Beginner

ASA Active/Active HA Confusion

Referring to the ASA v9.12 CLI Guide here on Active/Active HA, quoted below:

If you want Active/Active failover, but are otherwise uninterested in multiple contexts, the simplest configuration would be to add one additional context and assign it to failover group 2.

Say I need Active/Active HA with a pair of ASA 5525-X but do not plan to do multiple security contexts. I have the admin context as the only security context inspecting and forwarding data. I set the failover group 1 with ASA#1 as the active unit. Following the quoted statement above, I create a dummy context and join it to the failover group 2 with ASA#2 as the active unit. So now wouldn't ASA#1 be active and ASA#2 be standby for failover group 1, as if it were active/standby HA? Or have I misunderstood, and there is no such concept as standby anymore with ASA Active/Active HA in multi-context mode?

1 ACCEPTED SOLUTION
Hall of Fame Guru

Re: ASA Active/Active HA Confusion

I think the confusion is because active/active cannot work for the same context, so if you are just using one context you cannot have active/active failover for it; it is just active/standby.

I agree the paragraph is misleading, because it seems to be saying that if you don't want multiple contexts, here is a way to have active/active failover, but it isn't, because you have to have multiple contexts.

It is in effect a circular argument, and it is there because, in my opinion, active/active is a misleading term; it is really active/standby per context, with the ability to have each firewall active for a subset of the contexts.

But that doesn't sound as good in marketing terms :)

Jon

5 REPLIES
Frequent Contributor

Re: ASA Active/Active HA Confusion

I think I understand what you are asking.

In an active/active setup there is still an active/standby situation for each failover group. The active/active is basically saying both firewalls can pass traffic, but for different failover groups at any one time. In a typical active/standby without contexts, one firewall will be passing traffic.

Active/Active does not mean there is no standby as such.

Beginner

Re: ASA Active/Active HA Confusion

That's what I thought, but it is not what that quoted paragraph said in my post...

VIP Advisor

Re: ASA Active/Active HA Confusion

Active / Active is always multi context.

BB


Beginner

Re: ASA Active/Active HA Confusion

We are on the same page... :)
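
An added configuration sketch, not taken from the thread or the Cisco guide, of the arrangement the replies describe: two failover groups, each of them active/standby, with a different unit preferred as active for each group. Interface names, IP addresses, the context name dummy and the config-url paths are assumptions.

```cisco
! System execution space of the primary unit (ASA#1), multiple context mode.
! Interface names, IP addresses, context name "dummy" and file paths are assumed.
failover lan unit primary
failover lan interface folink GigabitEthernet0/6
failover link statelink GigabitEthernet0/7
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover interface ip statelink 192.0.2.5 255.255.255.252 standby 192.0.2.6
!
! Group 1: ASA#1 (primary unit) preferred as active, ASA#2 is its standby.
failover group 1
  primary
  preempt
! Group 2: ASA#2 (secondary unit) preferred as active, ASA#1 is its standby.
failover group 2
  secondary
  preempt
!
admin-context admin
! The only context that inspects and forwards traffic.
context admin
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/admin.cfg
  join-failover-group 1
! Placeholder context with no data interfaces; it exists only to populate group 2.
context dummy
  config-url disk0:/dummy.cfg
  join-failover-group 2
!
failover
```

With this layout all production traffic still passes through ASA#1 only, because ASA#2 is active solely for the empty context. Running show failover in the system execution space reports the active/standby state of each group on each unit.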