https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795426#M175248 <P>Hello,</P> <P>Unfortunately, security context on multiple context mode (or Act/Act pair) is not real virtual machine such as virtual machine on ESXi or VMware Workstation. Security context will be behaving a virtual firewall, but it is not perfect one. So it has some limitations (e.g. VPN, Routing, QoS, etc)</P> <P>Multiple context mode started to support Site-to-site VPN from 9.0. Therefore, RemoteVPN might be supported in the future.., but latest ASA version 9.5 does not support Remote VPN. So the future of the support is unclear.</P> <P>ASA9.5:<BR /><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-0000015b">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-0000015b</A><BR />--------------------------------------------------------<BR />Guidelines for Multiple Context Mode<BR /> -- snip --<BR />Unsupported Features<BR />Multiple context mode does not support the following features:<BR /> RIP<BR /> OSPFv3. (OSPFv2 is supported.)<BR /> Multicast routing<BR /> Threat Detection<BR /> Unified Communications<BR /> QoS<BR /> <SPAN style="color: #3366ff;">Remote access VPN. (Site-to-site VPN is supported.) &lt;--- THIS</SPAN><BR />--------------------------------------------------------</P> <P>I think if you will migrates your ASAs to multiple context mode for Act/Act support, as your mentioned, putting another ASA for accepting Remote VPN would be prefered solution.</P> Sat, 07 Nov 2015 17:03:31 GMT Akira Muranaka 2015-11-07T17:03:31Z https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795425#M175246 <P>We have to Cisco ASA's at a customer site. At the moment they are in single context mode (active/passive) and thus used for failover.</P> <P>We want to change this to an active/active configuration but the problem is that we use remote access VPN. We need to find a solution for the VPN limitation&nbsp;before we can implement the active/active configuration. 1 solution is put another firewall in the topology dedicated for the VPN connections.</P> <P>The other possible solution is using DirectAccess within Windows.</P> <P>I would like to know if this&nbsp;is supported&nbsp;when both ASA's are&nbsp;multiple context mode. I cannot find&nbsp;an answer to this&nbsp;anywhere. Also if someone knows this in depth, why is VPN not working in a active/active configuration? I understand the 2 ASA's will behave as one single virtual machine, but what exactly is the reason it doesn't work in multiple context mode? Also <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1761">@cisco</a> when will remote access VPN be supported in multiple context mode?</P> <P>Thanks in advance!</P> Tue, 12 Mar 2019 06:50:20 GMT https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795425#M175246 a.agoudi1 2019-03-12T06:50:20Z https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795426#M175248 <P>Hello,</P> <P>Unfortunately, security context on multiple context mode (or Act/Act pair) is not real virtual machine such as virtual machine on ESXi or VMware Workstation. Security context will be behaving a virtual firewall, but it is not perfect one. So it has some limitations (e.g. VPN, Routing, QoS, etc)</P> <P>Multiple context mode started to support Site-to-site VPN from 9.0. Therefore, RemoteVPN might be supported in the future.., but latest ASA version 9.5 does not support Remote VPN. So the future of the support is unclear.</P> <P>ASA9.5:<BR /><A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-0000015b">http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-0000015b</A><BR />--------------------------------------------------------<BR />Guidelines for Multiple Context Mode<BR /> -- snip --<BR />Unsupported Features<BR />Multiple context mode does not support the following features:<BR /> RIP<BR /> OSPFv3. (OSPFv2 is supported.)<BR /> Multicast routing<BR /> Threat Detection<BR /> Unified Communications<BR /> QoS<BR /> <SPAN style="color: #3366ff;">Remote access VPN. (Site-to-site VPN is supported.) &lt;--- THIS</SPAN><BR />--------------------------------------------------------</P> <P>I think if you will migrates your ASAs to multiple context mode for Act/Act support, as your mentioned, putting another ASA for accepting Remote VPN would be prefered solution.</P> Sat, 07 Nov 2015 17:03:31 GMT https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795426#M175248 Akira Muranaka 2015-11-07T17:03:31Z https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795427#M175250 <P><A href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html">Remote access support in 9.5(2)</A></P> <P></P> <P><A href="https://supportforums.cisco.com/discussion/12980056/multi-context-asa-ssl-vpn-question">https://supportforums.cisco.com/discussion/12980056/multi-context-asa-ssl-vpn-question</A></P> Sat, 18 Mar 2017 13:04:18 GMT https://community.cisco.com/t5/network-security/directaccess-possible-with-multiple-context-mode/m-p/2795427#M175250 Peter Koltl 2017-03-18T13:04:18Z