ASA Expert Wanted | Active Active Failover Requirment

Hello Everyone,
We have two new ASA5515-X and im currently in planning phase of its deployment. Not sure if ASA can support these requirments
Here’s what we need to have in place
A. During normal operation, wherein both ASAs and ISPs are operational.
1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA1's interface g1
3. All incoming ISP2 traffic will be handled by ASA2's interface g2
B. ASA1 failure, ASA2 and both ISPs are operational
1. By default all traffic will be routed out through ASA2's intergace g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA2's interface g1
3. All incoming ISP2 traffic will be handled by ASA2's interface g2
C. ASA2 failure, ASA1 and both ISPs are operational
1. By default all traffic will be routed out through ASA1's intergace g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA1's interface g1
3. All incoming ISP2 traffic will be handled by ASA1's interface g2
D. ISP1 failure, both ASAs and ISP2 are operational
1. All traffic will be handled by ASA2's interface g2 (backup)
E. ISP2 failure, both ASAs and ISP1 are operational
1. All traffic will be handled by ASA1's interface g1 (outside)
F. Item D + ASA2 failure
1. All traffic will be handled by ASA1's interface g2 (backup)
G. Item E + ASA1 failure
1. All traffic will be handled by ASA2's interface g1 (outside)
Note:
InterfaceG1 is nameif'ed outside and is connected to ISP1
InterfaceG2 is nameif'ed backup and is connected to ISP2
Also, as a follow up, per my initial findings I need to enable multiple context to achieve what us required. But we also need a VPN redundancy and failover. But I red somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already supports VPN in multi context mode? If not, what approach would you suggest to address these requirement?
Here's daigram of what im thinking
Your inputs is highly appreciated
Thanks everyone !

One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
the ASA9 supports VPN in A/A, but only site-to-site, no remote access.
Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
Sent from Cisco Technical Support iPad App

Similar Messages

ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
This topic has been beat to death, but I did not see a real answer. Here is configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer question? TIA!

Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike

Cisco asa security context active/active failover

Hi,
I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
Each ASA appliance will have two security context named "ctx1" & "ctx2".
I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
I am a reading a book on failover configuration in active/active in that below note is mentioned.
If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
Regards,
Nick

Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

ASA active/active failover back to back

Hi,
      for HA I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
Is this possible and what would you need to do it ie a switch or two in between ?
I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
Would you put 2 switches trunked together carrying two vlans, one for each context ?
          -| CTX1 |-          ?         -| CTX1 |-
          -| CTX2 |-          ?         -| CTX2 |-
               | |                                | |
          -| CTX1 |-          ?         -| CTX1 |-
          -| CTX2 |-          ?     -| CTX2 |-
Thanks in advance.

Your latest attachment is pretty close to what I was thinking.
I would add a second interface on each ASA to the switches.
So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

Hello my name is jose quant, and let me know how I can use CAMERA RAW adobe bridge because the bridge use and want to open a camera raw image, I get a message that says: MAIN BRIDGE aplicaion NOT ACTIVATED. BRIDGE REQUIRES A PARTICULAR PRODUCT HAS BEGUN A

Hello my name is jose quant, and let me know how I can use CAMERA RAW adobe bridge because the bridge use and want to open a camera raw image, I get a message that says: MAIN BRIDGE aplicaion NOT ACTIVATED. BRIDGE REQUIRES A PARTICULAR PRODUCT HAS BEGUN AT LEAST ONCE TO ACTIVATE THIS FEATURE. I wonder what that means?
I use a lapto (windows 7) 64-Bit operating system.
Thank you,
my email is: [email protected], if you send me the answer to my query

You need to activate Photoshop.
Mylenium

ASA 5520 Anyconnect License on Active/Standby Failover pair

Hi
Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
Any help would be much appreciated on this one please
Regards
Graham

Thanks Marvin
Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
We previously had the VPN Plus License, and it still shows VPN Plus
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts           : 2
GTP/GPRS                     : Disabled
VPN Peers                   : 750
WebVPN Peers                 : 2
AnyConnect for Mobile       : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions           : 2
This platform has an ASA 5520 VPN Plus license.

