ASA 5520 with multiple contexts becomes unresponsive

Hi all. We have encountered a peculiar problem with a pair of our ASA 5520 firewalls with 2 contexts (each context being active on a different ASA). What we are seeing is that sometimes, when we have a sudden increase of inbound traffic (mostly HTTP) towards servers behind the firewalls, they seem to go bananas, for lack of a better expression.
They become inaccessible via SSH and the traffic drops significantly. The problem is mitigated by disabling one of the monitored interfaces for failover (on one of the switches the firewall is connected to) so that both contexts become active on one firewall. After that the firewalls seem to come to their senses and we can enable the switch interface again, but sometimes one of the pair needs to be rebooted to restore full functionality.
To us it seems like there is a problem with failover and contexts, but we haven't been able to pin it down. The failover link isn't stateful, and when we tested failover it worked fine both ways, with each ASA taking up the full load when the other ASA of the pair was not available.
Did anyone come across a similar situation with their firewalls?

We are using ASA version 8.2(5).
The configuration of the failover is:
failover
failover lan unit primary
failover lan interface fail_int GigabitEthernet0/3
failover interface ip fail_int x.x.x.x 255.255.255.252 standby x.x.x.x
failover group 1
  preempt
failover group 2
  secondary
  preempt
Output of the "show failover":
  This host:    Primary
  Group 1       State:          Active
                Active time:    399409 (sec)
  Group 2       State:          Standby Ready
                Active time:    111 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                slot 1: empty
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    398992 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
                slot 1: empty
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
When I disabled the monitored interface it was always the same interface, although I believe the same effect could be achieved by disabling any of the monitored interfaces.
As for memory and CPU when it happens, I cannot access the units to get a reading, but I assume it's through the roof.
The thing that troubles me more is that the situation persists when the load drops and I have to perform the solution from the first post. One would assume that with the drop of the load both firewalls would start to behave normally.
And I see that I haven't mentioned it before, but when the load drops both units continue to handle traffic normally; I sometimes see as a side effect that I cannot SSH to one of the units. That unit usually has to be restarted.
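
As an added example (not from the original post or from Cisco), a Python parser for the two "show failover" layouts on this page: the system-view output quoted above and the per-context output in the "Transparent firewall with failover with multiple contexts" thread further down. It reports interfaces stuck in Normal (Waiting), where the unit has not yet received a failover hello from its peer on that interface, and any failover group that is Active on both units or on neither, which is what a monitoring check for the kind of outage described above would alert on. The two samples are the masked output from the page, trimmed to the lines the parser uses; the split-brain variant is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample 1: the system-view "show failover" output from the post (trimmed).
SAMPLE_SYSTEM = """\
  This host:    Primary
  Group 1       State:          Active
  Group 2       State:          Standby Ready
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
  Other host:   Secondary
  Group 1       State:          Standby Ready
  Group 2       State:          Active
                slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  admin Interface out (x.x.x.x): Normal (Waiting)
                  admin Interface inside (x.x.x.x): Normal (Waiting)
                  admin Interface dmz4 (x.x.x.x): Normal
                  admin Interface dmz1(x.x.x.x): Normal (Not-Monitored)
                  C1 Interface out (x.x.x.x): Normal (Waiting)
                  C1 Interface inside (x.x.x.x): Normal (Waiting)
                  C1 Interface dmz5 (x.x.x.x): Normal
                  C1 Interface dmz1 (x.x.x.x): Normal (Not-Monitored)
"""

# Constructed sample 2: the per-context output from the transparent-firewall thread.
SAMPLE_CONTEXT = """\
Failover On
Last Failover at: 11:54:39 GMT/IST Feb 23 2012
        This context: Standby Ready
                  Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                  Interface ctxb-outside (x.x.x.165): Normal (Monitored)
        Peer context: Active
                  Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                  Interface ctxb-outside (x.x.x.164): Normal (Waiting)
"""

# Constructed variant: Group 1 reported Active on both units (split brain).
SAMPLE_SPLIT_BRAIN = re.sub(r"Group 1(\s+State:\s+)Standby Ready",
                            r"Group 1\g<1>Active", SAMPLE_SYSTEM, count=1)

HOST_RE = re.compile(r"^\s*(This host|Other host|This context|Peer context):\s*(.*?)\s*$")
GROUP_RE = re.compile(r"^\s*(Group \d+)\s+State:\s*(.*?)\s*$")
IFACE_RE = re.compile(
    r"^\s*(?:(?P<ctx>\S+)\s+)?Interface\s+(?P<name>\S+?)\s*\((?P<ip>[^)]*)\):\s*"
    r"(?P<status>\S+)(?:\s*\((?P<detail>[^)]+)\))?\s*$")

@dataclass
class Interface:
    host: str      # which side reported it: "This host", "Peer context", ...
    context: str   # context name in the system view, "" in a per-context view
    name: str
    ip: str
    status: str    # link status, e.g. "Normal"
    detail: str    # "Waiting", "Monitored", "Not-Monitored" or "" when absent

@dataclass
class FailoverView:
    roles: Dict[str, str] = field(default_factory=dict)              # host -> Primary/Secondary
    states: Dict[str, Dict[str, str]] = field(default_factory=dict)  # host -> {group -> state}
    interfaces: List[Interface] = field(default_factory=list)

def parse_show_failover(text: str) -> FailoverView:
    view, host = FailoverView(), None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            if host.endswith("context"):
                view.states[host] = {"": m.group(2)}   # per-context view: no groups
            else:
                view.roles[host] = m.group(2)
                view.states.setdefault(host, {})
            continue
        if host is None:
            continue
        m = GROUP_RE.match(line)
        if m:
            view.states[host][m.group(1)] = m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            view.interfaces.append(Interface(host, m.group("ctx") or "", m.group("name"),
                                             m.group("ip"), m.group("status"), m.group("detail") or ""))
    return view

def waiting_interfaces(view: FailoverView) -> List[Tuple[str, str, str]]:
    """Interfaces on which the unit has not received a failover hello from its peer."""
    return [(i.host, i.context, i.name) for i in view.interfaces if i.detail == "Waiting"]

def group_owners(view: FailoverView) -> Dict[str, List[str]]:
    """For each failover group ("" in a per-context view), the hosts reporting it Active."""
    owners: Dict[str, List[str]] = {}
    for host, groups in view.states.items():
        for group, state in groups.items():
            owners.setdefault(group, [])
            if state == "Active":
                owners[group].append(host)
    return owners

def findings(view: FailoverView) -> List[str]:
    """Alert-worthy conditions: a group Active on zero or two units, and Waiting interfaces."""
    out = [f"{g or 'context'} is Active on {len(h)} units: {h}"
           for g, h in sorted(group_owners(view).items()) if len(h) != 1]
    for host, ctx, name in waiting_interfaces(view):
        label = f"{ctx}/{name}" if ctx else name
        out.append(f"{host}: {label} is Normal (Waiting), no hello received from the peer on it")
    return out

if __name__ == "__main__":
    for text in (SAMPLE_SYSTEM, SAMPLE_CONTEXT, SAMPLE_SPLIT_BRAIN):
        print("\n".join(findings(parse_show_failover(text))) or "no findings", "\n--")
```

Feed it the output of "show failover" from the system execution space (or from inside a context) on a schedule; a group showing up under two owners, or a monitored interface that stays in Waiting after the hello interval, is the condition to page on rather than waiting for SSH to stop answering.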

Similar Messages

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between multiple contexts could be OK?
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Problem with Failover FWSM (With Multiple Context)

    Dear All,
    I have 2 Catalyst 6500 with FWSM modules; the Catalyst and FWSM are redundant. The FWSM is in multiple context mode.
    I had done it with the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with an FWSM context it is always an error.
    I add this context in the active context.
    This is the error message when I try to add the FWSM on MARS.
    The first one;
    expect: spawn id exp3 not open
    while executing
    "expect -nobrace {<--- More --->} {
    send_user "\n"
    send -- " "
    exp_continue
    } {assword: } {
    s..."
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    the second:
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    and sometime:
    spawn ssh -c 3des -l siem-mars 10.x.x.x
    Connection timed out
    For Information :
    The FWSM Firewall Version 4.0(6)
    and,
    CSMAERS-200
    Product Version               :    6.0.6 ( 3368 )
    Data Package Version     :     35
    IPS Signature Version     :     454
    IPS Custom Signature Version     :     0
    Anyone can help me please...
    Thanks b4,
    Best Regards,
    Naga

    Hi Teck Yong Ng,
    I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
    In your case the second system database might also have the same port number which you have for the first system.that is why i think you are facing this issue.
    Try to look at the port numbers.
    Regards,
    Bharath Kumar.K
    Message was edited by:
            Bharath Kumar K

  • Botnet Filter with multiple Context Mode

    We used the Botnet Filter in single context mode for a long time. Now we converted to multiple context mode and the database is no longer updated. In the system context I can see the update settings, but when I try to update the result is always "no DNS server". Since the system context has no interfaces there are no DNS settings etc.
    How should the Botnet Filter be configured in multiple context mode?
    Thanks for any response in advance.

    sh run | grep dns
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    policy-map type inspect dns preset_dns_map
    inspect dns preset_dns_map
    ping update-manifests.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
    ping updates.ironport.com
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
    ASA Version 8.4(2)
    hostname DE-VM-TER-FW-02
    enable password 8Ry2Yj8765U24 encrypted
    passwd 2KFQnb6IdI.2KY75 encrypted
    names
    interface GigabitEthernet0/0.3207
    nameif TR_v207
    security-level 50
    ip address 10.28.6.60 255.255.255.248
    interface GigabitEthernet0/0.3208
    nameif TR_v208
    security-level 70
    ip address 10.28.6.68 255.255.255.248
    interface GigabitEthernet0/0.3209
    nameif TR_v209
    security-level 80
    ip address 10.28.6.76 255.255.255.248
    interface GigabitEthernet0/0.3210
    nameif TR_v210
    security-level 90
    ip address 10.28.6.84 255.255.255.248
    interface GigabitEthernet0/1
    nameif COLT
    security-level 0
    ip address 217.111.58.46 255.255.255.240
    interface GigabitEthernet0/3
    nameif T-COM
    security-level 0
    ip address 194.25.250.94 255.255.255.240
    dns domain-lookup T-COM
    dns domain-lookup COLT
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network COLT_dynamic_NAT
    subnet 0.0.0.0 0.0.0.0
    object network T-COM_dynamiy_NAT
    subnet 0.0.0.0 0.0.0.0
    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.0.0.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    access-list COLT_access_in extended deny ip any any
    access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
    access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
    access-list T-COM_access_in extended deny ip any any
    access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list TR_3208_access_in extended permit ip any any
    access-list TR_3208_access_in extended permit icmp any any
    access-list TR_v207_access_in extended deny ip any any
    access-list TR_v210_access_in extended deny ip any any
    access-list TR_v209_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu TR_v208 1500
    mtu T-COM 1500
    mtu COLT 1500
    mtu TR_v207 1500
    mtu TR_v210 1500
    mtu TR_v209 1500
    ip verify reverse-path interface T-COM
    ip verify reverse-path interface COLT
    ipv6 access-list TR_v207_access_ipv6_in deny ip any any
    ipv6 access-list TR_v208_access_ipv6_in deny ip any any
    ipv6 access-list TR_v209_access_ipv6_in deny ip any any
    ipv6 access-list TR_v210_access_ipv6_in deny ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network COLT_dynamic_NAT
    nat (any,COLT) dynamic interface
    object network T-COM_dynamiy_NAT
    nat (any,T-COM) dynamic interface
    access-group TR_3208_access_in in interface TR_v208
    access-group TR_v208_access_ipv6_in in interface TR_v208
    access-group T-COM_access_in in interface T-COM
    access-group COLT_access_in in interface COLT
    access-group TR_v207_access_in in interface TR_v207
    access-group TR_v207_access_ipv6_in in interface TR_v207
    access-group TR_v210_access_in in interface TR_v210
    access-group TR_v210_access_ipv6_in in interface TR_v210
    access-group TR_v209_access_in in interface TR_v209
    access-group TR_v209_access_ipv6_in in interface TR_v209
    route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
    route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
    route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    telnet timeout 5
    ssh timeout 5
    no threat-detection statistics tcp-intercept
    dynamic-filter use-database
    dynamic-filter enable interface T-COM
    dynamic-filter enable interface COLT
    dynamic-filter drop blacklist interface T-COM
    dynamic-filter drop blacklist interface COLT
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map dynamic-filter-snoop
    service-policy global_policy global
    Cryptochecksum:7bbe975fb39e189e99d8878787a0037
    : end
    System Context
    dynamic-filter updater-client enable
    Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured

  • ACE with multiple context

    hi,
    I've 4 virtual contexts in my ACE configuration. Is it possible to use the same real server in multiple contexts? 2 contexts are configured in one-arm mode
    and 2 in bridge mode.
    tks all
    Aghibear

    You could use one context as the default path - selecting this context as the default gateway.
    Then the other context uses client nat to guarantee that the response comes back.
    I don't know if there is a specific example for what you want to do.
    You can check sample configs from :
    http://docwiki.cisco.com/wiki/Main_Page
    G.

  • Problem with Multiple Context Creation

    Hi,
    We are facing a java.lang.SecurityException Invalid Subject
    We need to create multiple Initial Contexts for a single thread.
    Following is the Scenario
    1) The user will access Servlet/Struts Action class which performs database call and EJB(one, two) calls with different Initial Contexts ( Credentials are different)
    2) At the same time the Timer Task runs in back ground which is invoked from servlet load-on-startup and runs for every 1 min.
    3) The Timer Task invoke an MDB this MBD will make an external EJB (three) call for business logic.
    Please suggest whether the sequence of steps I am expecting is correct or not:
    1) The Timer Task will run in the same JVM where the Servlet/Action classes are loaded (WEB-CONTAINER)
    2) The Thread created for Servlet/Action class will not be shared by Timer Task.
    3) The Thread created for Timer Task and the MDB are different.
    4) So the Servlet - Thread, Timer Task Thread and MDB Thread are different.
    The Behavior of the Context is as follows according to Bea Document.
    [http://e-docs.bea.com/wls/docs81/jndi/jndi.html#476864]
    JNDI Contexts and Threads
    How to Avoid Potential JNDI Context Problems (Please Refer this Paragraph)
    I am closing all the Contexts immediately after lookup.
    Still we are facing this java.lang.SecurityException Invalid Subject Exception Problem
    The Context of EJB which we are calling from MDB is sharing the Servlet/Action Class Context -- Credentials
    Example:
    Servlet/Action Class Context Credentials -- are user1/pass1
    EJB (three) Context Credentials -- are user3/pass3
    When the EJB (three) lookup is invoked it's throwing the following Exception:
    java.lang.SecurityException: [Security: 090398] Invalid Subject: user1
    Please advise to solve this problem
    Thank You.

    Solved By myself
    There is a problem while passing data to the internal table for item level.

  • Table View with Multiple Context Nodes

    I want to create a table-view consisting of an object composition, e.g. multiple business objects. The chtml:configCellerator -tag supports just one context node which corresponds to just one business object.
    How do you create a table composed by different objects, i.e. BTAdminH and BTAdminI ?
    Edited by: romanglass on May 18, 2010 4:07 PM

    Hi,
    I would suggest to create a new component and not to disturb the standard ones. Because the super class of the header context node (BTAdminH in your case) must be inherited from CL_BSP_WD_CONTEXT_NODE_DTV - Deep table view.
    The dependent nodes must be passed to return parameter rt_result of method GET_SUB_CNODE_DEFINITIONS.
    This can't be done via the wizard. I just tried to replicate your scenario. Below are the steps:
    1. create a view with context node BTADMINH as tableview. Then change the super class of the context node to   CL_BSP_WD_CONTEXT_NODE_DTV.
    2. Add another context node BTADMINI and mark it as dependent to BTADMINH.
    3. Now change the super class of context node BTADMINI to CL_BSP_WD_CONTEXT_NODE_TV  (Table View).
    4. Redefine method GET_SUB_CNODE_DEFINITIONS in context node BTADMINH.
    In the view layout you should use the cellerator and pass an iterator with interface IF_THTMLB_CELLERATOR_ITERATOR. The interface has a method RENDER_DEPENDANT_OBJECTS which returns the table of dependent objects.
    Regards,
    Arun
    Edited by: Arun Kumar on May 19, 2010 1:01 PM

  • Transparent firewall with failover with multiple contexts

    I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the IP addresses on the interfaces in the "sh failover" below.
    Failover On
    Last Failover at: 11:54:39 GMT/IST Feb 23 2012
            This context: Standby Ready
                    Active time: 175394 (sec)
                      Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                      Interface ctxb-outside (x.x.x.165): Normal (Monitored)
            Peer context: Active
                    Active time: 11390663 (sec)
                      Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                      Interface ctxb-outside (x.x.x.164): Normal (Waiting)
    Why are the interfaces in (waiting)?

    Are you able to ping between the interfaces? i.e. can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
    Here is the reference guide FYI:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

  • Multiple Public IP's on ASA 5520

    Hi,
    I have ASA 5520 with Ver 8.2.
    Outside interface is directly connected to ISP's router(TelePacific) and is assigned one of public IP:198.24.210.226.
    There are two servers inside the network with the private IP's:192.168.1.20 for DB Server, and 192.168.1.91 for Web Server.
    I did Static NAT 198.24.210.226 to 192.168.1.20  and 198.24.210.227 to 192.168.1.91.
    When I access DB Server(198.24.210.226) it's working OK but when I access Web Server(198.24.210.227) there is no response at all.
    I checked the inside traffic, it even did not get into the firewall.
    Is this the problem with ISP's router?  How can we route all of our public IP's to the outside interface(198.24.210.226)?
    interface GigabitEthernet0/1
    nameif inside
    ip address 192.168.1.1 255.255.255.0
    security-level 100
    no shutdown
    interface GigabitEthernet0/0
    nameif outside
    ip address 198.24.210.226 255.255.255.248
    security-level 0
    no shutdown
    route outside 0.0.0.0 0.0.0.0  198.24.210.225
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 198.24.210.226 255.255.255.255
    static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp 198.24.210.227 80   192.168.1.20 80   netmask 255.255.255.255 dns
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 9070
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
    access-group OUTSIDE-IN in interface outside

    Also,
    You seem to have a /29 public subnet. You should be able to use IP addresses from this subnet to configure NAT on your firewall. I don't think you need any specific configuration to allow the usage of the whole subnet as NAT IP addresses.
    You can naturally check the following
    show run sysopt
    Check that you DON'T have the following
    sysopt noproxyarp outside
    At the moment you are not actually configuring Static NAT but rather Static PAT.
    You are only forwarding some ports from certain public IP addresses to the local IP address. If you were doing Static NAT, then you would actually be statically binding the public IP addresses to the local IP address. So it would apply to any TCP/UDP port and you would only need to use the ACL to allow traffic.
    Though in that case you would have to replace the .226 IP address with something else, as it's the firewall interface IP address and it should not usually be assigned to a single host on the LAN.
    If you wanted to statically assign public IPs to both of these servers you could do
    static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
    static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 9070
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
    access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
    - Jouni
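
An added example, not part of the thread and not Cisco tooling: a small Python model of the ASA 8.2 (pre-8.3) inbound path that parses the static and access-list lines from the question and from the reply above and answers, for a packet arriving on the outside interface with a given destination address, protocol and port, whether the OUTSIDE-IN ACL permits it (on 8.2 an ACL on the outside interface matches the mapped public address) and which translation would apply. It shows the difference the reply describes: with the original static PAT lines only the forwarded ports translate, while the static NAT lines bind every port of 198.24.210.227 to 192.168.1.91 and the ACL alone decides what gets through. Assumptions: only any/host sources and destinations with numeric ports are parsed, the dns keyword is ignored, and the first matching line wins in both tables.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+)?(?P<mapped_ip>\d+(?:\.\d+){3})\s+"
    r"(?:(?P<mapped_port>\d+)\s+)?(?P<real_ip>\d+(?:\.\d+){3})\s+"
    r"(?:(?P<real_port>\d+)\s+)?netmask\b")
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$")

@dataclass
class StaticXlate:
    proto: Optional[str]        # None -> static NAT (whole address); "tcp"/"udp" -> static PAT
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    dst: str                    # "any" or a host address
    port: Optional[int]

def parse_config(text: str) -> Tuple[List[StaticXlate], List[AclEntry]]:
    statics, acls = [], []
    for line in text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append(StaticXlate(
                m.group("proto"), m.group("mapped_ip"),
                int(m.group("mapped_port")) if m.group("mapped_port") else None,
                m.group("real_ip"),
                int(m.group("real_port")) if m.group("real_port") else None))
            continue
        m = ACL_RE.match(line)
        if m:
            dst = m.group("dst")
            acls.append(AclEntry(m.group("name"), m.group("action"), m.group("proto"),
                                 "any" if dst == "any" else dst.split()[1],
                                 int(m.group("port")) if m.group("port") else None))
    return statics, acls

def translate_inbound(statics, dst_ip, proto, dst_port):
    """Translation for an inbound packet: the first matching static line wins."""
    for s in statics:
        if s.mapped_ip != dst_ip:
            continue
        if s.proto is None:                                  # static NAT: every port
            return (s.real_ip, dst_port)
        if s.proto == proto and s.mapped_port == dst_port:   # static PAT: one port only
            return (s.real_ip, s.real_port)
    return None

def acl_permits(acls, name, proto, dst_ip, dst_port):
    """First matching ACE decides; an ASA ACL ends with an implicit deny."""
    for e in acls:
        if e.name != name or e.proto not in (proto, "ip"):
            continue
        if e.dst != "any" and e.dst != dst_ip:
            continue
        if e.port is not None and e.port != dst_port:
            continue
        return e.action == "permit"
    return False

def inbound_path(config_text, dst_ip, proto, dst_port, acl_name="OUTSIDE-IN"):
    """(permitted by the outside ACL, translation that would apply) for one inbound packet."""
    statics, acls = parse_config(config_text)
    return (acl_permits(acls, acl_name, proto, dst_ip, dst_port),
            translate_inbound(statics, dst_ip, proto, dst_port))

# Constructed sample 1: the static PAT lines and ACL from the question.
PAT_CONFIG = """\
static (inside,outside) tcp 198.24.210.226 3389 192.168.1.10 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.226 9070 192.168.1.10 9070 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 3389 192.168.1.20 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp 198.24.210.227 80   192.168.1.20 80   netmask 255.255.255.255 dns
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 3389
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.226 eq 9070
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
"""

# Constructed sample 2: the static NAT alternative from the reply.
NAT_CONFIG = """\
static (inside,outside) 198.24.210.227 192.168.1.91 netmask 255.255.255.255
static (inside,outside) 198.24.210.228 192.168.1.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 3389
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.228 eq 9070
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 3389
access-list OUTSIDE-IN extended permit tcp any  host 198.24.210.227 eq 80
"""

if __name__ == "__main__":
    for cfg, label in ((PAT_CONFIG, "PAT"), (NAT_CONFIG, "NAT")):
        for port in (80, 443):
            print(label, "198.24.210.227 tcp", port, "->", inbound_path(cfg, "198.24.210.227", "tcp", port))
```

Under the PAT lines a connection to 198.24.210.227:443 is neither permitted nor translated; under the NAT lines the translation to 192.168.1.91:443 exists and only the ACL stops it, which is why, with static NAT, the ACL has to be written deliberately for every port that should be reachable.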

  • Manage ASA multicontext with PRSM

    Hello,
    I need to manage an active/standby ASA CX configuration with PRSM Multidevice mode. Is it possible?
    I read in the documentation:
    If the ASA is in multiple-context mode, you can still manage a CX module
    But it seems to be possible only with single mode PRSM.
    Can anyone confirm it?

    The base ASA is managed using an inside interface. In my case it is a subinterface that's on the same subnet as PRSM, so there's no question of routing back from the ASA since it's a connected subnet.
    So I have the ASA subinterface I'm using for management on the same VLAN as the physical interface that's connected to the CX (hardware module in this case since it's a 5585-X). The PRSM VM is also on that subnet.
    You could do it other ways as long as all the routing works out.

  • ASA 5520 VERSION 8.2 UPGRADE TO 9.0

    Hello friends,
    I am considering performing an upgrade of my ASA 5520 from version 8.2 to 9.0, so I will enjoy the benefits of AnyConnect for mobile devices. I clearly understand that I must pay special attention to:
    NAT Rules.
    RAM Memory: 2 GB.
    Adding the part numbers to power on the newest versions of anyconnect and for mobile devices
    L-ASA-AC-E-5520= ASA-AC-M-5520=
    am I missing any other thing? Flash requirement? Or to pay attention to some other configurations? 
    Any comment or documentation will be appreciated.
    Regards!

    You can run the latest AnyConnect client - including mobile clients - with those licenses even on an ASA with the current  8.2 code - 8.2(5) as of now. While it's a bit old and lacking some of the newer features, it's a solid and stable release.
    That would save you the trouble of migrating your NAT configuration (and other bits) and upgrading memory.
    Since the ASA 5500 series (5510, 5520 etc.) is past End of Sales you have a limited future on those platforms. For instance, ASA 9.1(x) is the last set of code releases that will be available for them. (The current software on the 5500-X is 9.3(1).)

  • ASA 5520 : IP address for CSC SSM

    Hi All,
    I have an ASA 5520 with CSC SSM. I have the base and plus license and want to activate it. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT. The outside is a public IP address. Now for the CSC SSM what range should I give?
    There is an ISA server on the DMZ where all user IPs get PATed, and this gets NATed on the ASA. Direct access to the internet exists for the servers (bypassing the proxy).
    My basic doubt is about the IP address and gateway that the CSC SSM should have, and whether it is related to the management interface IP address.
    Thanks and Regards.
    Sonu

    Hi
    Put your CSC IP address in the outside interface subnet, because CSC needs automatic updates from the internet, and you will be able to manage the CSC remotely.
    For example:
    if your outside IP is 10.0.0.1/24, make the CSC IP 10.0.0.2/24 with gateway 10.0.0.1.
    Hopes this helps
    regs
    S.Mohana sundaram

  • ACE system stability with multi-context

    Question... if the ACE module is configured with multiple contexts, and one of the contexts hits its max resource limitations for a given resource thereby resulting in dropping excess resources, will this cost the entire ACE system, or is it limited only to the one context?
    For example, if a context configured for a max of 3000 connections/second receives 300000000 connections/second due to a virus outbreak/DoS attack, will this attack affect other contexts, or will the dropping of the excess connections be seamless to other contexts? Also, does the ACE drop the excess traffic in hardware, or must it be examined by a cpu?
    Thanks!!
    -Lee

    Generally, the individual contexts operate independently from one another. So if one context reaches its upper defined limit, that affects only that context.
    The ACE has hardware-based support for many of its operations, and to the best of my knowledge, connection processing is handled by one of its 16 MEs (MicroEngines). I've never seen a benchmark test that shows how e.g. a DoS attack affects the entire module, nor have I tried it myself, but maybe someone else here at the forum can provide you with some information on that.
    BTW, try and check out these two links. The first one describes the ACE hardware architecture, including the MEs and how they're used for processing traffic. The other one is a test conducted by Miercom on the ACE module; maybe this can provide you with some information on how the ACE handles a sudden increase in traffic during an attack.
    http://www.cisco.com/en/US/customer/prod/collateral/modules/ps2706/ps6906/White_Paper_Connection_Handling_within_the_Cisco_Application_Control_Engine_Module_Hardware.html
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_brochure0900aecd806d1c90.pdf
    hth
    /Ulrich

  • ASA 5520 IPS configuration

    Dear boss
    I have an ASA 5520 with IPS in my data center. I am using it for routing and access lists. It is running and all my 80 branches are running on it.
    Now I want to enable IPS.
    How do I start it?
    When I click on IPS in graphic mode it asks for an IP. What should it be?
    What is the procedure?
    Is there any risk in enabling it during business hours?
    Please tell me the details.
    Thanking You
    shahid

    Hi,
    To know more details for configuring IPS in ASA Firewall the below URL will help you
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html
    Regards,
    MK

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beaten to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASAs running multiple contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication but do VPN load balancing. It is clear that this latter scenario will work and that both ASAs are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs "active/active", but it is not.
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike
