Asa active/active questions

if i have asa's configured as active/active;
1. Is this situation treated as one? I mean can i manage this only with IDM?
2. The 5520 can have 130,000 connections. If i am using 2 of this which is config active/active, can i say that am having 130,000X2=260,000 connections?
thanks.

1. In ASA, Active/Active can only be acrhived when both ASA is in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewall. You can refer to following configuration example.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
In your case, you need to create 2 context in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B. While in ASA-2, it should be standby in Context-A and active for Context-B. You should be have seperate set of configuration for each Context.
To manage the configuration, you can use ASDM.
2. I am sorry, I don't know that

Similar Messages

  • Asa in active/active vpn solution licensing question

    Hello All
    I have a customer with the following requirements:
    1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
    a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
    2) User  licenses for the above - Please quote for both the following
    a. 500 appropriate SSL VPN User Licenses
    b. 250  appropriate SSL VPN User Licenses
    I am quoting them for the 500 ssl vpn bundle
    ASA5520-SSL500-K9 and for the
    ASA5520-BUN-K9.
    Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
    Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
    http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
    Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
    Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
    Also “Failover  Guidelines
    •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
    I also need to purchase the
    ASA-ADV-END-SEC and
    ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
    Do I need to buy this for both asa's or can they share them in active/active mode.
    Thanks in advance.
    Feisal

    Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
    So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
    Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
    My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
    Is that incorrect?
    Many thanks
    Rays

  • ASA 8.4 transparent mode active/active questions

    Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
    1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
    2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
    3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
    Thanks for your replies

    Hello,
    1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
    You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
    2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
    You can configure up to 8 bridge groups per context to achieve this.
    3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
    Active/Active failover is only possible in multiple context mode.
    Hope that helps.
    -Mike

  • Cisco ASA Active/ Active

    Hi,
    Can we have ASA in  Active/ Active in single context mode.
    If Active/ Active is  possible in single context mode, then in best practices, Active/Active is  prefered or Active Standby.
    Thanks

    Hi,
    ASA Active/Active setup can be done only with multiple context mode, you cannot use it in a single mode.
    In a single mode only you can have Active/Standby failover.
    Also, please move the question to the Firewall section for more discussions.
    Thanks.

  • ASA Active/Active Configuration

    Dear All,
    In configuring Active/Active mode of ASA, most examples are stating using
    2 customers for Active/Active. If I only get 1 customer with 4 interfaces as
    following:
    1) Outside
    2) Inside
    3) DMZ
    4) VPN
    Can I still use the Active/Active mode?
    If so, then how to allocate the interfaces to the 2 failover groups? Let
    assume:
    Failover group 1: Outside and DMZ
    Failover group 2: VPN and Inside
    That means ASA_A is primary of Group1, while ASA_B is primary of Group2. If
    so, is the traffic between Outside and Inside has problem? Since they are
    crossing the 2 failover group on the 2 ASA.
    Please correct me and my assumption. A sample configuration would be much appreciate.
    Thanks in advance.
    Br,
    Sam

    Thank you for the reply Jennifer.
    I was reffering to the following document:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
    Failure Event
    Policy
    Active Action
    Standby Action
    Notes
    Failover link failed during operation
    No failover
    Mark failover interface as failed
    Mark failover interface as failed
    You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
    Stateful Failover link failed
    No failover
    No action
    No action
    State information becomes out of date, and sessions are terminated if a failover occurs.
    I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?
    How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
    Sorry I didn't accurately phrase my original post.
    Thank you

  • ASA 5520 Activation Key Help

    Hi All,
    we recently installed a activaiton key for the Anyconnect License on our ASA 5520. We have a pair runnning, in Active/Standby mode, on IOS 8.0. The Activation/License was installed on the Primary ASA. Once installed the all failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This cause haoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible?? If so how would I be able to achieve this. Or do I need to ontain a new license key. Ultimately I would like to get back to the stage before instlaling the Anyconnect License, where we had a 2 ASAs running in Active/Standby mode.
    Thank you for your help and suggestions.
    Cheers
    Deena
    oput put from sh activation-key detail and sh version
    CH-ASA# sh act det
    Serial Number:  JMX1101K2SU
    Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Disabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This is a time-based license that will expire in 27 day(s).
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    The flash activation key is the SAME as the running key.
    CH-ASA# sh ver
    Cisco Adaptive Security Appliance Software Version 8.0(5)
    Device Manager Version 6.2(5)53
    Compiled on Mon 02-Nov-09 21:22 by builders
    System image file is "disk0:/asa805-k8.bin"
    Config file at boot was "startup-config"
    CH-ASA up 18 hours 30 mins
    Hardware:   ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Ext: GigabitEthernet0/0  : address is 0019.0665.6dfc, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0019.0665.6dfd, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0019.0665.6dfe, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0019.0665.6dff, irq 9
    4: Ext: Management0/0       : address is 0019.0665.6dfb, irq 11
    5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
    6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 750
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Proxy Sessions            : 2
    This platform has an ASA 5520 VPN Plus license.
    This is a time-based license that will expire in 27 day(s).
    Serial Number: JMX1101K2SU
    Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
    CH-ASA#

    If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
    Sent from Cisco Technical Support iPad App

  • Cisco asa security context active/active failover

    Hi,                  
    I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
    Each ASA appliance will have two security context named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
    I am a reading a book on failover configuration in active/active in that below note is mentioned.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
    Regards,
    Nick

    Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • How to do nat at active/active asa

    Hi i want to learn how to do nat(PAT) at active/active asa. i must be write nat command each context or other way which i do not know?
    thanks

    Hi Teymur,
    Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
    In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
    Hope that helps.
    -Mike

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • ASA active/active failover back to back

    Hi,
          for HA  I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
    The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
    Is this possible and what would you need to do it  ie a switch or two in between ?
    I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
    Would you put 2 switches trunked together carrying two vlans, one for each context ?
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
                   |  |                                |  |
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
    Thanks in advance.

    Your latest attachment is pretty close to what I was thinking.
    I would add a second interface on each ASA to the switches.
    So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
    An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
    You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

  • Active/Active ASA in GNS3?????

    Hi,
    How can I run ACTIVE/ACTIVE firewall in GNS3??
    I tried in google and FB groups but didnt get answer that works.
    So,I did finally multimode option in ASA but then I couldnt config IP addresses on interfaces!!!!
    Thanks in advance.
    Bye,

    Hello Anand,
    It should work, I have done it
    Make sure you have the licenses to run it,
    Regards
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • Can two ASA build up a loadbalance such as active/active mode ?

    Hi, Professionals
    I am wondering if two ASA be able to build up a loadbalance such as active/active mode, balance the traffic, ?
    thanks in advance,
    Yang

    Yes, running the ASA's in active/active is so you can load balance traffic. Here's a link with more information.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps.

  • ASA active active design

    Hi
    I configurate ASA's in active active mode. I create 10 context's in Primary ASA. 5 context are in group1 in ASA1 and 5 conetexts are in group2 in ASA2.
    The problem assign ip address to outside interface of context's.
    I use int gi0/0 and gi0/1 for outside interfaces. 5 contexts are in gi0/0 and 5 contexts are in gi0/1 interface.
    gi0/2-gi0/6 for inside interface.
    I create subinterface in inside interfaces and assign different vlan. In different conetext give different subnet. That is ok.
    The issue is:
    i want to use the same subnet but differen ip for outside interface of context's. is it possible?  I configurate eigrp protocol in Context's.
    Thanks.

    Dears
    i find the documentation
    http://www9.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul
    But this is version 7.x
    Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode
    Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.
    The error is shown here for your reference: ERROR: This address conflicts with another address on net.
    Here is wroten that same ip address but i want to configurate same subnet but different ip address. is it possible?
    i use 9.1 version in ASA's

  • Radius auth to standby ASA in Active Active Failover

    Hi Everyone,
    When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
    But when ASA is in multi context mode  Active/Active failover i can not do Radius Auth to standby ASA?
    Is this default behaviour?
    Regards
    MAhesh

    I would not have thought this is the default behavior...but then again, I have never tested this.  If you console into the standby context issue the command show run | in aaa.  Which authentication database is indicated?
    Please remember to select a correct answer and rate helpful posts

  • ASA Expert Wanted | Active Active Failover Requirment

    Hello Everyone,
    We have two new ASA5515-X and im currently in planning phase of its deployment. Not sure if ASA can support these requirments
    Here’s what we need to have in place
    A. During normal operation, wherein both ASAs and ISPs are operational.
    1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    B. ASA1 failure, ASA2 and both ISPs are operational
    1. By default all traffic will be routed out through ASA2's intergace g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA2's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    C. ASA2 failure, ASA1 and both ISPs are operational
    1. By default all traffic will be routed out through ASA1's intergace g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA1's interface g2
    D. ISP1 failure, both ASAs and ISP2 are operational
    1. All traffic will be handled by ASA2's interface g2 (backup)
    E. ISP2 failure, both ASAs and ISP1 are operational
    1. All traffic will be handled by ASA1's interface g1 (outside)
    F. Item D + ASA2 failure
    1. All traffic will be handled by ASA1's interface g2 (backup)
    G. Item E + ASA1 failure
    1. All traffic will be handled by ASA2's interface g1 (outside)
    Note:
    InterfaceG1 is nameif'ed outside and is connected to ISP1
    InterfaceG2 is nameif'ed backup and is connected to ISP2
    Also, as a follow up, per my initial findings I need to enable multiple context to achieve what us required. But we also need a VPN redundancy and failover. But I red somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already supports VPN in multi context mode? If not, what approach would you suggest to address these requirement?
    Here's daigram of what im thinking
    Your inputs is highly appreciated
    Thanks everyone !

    One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
    the ASA9 supports VPN in A/A, but only site-to-site, no remote access.
    Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
    Sent from Cisco Technical Support iPad App

Maybe you are looking for

  • Problem with multiple users sharing a single library

    We have a family iMac. I am the only one with Admin privileges. I want to share my iTunes music folder with the other users so we don't end up replicating all the MP3 files. I put the music folder in my Public directory and the other users can see it

  • Operating system windows 8

    I have a 2 year old HP envy 17 running windows 8. I clicked something pop up and after that my metro apps are gone, all pictures and saved documents are gone. I did some research and did restart/refresh but not working apps are not back still. And so

  • Safari is not displaying parts of web pages and will not print pdfs

    I am using a MacBook Pro running OSX 10.8.3 and Safari 6.0.3.  Web pages are sometimes missing elements.  Pdfs often do not display correctly and when I try to print them there is nothing there.  This started to happen before upgrading to 10.8.3.  An

  • Mail stuck in "Mailbox Database ..." queue

    Hi guys In our organization we have an Exchange Server 2013 CU6 with both server roles CAS and Mailbox installed (absolutely fresh deployment). Users from AD have successfully been assigned mailboxes. The authoritative domain of the server is set cor

  • Error in copy view enhancement ...

    Hi, I am getting one URL error when I am enhancing one view copy from standard view. I copy ActIEFJournal  view from BT127I_ACTI component and make a Zview. Now when I am enhancing this Zview I am geting this URL error. Cannot display view BT127I_ACT