Cisco ASA Active/ Active

Similar Messages

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• IPS modules in Cisco ASA 5510 Active/Standby pair.

  All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
  Sent from Cisco Technical Support iPad App

  Ok, that is what I needed to know.  The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure.  The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running.  If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS funcationality.  This is not worth the $1000 extra per year to us.
  Thanks for the responses though.  That answers my questions.

• Cisco ASA Active standby failover problem

  We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
  ASA01# show run
  ASA01# show running-config 
  : Saved
  ASA Version 8.2(5) 
  hostname ASA01
  enable password PVSASRJovmamnVkD encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.1 MPLS_Router description MPLS_Router 
  name 192.168.2.1 SCADA_Router description SCADA_Router
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
   switchport access vlan 2
  interface Ethernet0/3
  interface Ethernet0/4
   switchport access vlan 3
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
  interface Vlan2
   nameif outside
   security-level 0
   ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
  interface Vlan3
   description LAN Failover Interface
  ftp mode passive
  clock timezone AST 3
  access-list inside_access_in extended permit icmp any any 
  access-list inside_access_in extended permit ip any any 
  access-list inside_access_in extended permit ip any host MPLS_Router 
  access-list outside_access_in extended permit icmp any any 
  access-list outside_access_in extended permit ip any any 
  access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface FAILOVER Vlan3
  failover key *****
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route-map Route_Out permit 1
   match ip address inside_access_in outside_access_in
   match interface inside
  route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 inside
  http authentication-certificate inside
  http authentication-certificate outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password eY/fQXw7Ure8Qrz7 encrypted
  prompt hostname context 
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
  : end

  I suggest removing the failover configuration on both units and then re-add them, and then test.
  Primary
  failover lan interface FAILOVER Vlan3
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  failover lan unit primary
  failover key KEY
  failover
  Secondary
  failover lan interface FAILOVER Vlan3
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  failover lan unit secondary
  failover key KEY
  failover
  Please remember to select a correct answer and rate helpful posts

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• ASA 5520 Activation Key Help

  Hi All,
  we recently installed a activaiton key for the Anyconnect License on our ASA 5520. We have a pair runnning, in Active/Standby mode, on IOS 8.0. The Activation/License was installed on the Primary ASA. Once installed the all failover configuration was removed, and we were left with 2 ASAs running in Active/Active mode. This cause haoc across the network. I would like to go back and recover and reinstall the old activation key. Is this possible?? If so how would I be able to achieve this. Or do I need to ontain a new license key. Ultimately I would like to get back to the stage before instlaling the Anyconnect License, where we had a 2 ASAs running in Active/Standby mode.
  Thank you for your help and suggestions.
  Cheers
  Deena
  oput put from sh activation-key detail and sh version
  CH-ASA# sh act det
  Serial Number:  JMX1101K2SU
  Permanent Flash Activation Key: 0x370fc559 0x2476a024 0xccc355a4 0xacd81440 0x4110329d
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 2
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  Temporary Flash Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Disabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This is a time-based license that will expire in 27 day(s).
  Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This platform has an ASA 5520 VPN Plus license.
  This is a time-based license that will expire in 27 day(s).
  The flash activation key is the SAME as the running key.
  CH-ASA# sh ver
  Cisco Adaptive Security Appliance Software Version 8.0(5)
  Device Manager Version 6.2(5)53
  Compiled on Mon 02-Nov-09 21:22 by builders
  System image file is "disk0:/asa805-k8.bin"
  Config file at boot was "startup-config"
  CH-ASA up 18 hours 30 mins
  Hardware:   ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 256MB
  BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
  Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
  0: Ext: GigabitEthernet0/0  : address is 0019.0665.6dfc, irq 9
  1: Ext: GigabitEthernet0/1  : address is 0019.0665.6dfd, irq 9
  2: Ext: GigabitEthernet0/2  : address is 0019.0665.6dfe, irq 9
  3: Ext: GigabitEthernet0/3  : address is 0019.0665.6dff, irq 9
  4: Ext: Management0/0       : address is 0019.0665.6dfb, irq 11
  5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
  6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
  Licensed features for this platform:
  Maximum Physical Interfaces  : Unlimited
  Maximum VLANs                : 150
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                      : Enabled
  VPN-3DES-AES                 : Enabled
  Security Contexts            : 2
  GTP/GPRS                     : Disabled
  VPN Peers                    : 750
  WebVPN Peers                 : 750
  AnyConnect for Mobile        : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions            : 2
  This platform has an ASA 5520 VPN Plus license.
  This is a time-based license that will expire in 27 day(s).
  Serial Number: JMX1101K2SU
  Running Activation Key: 0x29249e66 0x500f33dc 0xcd79274e 0x534c7c93 0x81bc53bc
  Configuration register is 0x1
  Configuration has not been modified since last system restart.
  CH-ASA#

  If you upgrade your ASA software to a bit more recent image first you can share the AnyConnect license (activation key) across both devices. Otherwise you would need to install a separate activation key on the second unit.
  Sent from Cisco Technical Support iPad App

• Asa active/active questions

  if i have asa's configured as active/active;
  1. Is this situation treated as one? I mean can i manage this only with IDM?
  2. The 5520 can have 130,000 connections. If i am using 2 of this which is config active/active, can i say that am having 130,000X2=260,000 connections?
  thanks.

  1. In ASA, Active/Active can only be acrhived when both ASA is in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewall. You can refer to following configuration example.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
  In your case, you need to create 2 context in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B. While in ASA-2, it should be standby in Context-A and active for Context-B. You should be have seperate set of configuration for each Context.
  To manage the configuration, you can use ASDM.
  2. I am sorry, I don't know that

• ASA Active/Active Configuration

  Dear All,
  In configuring Active/Active mode of ASA, most examples are stating using
  2 customers for Active/Active. If I only get 1 customer with 4 interfaces as
  following:
  1) Outside
  2) Inside
  3) DMZ
  4) VPN
  Can I still use the Active/Active mode?
  If so, then how to allocate the interfaces to the 2 failover groups? Let
  assume:
  Failover group 1: Outside and DMZ
  Failover group 2: VPN and Inside
  That means ASA_A is primary of Group1, while ASA_B is primary of Group2. If
  so, is the traffic between Outside and Inside has problem? Since they are
  crossing the 2 failover group on the 2 ASA.
  Please correct me and my assumption. A sample configuration would be much appreciate.
  Thanks in advance.
  Br,
  Sam

  Thank you for the reply Jennifer.
  I was reffering to the following document:
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091405
  Failure Event
  Policy
  Active Action
  Standby Action
  Notes
  Failover link failed during operation
  No failover
  Mark failover interface as failed
  Mark failover interface as failed
  You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down.
  Stateful Failover link failed
  No failover
  No action
  No action
  State information becomes out of date, and sessions are terminated if a failover occurs.
  I think I should rephrase question 2) If I have two seperate links for Failover and Stateful failover, will that fix my problem?
  How can I configure seperate Failover and Stateful failover links? If I understand correctly, they are more than just redundant links.
  Sorry I didn't accurately phrase my original post.
  Thank you

• Can two ASA build up a loadbalance such as active/active mode ?

  Hi, Professionals
  I am wondering if two ASA be able to build up a loadbalance such as active/active mode, balance the traffic, ?
  thanks in advance,
  Yang

  Yes, running the ASA's in active/active is so you can load balance traffic. Here's a link with more information.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps.

• ASA active active design

  Hi
  I configurate ASA's in active active mode. I create 10 context's in Primary ASA. 5 context are in group1 in ASA1 and 5 conetexts are in group2 in ASA2.
  The problem assign ip address to outside interface of context's.
  I use int gi0/0 and gi0/1 for outside interfaces. 5 contexts are in gi0/0 and 5 contexts are in gi0/1 interface.
  gi0/2-gi0/6 for inside interface.
  I create subinterface in inside interfaces and assign different vlan. In different conetext give different subnet. That is ok.
  The issue is:
  i want to use the same subnet but differen ip for outside interface of context's. is it possible?  I configurate eigrp protocol in Context's.
  Thanks.

