Active-Active Failover when different contexts monitor different interfaces

steven.crutchley · ‎04-05-2014

I'm trying to understand the relationship between failover groups and contexts, however it appears that the configuration is split in an way that I am having trouble understanding.

The interfaces that you actually monitor are configured PER CONTEXT e.g.

ciscoasa/ConextA(config)# monitor-interface inside

But the number of interfaces that need to fail for failover to take place is done PER FAILOVER GROUP e.g.

ciscoasa(config)# failover group 1

ciscoasa(config-fover-group)# interface-policy 1

(from the system context)

If my laptop could take it, I would spin up a test environment in GNS3, but I think the best way to ask the question is to give an example. What would happen in the following setup:

OPTION 1

OPTION 2

Thanks in advance

Marius Gunnerud · ‎04-07-2014

You would never have a scenario where, as you put it, the Admin context would monitor Gi0 and ContextB also monitor Gi0. This is because you need to assign the interface to a specific context and once it is assigned to one context it can not also be assigned to another...unless you have configured subinterfaces, then those subinterfaces can be split up and assigned to seperate contexts. But one interface or one subinterface can not be assigned to more than one context.

Now, if you have failover groups configured and an interface on one failover group dies, then only the context that the interface belongs to will failover to the standby failover group.

The following is a good article to have a read through on the Active/Active failover functions:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91336-pix-activeactive-config.html

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts