Upgrading ACE, redundant active-active context

Hi,
We have 2 ACE's running in our network, and we would like to upgrade the ACE software.
To minimize any disruption to existing network traffic during a software upgrade or downgrade, deploy your ACE modules in a redundant configuration. For details about redundancy, see Chapter 7, Configuring Redundant ACE Modules. The following steps provide an overview on upgrading a redundant configuration used in conjunction with the procedures in this appendix:
1. Upgrade the active module first.
2. Reboot the active ACE after the software installation. When you reboot the active ACE, it fails over to the standby module and existing traffic continues without interruption.
3. Upgrade the new active module.
4. Reload the active ACE after the redundant module is up and the high availability (HA) state is hot. A similar failover occurs when you reboot this ACE and once again the existing traffic continues. The original active ACE is active once again.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/upgrade.html
This section describes the methods and CLI commands that you can use to troubleshoot redundancy issues in your ACE.
1. Ensure that the software versions and licenses installed in the two ACEs are identical. A software or license mismatch may generate the following syslog message:
%ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be Redundant.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Redundancy
Following those steps, is there any problem that would happen after step 2, having a different software version on the first and second module?
Also on step 4, 'Reload the active ACE after the redundant module is up and the high availability (HA) state is hot.', is that possible with both modules using a different software version?

Hi,
When you upgrade or downgrade the ACE software in a redundant configuration with different software versions, the STANDBY_WARM and WARM_COMPATIBLE states allow the configuration and state synchronization process between the peers to continue on a best-effort basis. This basis allows the active ACE to synchronize configuration and state information with the standby even though the standby may not recognize or understand the CLI commands or state information.
In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Troubleshooting_Redundancy#About_WARM_COMPATIBLE_and_STANDBY_WARM
Siva
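A small model of the four-step procedure and the HA states discussed in this thread, added here as an illustration (it is not Cisco code and not from either post). It encodes only what the posts state: identical running versions allow STANDBY_HOT, differing versions cap the peer at STANDBY_WARM, where failover still occurs but stateful failover is not guaranteed; module names and version labels are constructed.

```python
"""Model of a redundant ACE pair going through the four upgrade steps."""
from dataclasses import dataclass, field
from typing import List, Optional

HOT = "STANDBY_HOT"    # running versions identical: full config/state sync
WARM = "STANDBY_WARM"  # running versions differ: best-effort sync only


@dataclass
class AceModule:
    name: str
    running: str                   # software version currently booted
    staged: Optional[str] = None   # image installed but not yet booted
    active: bool = False


@dataclass
class RedundantPair:
    a: AceModule
    b: AceModule
    log: List[str] = field(default_factory=list)

    def active(self) -> AceModule:
        return self.a if self.a.active else self.b

    def standby(self) -> AceModule:
        return self.b if self.a.active else self.a

    def ha_state(self) -> str:
        # A software mismatch between peers limits the standby to WARM.
        return HOT if self.a.running == self.b.running else WARM

    def install(self, module: AceModule, version: str) -> None:
        # Installing only stages the image; the running version changes at reboot.
        module.staged = version
        self.log.append(f"install {version} on {module.name} (running {module.running})")

    def reboot_active(self) -> str:
        """Reboot the active module; traffic fails over to the standby.

        Returns the HA state at the moment of failover. Only HOT means the
        stateful failover was guaranteed; WARM means best effort.
        """
        state_at_failover = self.ha_state()
        old_active, new_active = self.active(), self.standby()
        old_active.active, new_active.active = False, True
        if old_active.staged:
            old_active.running, old_active.staged = old_active.staged, None
        self.log.append(
            f"reboot {old_active.name}: failover to {new_active.name} from "
            f"{state_at_failover}; {old_active.name} returns as standby "
            f"running {old_active.running}"
        )
        return state_at_failover


def upgrade_pair(pair: RedundantPair, new_version: str) -> List[str]:
    """Run the four steps from the thread; return the failover states observed."""
    observed = []
    pair.install(pair.active(), new_version)   # 1. upgrade the active first
    observed.append(pair.reboot_active())      # 2. reboot it; fails over to standby
    pair.install(pair.active(), new_version)   # 3. upgrade the new active
    # 4. reload the active once the peer is back up. Running versions now
    #    differ, so the peer is WARM and this failover is only best effort.
    observed.append(pair.reboot_active())
    return observed


def demo():
    # Constructed module names and version labels, not real ACE releases.
    pair = RedundantPair(
        a=AceModule("ACE-1", running="OLD-VERSION", active=True),
        b=AceModule("ACE-2", running="OLD-VERSION"),
    )
    states = upgrade_pair(pair, "NEW-VERSION")
    return pair, states


if __name__ == "__main__":
    result, seen = demo()
    print("\n".join(result.log), "\nfailover states:", seen)
```

Running it shows the step-2 failover happening from STANDBY_HOT and the step-4 failover from STANDBY_WARM, with the original active module active again on the new version at the end.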

Similar Messages

  • Cisco asa security context active/active failover

    Hi,                  
    I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
    Each ASA appliance will have two security context named "ctx1" & "ctx2".
    I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
    I am a reading a book on failover configuration in active/active in that below note is mentioned.
    If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
    What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
    Regards,
    Nick

    You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • ACE 4710 Active/Active using virtual partitions

    Hi
    I am completely new to the Cisco ACE devices but have been asked to look at deploying them. I have read the ACE virtual partitioning paper which covers the ACE module, and it mentions the following:
    "In an active/active high-availability design, both the primary and backup Cisco ACE modules are active simultaneously. The active virtual partitions are distributed across both modules, such that approximately half are active on the primary module and the remaining are active on the backup module."
    My question is: does the same resilience model work using the Cisco 4710 appliances? I.e. can we split virtual partitions across two physical devices, thereby having an active/active scenario?
    Apologies if this seems a very basic question.
    Cheers
    TS

    Hi Tony
    Yes, you can do the same on Appliance. One point which can be important for A/A implementation is that it's a good practice to have shared-vlan-hostid configured on ACEs.
    Briefly: when ACE boots it randomly picks one out of 16 pools of MAC addresses and uses them on interfaces. So, if you have contexts which are sharing the same VLAN on different ACEs, there is a possibility that both ACEs pick up the same pool and you will have duplicated MAC addresses.
    So you should configure something like this in Admin context (only on ACE which has Admin context active, configuration starts working only after reload of both devices) :
    shared-vlan-hostid 1
    peer shared-vlan-hostid 2
    More details about this question you can see here:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/administration/guide/redundcy.html#wp1076704

  • FWSM OS upgrade in Active/Active mode

    Hi All,
    Can you please share with me the procedure to upgrade FWSM in Active/Active mode with minimum downtime.
    Regards,
    Ajith

    The procedure is documented in the configuration guide here.

  • Multiple context mode and Active Active

    Hi Everyone,
    ASA in multiple context  mode works as active active mode.
    ASA has 2 contexts admin and  x.
    We have 2  physical ASA say ASA1 and ASA2 .
    Under system context we have hostname ASA
    When i ssh to ASA1 it brings the ASA/admin mode.
    sh failover shows
    This host:    Primary
    When i try to login to ASA 2 it brings me to ASA/x prompt.
    sh failover shows
      This context: Active
    Peer context: Standby Ready
    Need to  know is there any way that i can login to other physical ASA?
    i hope my question makes sense.
    Message was edited by: mahesh parmar

    Hi Mahesh,
    To me it seems that you are logging in to different contexts in these 2 cases.
    Normally an admin always logs to the "admin" context IP address owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
    So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
    Then go to the context "x" and issue the command "show run interface"
    Now check the IP addresses on the interfaces.
    Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally led you to the "admin" context.
    For example
    ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
    If the above were true you would connect to the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit.
    - Jouni

  • Global load balancing/active active vip and virtual interface redundancy

    Is there a way to configure both of these technologies without exposing the external addressing to the internal network? I have active active within the data center and would like to have active/active across two data centers but I don't see any way to use internal addressing for my content rules and still use them for dns unless I can specify records without using content rules. Thanks.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a008009438a.shtml
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157898.html

    Hi Victor,
    In response to your questions regarding doing Active/Active GSLB using VIP and interface redundancy.
    Rule Based GSLB will not work with VIP/Interface redundancy.
    The reason is because the CSS can not set up an app session to a redundant interface, it needs to set the app session up to a real interface. Thus, a full mesh topology must be used for GSLB and vip/interface redundancy.
    Bug ID CSddw27861 reported this problem and engineering added the command "ap-kal-vip" to support a full mesh topology. This command can only be used under zone based GSLB and not rule based.
    The syntax for the command would be:
    dns-record a www.work.com 5.5.5.5 0 single kal-ap-vip 1.1.1.1
    Rule/ACL based GSLB with vip/int redundancy will not work.
    Regards,
    Mark

  • Strict redundancy/strict failover (active/passive) or active/active operation?

    Hi,
    I couldn't find documentation which states clearly how traffic flows from the mezzanine adapter ports to the FEX adapters. We have the A side and the B side, that is for both fabric interconnects and FEX adapters. Does the B side actively send and receive traffic (active/active) or is it a redundant setting (replica of side A) waiting idle till something goes wrong with side A (active/passive)? If it is active/active, how is the load balancing algorithm working at the server adapter to pick, say, the B side as opposed to the A side? Please put it clearly. All the discussions I see talk about how traffic is forwarded on the A side and they explain failure scenarios which only make sense when the B side is just redundant and standby. Please let me know.
    Thanks,
    Kerim

    Hi Abhinav,
    Thanks! This made it a bit clearer. You said both fabrics (A & B) are active/active physically and not logically. Let me see if I get this right. For a MAC address or vEth port which is currently on fabric A to be seen on fabric B, there has to be a failure on fabric A and vice versa.
    The other thing I read in a documentation is that for every vEth port on FI (fabric interconnect) A, a replica will be created on FI-B which will be just sitting there waiting for failure on fabric A. Is this true? If so, is the reverse also true, i.e. for every active vEth port on FI-B a replica will be created on FI-A waiting for failure on fabric B? What does this say about the MAC address table size of the FI? Please let me know.
    thanks,
    Kerim

  • Active-Active Failover when different contexts monitor different interfaces

    I'm trying to understand the relationship between failover groups and contexts, however it appears that the configuration is split in a way that I am having trouble understanding.
    The interfaces that you actually monitor are configured PER CONTEXT e.g.
    ciscoasa/ContextA(config)# monitor-interface inside
    But the number of interfaces that need to fail for failover to take place is done PER FAILOVER GROUP e.g.
    ciscoasa(config)# failover group 1
    ciscoasa(config-fover-group)# interface-policy 1
    (from the system context)
    If my laptop could take it, I would spin up a test environment in GNS3, but I think the best way to ask the question is to give an example. What would happen in the following setup:
    OPTION 1
    OPTION 2
    Thanks in advance

    You would never have a scenario where, as you put it, the Admin context would monitor Gi0 and ContextB also monitor Gi0. This is because you need to assign the interface to a specific context and once it is assigned to one context it can not also be assigned to another...unless you have configured subinterfaces, then those subinterfaces can be split up and assigned to separate contexts. But one interface or one subinterface can not be assigned to more than one context.
    Now, if you have failover groups configured and an interface on one failover group dies, then only the context that the interface belongs to will failover to the standby failover group.
    The following is a good article to have a read through on the Active/Active failover functions:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html
    Please remember to rate and select a correct answer

  • ACE Redundancy

    It seems ft groups are the ACE redundancy feature. FT groups are associated with contexts. In turn contexts are associated with slb groups. Does this mean, one must group slb groups into contexts according to failover behavior?
    In other words, how do I relate contexts, ft groups and slb groups? I need some to be Active-Active and some Active-Standby.

    Thanks Gilles,
    Does this not defeat what I understand to be the purpose of contexts, to provide virtual machines for the different business interests to log into?
    Am I to understand also then that the entire context will failover, all the slb groups in it, if the ft heartbeat test does not pass? What about the health probes for slb groups, they are purely to determine if a server is eligible for traffic or not, and cannot assist in failing over a group if necessary?
    The Active-Active is at the customer's request. They would like read requests to go to all servers, in both locations, and write requests to go to only one (Active-Standby).

  • CSS 11503 in Active Active mode

    Can we configure CSS 11503 in Active/Active mode, meaning can multiple contexts be configured?
    Thanks & Regards,
    Shahzad.

    Here you go
    Assumptions:
    VIP 10.10.10.100 is Master on the CSS 2 and backup on the CSS1
    VIP 10.10.10.101 is Master on the CSS1 and backup on the CSS1
    Vlan 10 is the Server Vlan (Redundant Interfaces here)
    Vlan 20 is the Client vlan (Redundant Vips here)
    Services for VIP 10.10.10.100 (real server) have default gateway pointing to redundant interface 172.20.40.253
    Services for VIP 10.10.10.101 (real server) have default gateway pointing to redundant interface 172.20.40.254
    CSS #1
    circuit VLAN10
    ip address 172.20.40.1 255.255.255.0
    ip virtual-router 1 priority 101 preempt
    ip virtual-router 2
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.1 255.255.255.0
    ip virtual-router 3 priority 101 preempt
    ip virtual-router 4
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    CSS #2
    circuit VLAN10
    ip address 172.20.40.2 255.255.255.0
    ip virtual-router 1
    ip virtual-router 2 priority 101 preempt
    ip-redundant-interface 1 172.20.40.253
    ip-redundant-interface 2 172.20.40.254
    Circuit VLAN20
    ip address 10.10.10.2 255.255.255.0
    ip virtual-router 3
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 3 10.10.10.101
    ip redundant-vip 4 10.10.10.100
    More details at
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20_v8.10/configuration/redundancy/guide/VIPRedun.html#wp1112245
    Syed Iftekhar Ahmed

  • Active-Active firewall, multiple mode can't do file management?

    Hi all
    as above title, found that i can't use ASDM to do file management.
    I get this after i read the configuration documents: Backing Up and Restoring Configurations, Images, and Profiles (Single Mode)
    So in Active-Active it's a multiple mode, can't just simply backup/upgrade it firmware and ASDM?
    You are welcome to share your comment, thanks in advance
    Noel

    Hi,
    Please make sure you are in the system context to take the back up or restore. It only appears in the system context.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • ASA active/active failover back to back

    Hi,
    For HA I want to connect 4 ASA's in active/active failover with each ASA having two contexts.
    The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.
    Is this possible and what would you need to do it  ie a switch or two in between ?
    I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???
    Would you put 2 switches trunked together carrying two vlans, one for each context ?
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
                   |  |                                |  |
              -| CTX1 |-          ?         -| CTX1 |-
              -| CTX2 |-          ?         -| CTX2 |-
    Thanks in advance.

    Your latest attachment is pretty close to what I was thinking.
    I would add a second interface on each ASA to the switches.
    So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.
    An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.
    You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

  • ASA Expert Wanted | Active Active Failover Requirment

    Hello Everyone,
    We have two new ASA5515-X and I'm currently in the planning phase of its deployment. Not sure if ASA can support these requirements.
    Here’s what we need to have in place
    A. During normal operation, wherein both ASAs and ISPs are operational.
    1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    B. ASA1 failure, ASA2 and both ISPs are operational
    1. By default all traffic will be routed out through ASA2's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA2's interface g1
    3. All incoming ISP2 traffic will be handled by ASA2's interface g2
    C. ASA2 failure, ASA1 and both ISPs are operational
    1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
    2. All incoming ISP1 traffic will be handled by ASA1's interface g1
    3. All incoming ISP2 traffic will be handled by ASA1's interface g2
    D. ISP1 failure, both ASAs and ISP2 are operational
    1. All traffic will be handled by ASA2's interface g2 (backup)
    E. ISP2 failure, both ASAs and ISP1 are operational
    1. All traffic will be handled by ASA1's interface g1 (outside)
    F. Item D + ASA2 failure
    1. All traffic will be handled by ASA1's interface g2 (backup)
    G. Item E + ASA1 failure
    1. All traffic will be handled by ASA2's interface g1 (outside)
    Note:
    InterfaceG1 is nameif'ed outside and is connected to ISP1
    InterfaceG2 is nameif'ed backup and is connected to ISP2
    Also, as a follow up, per my initial findings I need to enable multiple context to achieve what is required. But we also need VPN redundancy and failover. But I read somewhere that VPN is not supported in multiple context mode. This is in software version 8.x I think. Does software version 9.x already support VPN in multi context mode? If not, what approach would you suggest to address these requirements?
    Here's a diagram of what I'm thinking
    Your input is highly appreciated
    Thanks everyone !

    One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
    The ASA 9 supports VPN in A/A, but only site-to-site, no remote access.
    Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.

  • Active/active Fail over monitoring

    Guys,
    I have a small concern for my Active active FO. Below are the details of setup.
    1)- I have two pairs of ASA 5520 each carrying three contexts. (CTXT 1-3 in 1st ASA, CTXT 4-6 in 2nd ASA).
    2)- I have created two fail over group in each ASA for active active FO. FO group 1&2 in primary ASA and 3&4 FO group in 2nd ASA.
    3)- I have assigned two contexts (CTXT1-2) to FO group 1 and rest Context (CTXT-3) to FO group 2 in primary ASA.
    4)- Same in the 2nd ASA.
    My question is
    1)- How can I configure my monitor for fail over?
    2)- Is it based on the interfaces of contexts or the number of contexts?
    Thanks
    swap

    Hi Felipe,
    Yes, it could be the NAT configuration, but I've tried creating a back-up NAT rule before and that wasn't successful either.
    nat (inside,outside) source static NETWORK_OBJ_10.80.1.0_24 NETWORK_OBJ_10.80.1.0_24 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
    nat (inside,outside) source static Branch_Inside Branch_Inside destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
    nat (inside,outside) source static Branch_Inside Branch_Inside destination static Roswell Roswell no-proxy-arp route-lookup
    object network inside-net
    nat (inside,outside) dynamic interface
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in_1 in interface outside control-plane
    access-group outside_access_in in interface outside
    access-group outside_access_out out interface outside
    access-group outside_access_ipv6_in in interface outside
    access-group outside_access_ipv6_out out interface outside
    access-group outside_access_in in interface inside
    access-group outside_access_out out interface inside
    access-group outside_access_ipv6_in in interface inside
    access-group outside_access_ipv6_out out interface inside
    access-group outside_p_access_in in interface outside_p
    access-group outside_p_access_out out interface outside_p
    access-group global_access global
    access-group global_access_ipv6 global
    route outside_p 0.0.0.0 0.0.0.0 y.y.y.y 1 track 1
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 255
    Before I was really looking at the license being Base as I may need to upgrade to Security Plus.