  Dears
  i find the documentation
  http://www9.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml#mul
  But this is version 7.x
  Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode
  Assigning the same IP address to the shared interface is not possible. A shared interface over multiple contexts allows us to simulate virtual firewalls over the same LAN segment. When the same IP address is assigned to the shared interface, for example shared over multiple contexts, it gives an IP address conflict error. The ASA will not allow this configuration because of the ARP issue between the contexts for the same IP address.
  The error is shown here for your reference: ERROR: This address conflicts with another address on net.
  Here is wroten that same ip address but i want to configurate same subnet but different ip address. is it possible?
  i use 9.1 version in ASA's

• ASA Expert Wanted | Active Active Failover Requirment

  Hello Everyone,
  We have two new ASA5515-X and im currently in planning phase of its deployment. Not sure if ASA can support these requirments
  Here’s what we need to have in place
  A. During normal operation, wherein both ASAs and ISPs are operational.
  1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA1's interface g1
  3. All incoming ISP2 traffic will be handled by ASA2's interface g2
  B. ASA1 failure, ASA2 and both ISPs are operational
  1. By default all traffic will be routed out through ASA2's intergace g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA2's interface g1
  3. All incoming ISP2 traffic will be handled by ASA2's interface g2
  C. ASA2 failure, ASA1 and both ISPs are operational
  1. By default all traffic will be routed out through ASA1's intergace g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
  2. All incoming ISP1 traffic will be handled by ASA1's interface g1
  3. All incoming ISP2 traffic will be handled by ASA1's interface g2
  D. ISP1 failure, both ASAs and ISP2 are operational
  1. All traffic will be handled by ASA2's interface g2 (backup)
  E. ISP2 failure, both ASAs and ISP1 are operational
  1. All traffic will be handled by ASA1's interface g1 (outside)
  F. Item D + ASA2 failure
  1. All traffic will be handled by ASA1's interface g2 (backup)
  G. Item E + ASA1 failure
  1. All traffic will be handled by ASA2's interface g1 (outside)
  Note:
  InterfaceG1 is nameif'ed outside and is connected to ISP1
  InterfaceG2 is nameif'ed backup and is connected to ISP2
  Also, as a follow up, per my initial findings I need to enable multiple context to achieve what us required. But we also need a VPN redundancy and failover. But I red somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already supports VPN in multi context mode? If not, what approach would you suggest to address these requirement?
  Here's daigram of what im thinking
  Your inputs is highly appreciated
  Thanks everyone !

  One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
  the ASA9 supports VPN in A/A, but only site-to-site, no remote access.
  Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
  Sent from Cisco Technical Support iPad App

• ASA CX / PRSM Active/Active Failover?

  Hi everyone.
  I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.
  I'm trying to find if a 2 ASAs+CX in Active/Active configuration is supported and how to do it.
  On one side, on the PRSM configuration guide for 9.2, it says "Active-Standby is the only supported high availability configuration", but I don't understand if it's just for adding devices to PRSM or that an Active/Active configuration is not supported by the CX module.
  On the other hand, this forum discussion says that they are using Active/Active with CX.
  So, I need to know if it will work. I know that if I use Active/Active I should use contexts, which some are Active on one ASA and others are active on the other one.  I would assume that the CX module configuration should be the same for both ASAs as to support all the networks policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).
  Any advice on this? Guides maybe?
  Thanks in advance.

  Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.
  Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665
  The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.

• How to do nat at active/active asa

  Hi i want to learn how to do nat(PAT) at active/active asa. i must be write nat command each context or other way which i do not know?
  thanks

  Hi Teymur,
  Configuring NAT on an Active/Active pair is the same as any other multi-context ASA. The NAT commands are configured per-context, so you'll just want to login to the appropriate context to configure the commands.
  In an Active/Active pair, some contexts are Active on one physical unit, while other contexts are Active on the other physical unit, but that's the only difference. You'll want to make sure you always make changes on the Active version of the context.
  Hope that helps.
  -Mike

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.