Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
0
Helpful
2
Replies

about ASA ACTIVE/ACTIVE

yang yang
Level 1
Level 1

‎08-26-2015 01:15 AM - edited ‎03-11-2019 11:29 PM

hi all

      i am realy have trouble to understand ASA firewall's ACTIVE/ACTIVE mode, and router support's HSRP/VRRP/GLBP. the only thing i know about it by all reading is, ACTIVE/ACTIVE provide all line(e.g two line at same time pass different set of traffic ) routing and  have high avibility. but for what i know about routing the router do have this loadbalance + failover by use HSRP/VRRP/GLBP and the ASA do support the them why shoud ASA use the  ACTIVE/ACTIVE that can have trouble like uRPF or even have problem on some VPN link. can some one give some explain this to me?

 

Labels:
0 Helpful
2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

‎08-26-2015 11:40 AM

Hi; 

 

Think the ASA on Active/Active as creating VRFs on a router, that way would be simpler. Only one context can be active in each of the firewalls so all routing problems or VPN issues will not apply. It is just virtual firewalls. 

 

In fact, you can have all the Contexts, (virtual firewalls) configured in just one ASA, the fact that makes it Active/Active is that some of the contexts are Active in one ASA and some others are active in another ASA. 

Mike. 

Mike
0 Helpful

yang yang
Level 1
Level 1
In response to Maykol Rojas

‎08-26-2015 05:46 PM

i am new to this ASA Active/Active so correct me if i am wrong

so what you  means is:
                                                                                         --othere end of device inetrfasce-- router 1
ASA 1 ---interface0/0--                                                      --other end of device interrface -- router 2  
                   ---virtual-like one interface for ASA-- +switch-  --other end of device interface-- server 2
ASA 2 ---interface0/0--                                                        --other end of device interface -- server1


all the router and serverd  area see the ASA1 and ASA2 as one link or one firewall.
is this graphic explain the thing you area talk about?


but if this is the case then ,  i will have double Active/Active that will have many to many relation to other end servers and routers, and if the router end and sever end do not have any NAT setting then will lead to uRPF.the only way i know to solve it to increase the interface active can use phycial interface or can use sub interface over ASA side. to make the relastion ship act as one tp many. and will have hard time when doing troubshooting. if that is true than why need the Active/Active at all simple add new interface to relate to each other end device will be much easy to manage.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card