ASA active active design

Similar Messages

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• ASA 5520 Activation Key Help

  Hi All,
  we recently installed a activaiton key for the Anyconnect License on our ASA 5520. We have a pair runnning, in Active/Standby mode, on IOS 8.0. The Activation/License was installed on the Primary ASA. Once installed the all failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This cause haoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible?? If so how would I be able to achieve this. Or do I need to ontain a new license key. Ultimately I would like to get back to the stage before instlaling the Anyconnect License, where we had a 2 ASAs running in Active/Standby mode.
  Thank you for your help and suggestions.
  Cheers
  Deena
  oput put from sh activation-key detail and sh version
  CH-ASA# sh act det
  Serial Number:  JMX1101K2SU
  Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 2
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Disabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This is a time-based license that will expire in 27 day(s).
  Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This platform has an ASA 5520 VPN Plus license.
  This is a time-based license that will expire in 27 day(s).
  The flash activation key is the SAME as the running key.
  CH-ASA# sh ver
  Cisco Adaptive Security Appliance Software Version 8.0(5)
  Device Manager Version 6.2(5)53
  Compiled on Mon 02-Nov-09 21:22 by builders
  System image file is "disk0:/asa805-k8.bin"
  Config file at boot was "startup-config"
  CH-ASA up 18 hours 30 mins
  Hardware:   ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
  0: Ext: GigabitEthernet0/0  : address is 0019.0665.6dfc, irq 9
  1: Ext: GigabitEthernet0/1  : address is 0019.0665.6dfd, irq 9
  2: Ext: GigabitEthernet0/2  : address is 0019.0665.6dfe, irq 9
  3: Ext: GigabitEthernet0/3  : address is 0019.0665.6dff, irq 9
  4: Ext: Management0/0       : address is 0019.0665.6dfb, irq 11
  5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
  6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This platform has an ASA 5520 VPN Plus license.
  This is a time-based license that will expire in 27 day(s).
  Serial Number: JMX1101K2SU
  Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Configuration register is 0x1
  Configuration has not been modified since last system restart.
  CH-ASA#

  If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
  Sent from Cisco Technical Support iPad App

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• How to do nat at active/active asa

  Hi i want to learn how to do nat(PAT) at active/active asa. i must be write nat command each context or other way which i do not know?
  thanks

  Hi Teymur,
  Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
  In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
  Hope that helps.
  -Mike

• Cisco ASA Active/ Active

  Hi,
  Can we have ASA in  Active/ Active in single context mode.
  If Active/ Active is  possible in single context mode, then in best practices, Active/Active is  prefered or Active Standby.
  Thanks

  Hi,
  ASA Active/Active setup can be done only with multiple context mode, you cannot use it in a single mode.
  In a single mode only you can have Active/Standby failover.
  Also, please move the question to the Firewall section for more discussions.
  Thanks.

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

• Cisco Access Registrar 5 : What design or requirements for active/ active deploiement

  Hi Every one
  I want to install Cisco Access Registrar 5  on two different servers in active/ active design
  What design or requirements for active/ active deploiement ?
  Using Sun Solaris ? (i know using sun Sloaris i can have this mode of high availability BUT I PREFER INSTALLING IT ON  RED HAT ENTERPRISE )
  Using RED HAT ENTERPRISE on the two servers  ?   i wan to knew if i must use Vmware with the adequate licences (Vcenter) to provide FT fonctionnality for active / active Design ?
  How i can use the replication   to provide a complet active / active Design ?
  Cordialement
  Zammit Ikbel

  It depends what functionalities you want to use on CAR.
  For example:
  If only plain authentication is needed, you can install two servers independently and just configure replication between them (they just need IP visibility to replicate configuration). NAS clients can contact servers in  round-robin or you can share load on two servers in some other way.
  If you want CAR to perform session management and dynamic IP address allocation, than you need some cluster solution, as two servers must have synchronized state of sessions and consistent administration of addresses allocated from a pool.
  Best regards,
  Jasmina

• ASA active/active failover back to back

  Hi,
        for HA  I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
  The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
  Is this possible and what would you need to do it  ie a switch or two in between ?
  I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
  Would you put 2 switches trunked together carrying two vlans, one for each context ?
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
                 |  |                                |  |
            -| CTX1 |-          ?         -| CTX1 |-
            -| CTX2 |-          ?         -| CTX2 |-
  Thanks in advance.