Cisco ASA Active standby failover problem

We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
ASA01# show run
ASA01# show running-config
: Saved
ASA Version 8.2(5)
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router
name 192.168.2.1 SCADA_Router description SCADA_Router
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9
interface Vlan3
description LAN Failover Interface
ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any host MPLS_Router
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route-map Route_Out permit 1
match ip address inside_access_in outside_access_in
match interface inside
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: end

I suggest removing the failover configuration on both units and then re-add them, and then test.
Primary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
Secondary
failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover
Please remember to select a correct answer and rate helpful posts

Best practice for ASA Active/Standby failover

Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!

Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1#

ASA Active/Active Failover with Redundant Guest Anchors

Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy? I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle. Do I assume etherchannel? If I were to create this scenario, can I run the 5508 in LAG mode?
The current failover configuration example is for PIX, and old code at that. I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
Regards,
Scott

In addition to what you have, you should add to each unit the global configuration command "failover".
We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

Radius auth to standby ASA in Active Active Failover

Hi Everyone,
When ASA is in Active/standby failover i can ssh to standby ASA using Radius.
But when ASA is in multi context mode Active/Active failover i can not do Radius Auth to standby ASA?
Is this default behaviour?
Regards
MAhesh

I would not have thought this is the default behavior...but then again, I have never tested this. If you console into the standby context issue the command show run | in aaa. Which authentication database is indicated?
Please remember to select a correct answer and rate helpful posts

ASA CX / PRSM Active/Active Failover?

Hi everyone.
I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
On the other hand, this forum discussion says that they are using Active/Active with CX.
So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one. I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
Any advice on this? Guides maybe?
Thanks in advance.

Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

Active/Standby Failover with pair of 5510s and redundant L2 links

Hi
I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
Thanks in advance
Zoran Milenkovic

Hello Zoran,
Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
Also make sure that both ASAs have required hardware/software/license based on following link-
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
Hope this helps.
Regards,
Vibhor.

Asa in active/active vpn solution licensing question

Hello All
I have a customer with the following requirements:
1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The solution will be a failover configuration running in an active-active set up. The solution offered will be fully supported (i.e. it will not go into End of Life or and lower level of support etc) by Cisco for the next 5 Years.
a. We would expect the devices to be similar to the ASA 5520 Appliance with SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
2) User licenses for the above - Please quote for both the following
a. 500 appropriate SSL VPN User Licenses
b. 250 appropriate SSL VPN User Licenses
I am quoting them for the 500 ssl vpn bundle
ASA5520-SSL500-K9 and for the
ASA5520-BUN-K9.
Is it right that in active/active software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
Url above has this “The backup server mechanism is separate from, but compatible with, failover.
Shared licenses are supported only in single context mode, so Active/Active failover is not supported.”
Also “Failover Guidelines
•Shared licenses are not supported in Active/Active mode. See the "Failover and Shared Licenses" section for more information.
I also need to purchase the
ASA-ADV-END-SEC and
ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
Do I need to buy this for both asa's or can they share them in active/active mode.
Thanks in advance.
Feisal

Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x) and NAT them to ISP2?
My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
Is that incorrect?
Many thanks
Rays

To apply license in FWSM (Active-Active mode) and disable failover

Dear Team
I want to apply license to increase security context in FWSM which is running in Active-Active mode on VSS Core switches
As per below document, first we need to disable failover by entering 'no failover' command on active FWSM and then apply the license seperately on both FWSM.
I just want to know when i will disable the failover then standby move to pseudo-standby state.
Will there be any services impact which are running behind the FWSM when disbaling the failover and then re-enabling the failover.
http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm40/configuration/guide/fwsm_cfg/swcnfg_f.html#wp1073226
Appreciate your response.

Hi,
I think in your case as it is Active/Active , there is one extra step required.
You need to make all the contexts active on one unit and on the other one all should be standby.
Then disable the failover and update the license and re-enable the failover.
Thanks and Regards,
Vibhor Amrodia

Failover Under ASDM shows Active/Active

Hi everyone,
ASA is config for failover which is Active /standby.Command line shows failover as active and standby.
But under ASDM,Licensing ,Activation key it show as
Failover
Active/Active
Is this by design that it show as active/active?
Regards
Mahesh

Hi Mahesh,
I think it means that the ASA is licensed to be able to support Active/Active while you have actually set up the ASAs to do Active/Standby
To my understanding for example the ASA5505 model could only support Active/Standby Failover since it doesnt Security Contexts as those are required for an Active/Active setup.
- Jouni

ASA Expert Wanted | Active Active Failover Requirment

Similar Messages

Maybe you are looking for