Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
934
Views
0
Helpful
3
Replies

active/active in Single Context Mode?

CAR IT
Level 1
Level 1

‎11-14-2018 01:25 PM - edited ‎02-21-2020 08:28 AM

We're deploying two 5516Xs tonight, and I had taken for granted the config because I couldn't pre-assign IPs because they will be replacing our current firewalls that use the same IPs.

 

So I've held off until today, and now we're staging things and I wanted to get the preliminary failover configured. A little background: I took the config from our old 5510 (pre 8.3) and converted it (some by hand, some by the new ASA, some with conversion tools) to be used on the new 5516.

 

Thing is, our old pair was running active/active in Single Context Mode, so I was going to do that. But everything I've read (including the HA wizard in ASDM) says I must convert to Muli Context Mode. For the meantime, I was going to set them up as active/standby and further investigate what the ramifications are for Multi Context and active/active.

 

My questions are: if I were to convert them both to Multi Mode before the installation, will it materially change things on the ASA such that it would impede tonight's install, or will putting it in active/standby present a problem later when I want to set them to Muli Context? Can they safely be set up with "fake" IPs to get them paired and changing them to the correct production IPs won't cause some unintended problem?

 

Thanks!

 

Steve

0 Helpful
3 Replies 3

mkazam001
Level 3
Level 3

‎11-14-2018 01:54 PM

active/active is only allowed in multi-context mode

you do have the option of leaving as single-conext mode & setting up HA as active/standby

multi-mode mode means using security contexts and if you've not worked with them before, it can take some getting used to the different contexts - may require additonal planning

just in case you don't know already, multi-mode will require security contexts license if you require more than 2 contexts if i remember correctly

i would normally convert both ASA separately to multi-mode first, then configure active/standby failover - so the config would be copied from the Primary to Standby

for testing phase, you can configure any IPs you want and use real ones when required

 

regards, mk

please rate if helpful or solved :)

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎11-14-2018 02:02 PM

There is no reason for Acitive / Active in single context. what is the use case here ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-14-2018 05:58 PM

You probably don't want multiple context mode.

 

If you should decide that you do, despite advice otherwise, be VERY careful when converting. As soon as you change from single ti multiple context mode the existing configuration will be completely lost. You will need to recreate it on one of the new contexts so make sure you understand it completely and have an offline backup.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card