ASA active active design
Hi
I configured the ASAs in active/active mode. I created 10 contexts on the primary ASA. 5 contexts are in group 1 on ASA1 and 5 contexts are in group 2 on ASA2.
The problem is assigning IP addresses to the outside interfaces of the contexts.
I use interfaces gi0/0 and gi0/1 for the outside interfaces: 5 contexts are on gi0/0 and 5 contexts are on gi0/1.
gi0/2-gi0/6 are for inside interfaces.
I created subinterfaces on the inside interfaces and assigned different VLANs. Different contexts get different subnets. That is OK.
The issue is:
I want to use the same subnet but different IPs for the outside interfaces of the contexts. Is it possible? I configured the EIGRP protocol in the contexts.
Thanks.
Dears
I found the documentation
http://www9.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul
But this is for version 7.x
Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode
Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.
The error is shown here for your reference: ERROR: This address conflicts with another address on net.
Here it is written that the same IP address is not possible, but I want to configure the same subnet with different IP addresses. Is it possible?
I use version 9.1 on the ASAs.
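As an added example (not from this thread), the layout described above reduced to two contexts: ctx1 and ctx2 share gi0/0 as outside, each with its own host address in one /24, while the inside side uses subinterfaces. Interface names, addresses, VLANs and group numbers are assumed. Because both contexts share gi0/0 they are placed in the same failover group, and the system space enables a distinct MAC per context on the shared interface, which is what lets the ASA classify inbound packets to the right context; the restriction quoted from the 7.x document is only on identical addresses.

```cisco
! --- system execution space (example layout, addresses assumed) ---
mode multiple
!
! inside subinterfaces are created here, then allocated to the contexts
interface GigabitEthernet0/2.10
  vlan 10
interface GigabitEthernet0/2.20
  vlan 20
!
! LAN-based failover; one link carries failover and stateful traffic
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover link folink GigabitEthernet0/7
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! group 1 is normally active on the primary unit, group 2 on the secondary
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! a shared interface is classified by destination MAC, so each context
! needs its own MAC on GigabitEthernet0/0
mac-address auto
!
! ctx1 and ctx2 share GigabitEthernet0/0 and therefore must be in the
! same failover group
context ctx1
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2.10
  config-url disk0:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/2.20
  config-url disk0:/ctx2.cfg
  join-failover-group 1
!
failover
!
! --- ctx1.cfg: its own host address in the shared 203.0.113.0/24 ---
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.11 255.255.255.0 standby 203.0.113.12
interface GigabitEthernet0/2.10
  nameif inside
  security-level 100
  ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
router eigrp 100
  network 203.0.113.0 255.255.255.0
  network 10.10.10.0 255.255.255.0
!
! --- ctx2.cfg: same outside subnet, different host address ---
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.21 255.255.255.0 standby 203.0.113.22
interface GigabitEthernet0/2.20
  nameif inside
  security-level 100
  ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
```

The 10-context layout in the question follows the same pattern: the five contexts on gi0/0 all join group 1 and the five on gi0/1 all join group 2, so no shared interface ever spans two failover groups.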
Similar Messages
-
Asa in active/active vpn solution licensing question
Hello All
I have a customer with the following requirements:
1) A Cisco VPN Solution that will support SSL VPN and Cisco Client VPN - The solution will be a failover configuration running in an active-active set up. The solution offered will be fully supported (i.e. it will not go into End of Life or a lower level of support etc.) by Cisco for the next 5 years.
a. We would expect the devices to be similar to the ASA 5520 Appliance with SW, HA, 4GE+1FE, 3DES/AES (including ASA 5500 Advanced Endpoint Assessment)
2) User licenses for the above - Please quote for both the following
a. 500 appropriate SSL VPN User Licenses
b. 250 appropriate SSL VPN User Licenses
I am quoting them for the 500 ssl vpn bundle
ASA5520-SSL500-K9 and for the
ASA5520-BUN-K9.
Is it right that in active/active with software 8.3 and above the 500 SSL VPN licenses will be shared between the 2 ASAs, or will I need to have 250 licenses on each ASA?
Also I have read that in active/active I cannot use shared licenses; is this relevant in a VPN solution?
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
Url above has this “The backup server mechanism is separate from, but compatible with, failover.
Shared licenses are supported only in single context mode, so Active/Active failover is not supported.”
Also “Failover Guidelines
• Shared licenses are not supported in Active/Active mode. See the "Failover and Shared Licenses" section for more information.”
I also need to purchase the
ASA-ADV-END-SEC and
ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
Do I need to buy these for both ASAs, or can they share them in active/active mode?
Thanks in advance.
Feisal
Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy NAT that could help influence the outbound flow?
So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?
My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
Is that incorrect?
Many thanks
Rays -
Hi All,
We recently installed an activation key for the AnyConnect license on our ASA 5520. We have a pair running in Active/Standby mode on OS 8.0. The activation key/license was installed on the primary ASA. Once installed, all the failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This caused havoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible? If so, how would I be able to achieve this? Or do I need to obtain a new license key? Ultimately I would like to get back to the stage before installing the AnyConnect license, where we had 2 ASAs running in Active/Standby mode.
Thank you for your help and suggestions.
Cheers
Deena
Output from sh activation-key detail and sh version:
CH-ASA# sh act det
Serial Number: JMX1101K2SU
Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This is a time-based license that will expire in 27 day(s).
Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
This is a time-based license that will expire in 27 day(s).
The flash activation key is the SAME as the running key.
CH-ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 6.2(5)53
Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"
CH-ASA up 18 hours 30 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0019.0665.6dfc, irq 9
1: Ext: GigabitEthernet0/1 : address is 0019.0665.6dfd, irq 9
2: Ext: GigabitEthernet0/2 : address is 0019.0665.6dfe, irq 9
3: Ext: GigabitEthernet0/3 : address is 0019.0665.6dff, irq 9
4: Ext: Management0/0 : address is 0019.0665.6dfb, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
This is a time-based license that will expire in 27 day(s).
Serial Number: JMX1101K2SU
Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
Configuration register is 0x1
Configuration has not been modified since last system restart.
CH-ASA#
If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
-
Cisco asa security context active/active failover
Hi,
I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
Each ASA appliance will have two security context named "ctx1" & "ctx2".
I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process the traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign the "ctx1" interfaces to failover group 1 and the "ctx2" interfaces to group 2.
I am a reading a book on failover configuration in active/active in that below note is mentioned.
If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case can the shared interface be used in failover groups 1 & 2?
Regards,
Nick
You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.
-
How to do nat at active/active asa
Hi, I want to learn how to do NAT (PAT) on an active/active ASA. Must I write the NAT commands in each context, or is there another way which I do not know?
thanks
Hi Teymur,
Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
Hope that helps.
-Mike -
Hi,
Can we have the ASA in Active/Active in single context mode?
If Active/Active is possible in single context mode, then as a best practice, is Active/Active preferred or Active/Standby?
Thanks
Hi,
An ASA Active/Active setup can be done only in multiple context mode; you cannot use it in single mode.
In a single mode only you can have Active/Standby failover.
Also, please move the question to the Firewall section for more discussions.
Thanks. -
ASA Active/Active Failover with Redundant Guest Anchors
Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy? I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle. Do I assume etherchannel? If I were to create this scenario, can I run the 5508 in LAG mode?
The current failover configuration example is for PIX, and old code at that. I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
Regards,
Scott
In addition to what you have, you should add to each unit the global configuration command "failover".
We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference. -
Cisco Access Registrar 5: What design or requirements for active/active deployment
Hi Everyone
I want to install Cisco Access Registrar 5 on two different servers in an active/active design.
What design or requirements are there for an active/active deployment?
Using Sun Solaris? (I know using Sun Solaris I can have this mode of high availability BUT I PREFER INSTALLING IT ON RED HAT ENTERPRISE)
Using RED HAT ENTERPRISE on the two servers? I want to know if I must use VMware with the adequate licences (vCenter) to provide FT functionality for an active/active design?
How can I use the replication to provide a complete active/active design?
Regards
Zammit Ikbel
It depends what functionalities you want to use on CAR.
For example:
If only plain authentication is needed, you can install two servers independently and just configure replication between them (they just need IP visibility to replicate configuration). NAS clients can contact servers in round-robin or you can share load on two servers in some other way.
If you want CAR to perform session management and dynamic IP address allocation, then you need some cluster solution, as the two servers must have a synchronized state of sessions and consistent administration of addresses allocated from a pool.
Best regards,
Jasmina -
ASA active/active failover back to back
Hi,
For HA I want to connect 4 ASAs in active/active failover with each ASA having two contexts.
The reason I need this is to separate two domains. Each domain has an ASA pair in active/active failover.
Is this possible, and what would you need to do it, i.e. a switch or two in between?
I know you need switches or VLANs to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASAs?
Would you put 2 switches trunked together carrying two vlans, one for each context ?
-| CTX1 |- ? -| CTX1 |-
-| CTX2 |- ? -| CTX2 |-
| | | |
-| CTX1 |- ? -| CTX1 |-
-| CTX2 |- ? -| CTX2 |-
Thanks in advance.
Your latest attachment is pretty close to what I was thinking.
I would add a second interface on each ASA to the switches.
So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach). -
Active/Active ASA in GNS3?????
Hi,
How can I run ACTIVE/ACTIVE firewall in GNS3??
I tried Google and FB groups but didn't get an answer that works.
So I finally did the multimode option in the ASA, but then I couldn't configure IP addresses on the interfaces!
Thanks in advance.
Bye,
Hello Anand,
It should work, I have done it
Make sure you have the licenses to run it,
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks. -
Asa active/active questions
If I have ASAs configured as active/active:
1. Is this situation treated as one? I mean, can I manage this only with IDM?
2. The 5520 can have 130,000 connections. If I am using 2 of these configured active/active, can I say that I am having 130,000 x 2 = 260,000 connections?
thanks.
1. In ASA, Active/Active can only be achieved when both ASAs are in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewalls. You can refer to the following configuration example.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
In your case, you need to create 2 contexts in each ASA, say Context-A and Context-B. ASA-1 should be active for Context-A and standby for Context-B, while ASA-2 should be standby for Context-A and active for Context-B. You should have a separate set of configuration for each Context.
To manage the configuration, you can use ASDM.
2. I am sorry, I don't know that -
ASA Active/Active Configuration
Dear All,
In configuring Active/Active mode of ASA, most examples are stating using 2 customers for Active/Active. If I only get 1 customer with 4 interfaces as following:
1) Outside
2) Inside
3) DMZ
4) VPN
Can I still use the Active/Active mode?
If so, then how to allocate the interfaces to the 2 failover groups? Let's assume:
Failover group 1: Outside and DMZ
Failover group 2: VPN and Inside
That means ASA_A is primary of Group 1, while ASA_B is primary of Group 2. If so, does the traffic between Outside and Inside have a problem? Since they are crossing the 2 failover groups on the 2 ASAs.
Please correct me and my assumption. A sample configuration would be much appreciated.
Thanks in advance.
Br,
Sam
Thank you for the reply Jennifer.
I was referring to the following document:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
Failure Event: Failover link failed during operation
  Policy: No failover
  Active Action: Mark failover interface as failed
  Standby Action: Mark failover interface as failed
  Notes: You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
Failure Event: Stateful Failover link failed
  Policy: No failover
  Active Action: No action
  Standby Action: No action
  Notes: State information becomes out of date, and sessions are terminated if a failover occurs.
I think I should rephrase question 2): If I have two separate links for Failover and Stateful failover, will that fix my problem?
How can I configure separate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
Sorry I didn't accurately phrase my original post.
Thank you -
Can two ASA build up a loadbalance such as active/active mode ?
Hi, Professionals
I am wondering if two ASAs are able to build up a load balance such as active/active mode, to balance the traffic?
thanks in advance,
Yang
Yes, running the ASAs in active/active is so you can load balance traffic. Here's a link with more information.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Hope it helps. -
Hi Folks,
I have a requirement to design and build a SQL Server 2005 cluster across two data centers. Typically the design would look like:
1) Create a 2 node sqlserver 2005 cluster active/active in production.
2) Create a 1 node active instance in DR.
Can you please explain how to build the SQL Server 2005 active/active 2 node cluster in the production site.
On the other hand I am thinking of setting up log shipping to DR from the SQL Server instance in prod.
Thanks
http://www.mssqltips.com/sqlservertip/1554/sql-server-clustering-active-vs-passive/
Best Regards, Uri Dimant SQL Server MVP,
http://sqlblog.com/blogs/uri_dimant/ -
Radius auth to standby ASA in Active Active Failover
Hi Everyone,
When the ASA is in Active/Standby failover I can SSH to the standby ASA using RADIUS.
But when the ASA is in multi-context mode Active/Active failover I cannot do RADIUS auth to the standby ASA?
Is this default behaviour?
Regards
Mahesh
I would not have thought this is the default behavior...but then again, I have never tested this. If you console into the standby context issue the command show run | in aaa. Which authentication database is indicated?
Please remember to select a correct answer and rate helpful posts