topic In high availability Active-Active or Active-Passive is VPN supp in Network Security

In high availability Active-Active or Active-Passive is VPN supported

Lasandro Lopez — Tue, 12 Mar 2019 01:13:32 GMT

My question is as simple as the title!
Let me know.
Regards!

In high availability Active-Active or Active-Passive is VPN supp

oamarneh — Wed, 13 Mar 2013 10:32:33 GMT

with active-standby setup, yes ALL vpn types are supported. however, with Active-Active, you must have your ASA in multiple-context mode, VPN is not supported with multi context mode, however, starting ASA version 9.0, only Site to Site VPN is supported with multi-context mode.

In high availability Active-Active or Active-Passive is VPN supp

Marcin Latosiewicz — Wed, 13 Mar 2013 10:32:43 GMT

As of ASA 9.0 you can have static l2l VPN in multicontext-mode.

In single context we've been supporting different VPNs for years.

In high availability Active-Active or Active-Passive is VPN supp

david.tran — Wed, 13 Mar 2013 11:39:31 GMT

does it mean that you still have separate HSRP group for l2l vpn in Active/Active? In other words, traffics from the same source going to the same destination will traverse only one ASA and that the other ASA will serve as standby?

In high availability Active-Active or Active-Passive is VPN supp

oamarneh — Wed, 13 Mar 2013 12:20:10 GMT

i am not sure i understood your question properly David.

with active active failover, the ASA will be configured with more than one context (usually), and failover status will be according to the failover-group, so certain contexts will be active on ASA1 standby on ASA2, while the other contexts will be active on ASA2 and standby on ASA1.

so at the end, each context is considered a firewall on its own, non related to other contexts.

so starting version 9.0.1, you can configure static L2L tunnels on each context as needed.

i hope that this answers your question, if not, please provide more details

Regards,

Othman

In high availability Active-Active or Active-Passive is VPN supp

david.tran — Wed, 13 Mar 2013 12:29:15 GMT

in Cisco ASA active/active firewalls, let say you have two network 192.168.1.0/24 and 191.268.2.0/24 behind the firewall trying to get to 1.1.1.1

Active/Active in Cisco ASA means that 192.168.1.0/24 will go through ASA1 and 192.168.2.0/24 will go through ASA2 to get to 1.1.1.1. It is like multiple HSRP group where ASA1 will be active for group 1 and ASA2 is standby for group 1 while ASA2 is active for group2 and ASA1 is standby for group2.

That is different than Active/Active than other vendors. When Active/Active, you can have the same 192.168.1.0/24 going across both firewall for the same destination 1.1.1.1

That's what I mean.

In high availability Active-Active or Active-Passive is VPN supp

oamarneh — Wed, 13 Mar 2013 12:37:11 GMT

to simplify it, each context will act as a separate firewall, and for a certain failover group, the context will be active on ASA1 and standby on ASA2, so traffic for the subnets behind that context will pass through the active firewall, not the standby.

traffic will not pass through both firewalls for the same context, its not actuall loadbalancing here, but more of load distribution between the 2 ASA units.

In high availability Active-Active or Active-Passive is VPN supp

david.tran — Wed, 13 Mar 2013 12:41:51 GMT

Thank you for the clarification. That's what I am afraid of. Cisco interpretation of "Active/Active" is not the same as other vendors. IMHO, it is mis-leasding. Basically, it has not changed since version 7.x

it is all in the fine print, not those big words

In high availability Active-Active or Active-Passive is VPN supp

oamarneh — Wed, 13 Mar 2013 13:02:28 GMT

it is actually active/active...since 1 device is active for a certain group of contexts, and the other device is active for the other group of contexts.

its like instead of having 10 contexts passing traffic on 1 device, you have 5 contexts passing traffic on ASA1 and the other 5 on ASA2, so it is achieveing reasonable load sharing so you not overwhelm 1 device with all that amount of traffic.

and you are correct, it is still the same concept as it was in version 7.x

In high availability Active-Active or Active-Passive is VPN supp

david.tran — Wed, 13 Mar 2013 13:39:16 GMT

it is active/active per virtual context but certain not active/active within a particular context.

I will give you an example. let say you have 192.168.1.0/24 and 192.168.2.0/24 and for the sake of the argument, you have 100Mbps on both ASA1 and ASA2 and that the network 192.168.1.0/24 and 192.168.2.0/24 is 1Gbps link.

Now let say that 192.168.1.0/24 needs to access 1.1.1.1 and ASA1 is active for .1.0/24 and ASA2 and standby for .1.0/24 and vice versa for .2.0/24. let assume that there are very little traffics on network 192.168.2.0/24.

based on cisco definition of active/active, you will max out @100Mbps on 192.168.1.0/24 getting to 1.1.1.1 on ASA1 while ASA2 is just sitting idle. For a true active/active, I should get 200Mbps.

that's why I said "Active/Active" in Cisco is kinda mis-leading... That's why you need to read the fine print