topic Re: ASA Active/Active HA Confusion in Network Security

ASA Active/Active HA Confusion

SIMMN — Wed, 29 May 2019 14:04:30 GMT

Referring to ASA v9.12 CLI Guide here of the Active/Active HA and quoted below:

If you want Active/Active failover, but are otherwise uninterested in multiple contexts, the simplest configuration would be to add one additional context and assign it to failover group 2.

Say I need Active/Active HA with a pair of ASA 5525-X but not plan to do multiple security contexts. I have the admin context as the only security context inspecting and forwarding data. I set the failover group 1 with ASA#1 as the active unit. Following the quoted statement above, I create a dummy context and join it to the failover group 2 with the ASA#2 as the active unit. So now wouldnt ASA#1 is active and ASA#2 is standby for failover group 1 as if it was the active/standby HA? Or I misunderstood it that there is no such concept as the standby anymore with the ASA Active/Active HA in multi-context mode?

Re: ASA Active/Active HA Confusion

GRANT3779 — Wed, 29 May 2019 14:44:31 GMT

I think I understand what you are asking.

In an active/active setup there is still an active/standby situation for each fail over group. The active/active is basically saying both firewalls can pass traffic, but for different fail-over groups at any one time. In a typical active/standby without contexts, one firewall will be passing traffic.

Active/Active does not mean there is no standby as such.

Re: ASA Active/Active HA Confusion

SIMMN — Wed, 29 May 2019 15:34:24 GMT

Thats what I thought but it is not what that quoted paragraph said in my post...

Re: ASA Active/Active HA Confusion

balaji.bandi — Wed, 29 May 2019 19:20:30 GMT

Active / Active is always multi context.

Re: ASA Active/Active HA Confusion

Jon Marshall — Wed, 29 May 2019 20:13:35 GMT

I think the confusion is because active/active cannot work for the same context so if you are just using one context you cannot have active/active failover for it, it is just active/standby.

I agree the paragraph is misleading because it seems to be saying if you don't want multiple contexts here is a way to have active/active failover but it isn't because you have to have multiple contexts.

It is in effect a circular argument and is there because in my opinion active/active is a misleading term, it is really active/standby per context with the ability to have each firewall active for a subset of the contexts.

But that doesn't sound as good in marketing terms 🙂

Jon

Re: ASA Active/Active HA Confusion

SIMMN — Mon, 17 Jun 2019 15:22:01 GMT

we are on the same page...:)