000X2=260,000 connections?
  thanks.

  1. In ASA, Active/Active can only be acrhived when both ASA is in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewall. You can refer to following configuration example.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
  In your case, you need to create 2 context in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B. While in ASA-2, it should be standby in Context-A and active for Context-B. You should be have seperate set of configuration for each Context.
  To manage the configuration, you can use ASDM.
  2. I am sorry, I don't know that

• ASA Active/Active Configuration

  Dear All,
  In configuring Active/Active mode of ASA, most examples are stating using
  2 customers for Active/Active. If I only get 1 customer with 4 interfaces as
  following:
  1) Outside
  2) Inside
  3) DMZ
  4) VPN
  Can I still use the Active/Active mode?
  If so, then how to allocate the interfaces to the 2 failover groups? Let
  assume:
  Failover group 1: Outside and DMZ
  Failover group 2: VPN and Inside
  That means ASA_A is primary of Group1, while ASA_B is primary of Group2. If
  so, is the traffic between Outside and Inside has problem? Since they are
  crossing the 2 failover group on the 2 ASA.
  Please correct me and my assumption. A sample configuration would be much appreciate.
  Thanks in advance.
  Br,
  Sam

  Thank you for the reply Jennifer.
  I was reffering to the following document:
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
  Failure Event
  Policy
  Active Action
  Standby Action
  Notes
  Failover link failed during operation
  No failover
  Mark failover interface as failed
  Mark failover interface as failed
  You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  Stateful Failover link failed
  No failover
  No action
  No action
  State information becomes out of date, and sessions are terminated if a failover occurs.
  I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?
  How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
  Sorry I didn't accurately phrase my original post.
  Thank you

• Can two ASA build up a loadbalance such as active/active mode ?

  Hi, Professionals
  I am wondering if two ASA be able to build up a loadbalance such as active/active mode, balance the traffic, ?
  thanks in advance,
  Yang

  Yes, running the ASA's in active/active is so you can load balance traffic. Here's a link with more information.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps.

• ASA active active design

  Hi
  I configurate ASA's in active active mode. I create 10 context's in Primary ASA. 5 context are in group1 in ASA1 and 5 conetexts are in group2 in ASA2.
  The problem assign ip address to outside interface of context's.
  I use int gi0/0 and gi0/1 for outside interfaces. 5 contexts are in gi0/0 and 5 contexts are in gi0/1 interface.
  gi0/2-gi0/6 for inside interface.
  I create subinterface in inside interfaces and assign different vlan. In different conetext give different subnet. That is ok.
  The issue is:
  i want to use the same subnet but differen ip for outside interface of context's. is it possible?  I configurate eigrp protocol in Context's.
  Thanks.

  Dears
  i find the documentation
  http://www9.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul
  But this is version 7.x
  Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode
  Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.
  The error is shown here for your reference: ERROR: This address conflicts with another address on net.
  Here is wroten that same ip address but i want to configurate same subnet but different ip address. is it possible?
  i use 9.1 version in ASA's

• Radius auth to standby ASA in Active Active Failover

  Hi Everyone,
  When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
  But when ASA is in multi context mode  Active/Active failover i can not do Radius Auth to standby ASA?
  Is this default behaviour?
  Regards
  MAhesh

  I would not have thought this is the default behavior...but then again, I have never tested this.  If you console into the standby context issue the command show run | in aaa.  Which authentication database is indicated?
  Please remember to select a correct answer and rate helpful posts

• ASA Expert Wanted | Active Active Failover Requirment

  Hello Everyone,
  We have two new ASA5515-X and im currently in planning phase of its deployment. Not sure if ASA can support these requirments
  Here’s what we need to have in place
  A. During normal operation, wherein both ASAs and ISPs are operational.
  1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA1's interface g1
  3. All incoming ISP2 traffic will be handled by ASA2's interface g2
  B. ASA1 failure, ASA2 and both ISPs are operational
  1. By default all traffic will be routed out through ASA2's intergace g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA2's interface g1
  3. All incoming ISP2 traffic will be handled by ASA2's interface g2
  C. ASA2 failure, ASA1 and both ISPs are operational
  1. By default all traffic will be routed out through ASA1's intergace g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA1's interface g1
  3. All incoming ISP2 traffic will be handled by ASA1's interface g2
  D. ISP1 failure, both ASAs and ISP2 are operational
  1. All traffic will be handled by ASA2's interface g2 (backup)
  E. ISP2 failure, both ASAs and ISP1 are operational
  1. All traffic will be handled by ASA1's interface g1 (outside)
  F. Item D + ASA2 failure
  1. All traffic will be handled by ASA1's interface g2 (backup)
  G. Item E + ASA1 failure
  1. All traffic will be handled by ASA2's interface g1 (outside)
  Note:
  InterfaceG1 is nameif'ed outside and is connected to ISP1
  InterfaceG2 is nameif'ed backup and is connected to ISP2
  Also, as a follow up, per my initial findings I need to enable multiple context to achieve what us required. But we also need a VPN redundancy and failover. But I red somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already supports VPN in multi context mode? If not, what approach would you suggest to address these requirement?
  Here's daigram of what im thinking
  Your inputs is highly appreciated
  Thanks everyone !

  One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
  the ASA9 supports VPN in A/A, but only site-to-site, no remote access.
  Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
  Sent from Cisco Technical Support iPad App

• ASA CX / PRSM Active/Active Failover?

  Hi everyone.
  I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
  I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
  On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
  On the other hand, this forum discussion says that they are using Active/Active with CX.
  So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one.  I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
  Any advice on this? Guides maybe?
  Thanks in advance.

  Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
  Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
  The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

• ASA 8.4 transparent mode active/active questions

  Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
  1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
  2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
  3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
  Thanks for your replies

  Hello,
  1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
  You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
  2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
  You can configure up to 8 bridge groups per context to achieve this.
  3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
  Active/Active failover is only possible in multiple context mode.
  Hope that helps.
  -Mike