  Your latest attachment is pretty close to what I was thinking.
  I would add a second interface on each ASA to the switches.
  So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
  An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
  You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

• Active/Active ASA in GNS3?????

  Hi,
  How can I run ACTIVE/ACTIVE firewall in GNS3??
  I tried in google and FB groups but didnt get answer that works.
  So,I did finally multimode option in ASA but then I couldnt config IP addresses on interfaces!!!!
  Thanks in advance.
  Bye,

  Hello Anand,
  It should work, I have done it
  Make sure you have the licenses to run it,
  Regards
  Remember to rate all of the helpful posts.
  For this community that's as important as a thanks.

• Asa active/active questions

  if i have asa's configured as active/active;
  1. Is this situation treated as one? I mean can i manage this only with IDM?
  2. The 5520 can have 130,000 connections. If i am using 2 of this which is config active/active, can i say that am having 130,000X2=260,000 connections?
  thanks.

  1. In ASA, Active/Active can only be acrhived when both ASA is in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewall. You can refer to following configuration example.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
  In your case, you need to create 2 context in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B. While in ASA-2, it should be standby in Context-A and active for Context-B. You should be have seperate set of configuration for each Context.
  To manage the configuration, you can use ASDM.
  2. I am sorry, I don't know that

• ASA Active/Active Configuration

  Dear All,
  In configuring Active/Active mode of ASA, most examples are stating using
  2 customers for Active/Active. If I only get 1 customer with 4 interfaces as
  following:
  1) Outside
  2) Inside
  3) DMZ
  4) VPN
  Can I still use the Active/Active mode?
  If so, then how to allocate the interfaces to the 2 failover groups? Let
  assume:
  Failover group 1: Outside and DMZ
  Failover group 2: VPN and Inside
  That means ASA_A is primary of Group1, while ASA_B is primary of Group2. If
  so, is the traffic between Outside and Inside has problem? Since they are
  crossing the 2 failover group on the 2 ASA.
  Please correct me and my assumption. A sample configuration would be much appreciate.
  Thanks in advance.
  Br,
  Sam

  Thank you for the reply Jennifer.
  I was reffering to the following document:
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
  Failure Event
  Policy
  Active Action
  Standby Action
  Notes
  Failover link failed during operation
  No failover
  Mark failover interface as failed
  Mark failover interface as failed
  You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  Stateful Failover link failed
  No failover
  No action
  No action
  State information becomes out of date, and sessions are terminated if a failover occurs.
  I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?
  How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
  Sorry I didn't accurately phrase my original post.
  Thank you

• Can two ASA build up a loadbalance such as active/active mode ?

  Hi, Professionals
  I am wondering if two ASA be able to build up a loadbalance such as active/active mode, balance the traffic, ?
  thanks in advance,
  Yang

  Yes, running the ASA's in active/active is so you can load balance traffic. Here's a link with more information.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps.

• Design and build an active/active(prod) and Passive(DR) sqlserver 2005 setup.

  Hi Folks,
  I  have a requirement to design and Build the sqlserver 2005 cluster across two data centers .Typically
  the design would look like:
  1) Create a 2 node sqlserver 2005 cluster active/active in production.
  2) Create a 1 node active instance in DR.
  Can you please explain how  to Build the sqlserver 2005 active/active 2 node cluster in the production site.
  on the other hand i am thinking of setting a log shipping to DR from the sqlserver instance in prod.
  Thanks

  http://www.mssqltips.com/sqlservertip/1554/sql-server-clustering-active-vs-passive/
  Best Regards,Uri Dimant SQL Server MVP,
  http://sqlblog.com/blogs/uri_dimant/
  MS SQL optimization: MS SQL Development and Optimization
  MS SQL Consulting:
  Large scale of database and data cleansing
  Remote DBA Services:
  Improves MS SQL Database Performance
  SQL Server Integration Services:
  Business Intelligence

• Radius auth to standby ASA in Active Active Failover

  Hi Everyone,
  When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
  But when ASA is in multi context mode  Active/Active failover i can not do Radius Auth to standby ASA?
  Is this default behaviour?
  Regards
  MAhesh

  I would not have thought this is the default behavior...but then again, I have never tested this.  If you console into the standby context issue the command show run | in aaa.  Which authentication database is indicated?
  Please remember to select a correct answer and rate helpful posts