Active/Active and Active/Standby Failover

gnaveen · ‎12-19-2010

What are the advantages/disadvantages of configuring Active/Active vs Active/Standby Failover for Cisco ASA 5510?

Which one should be preferred over the other?

What's the Best Practice followed when configuring failover?

-NG

Jennifer Halim · ‎12-19-2010

Active/Standby failover works in both single mode or multiple context mode. It provides hot standby and replicates all the stateful information from active to standby firewall.

Active/Active failover only works in multiple context mode. Example: if you have 5 context, you can have 2 active on the primary firewall, and 3 active on the secondary firewall. When primary firewall fails, the 2 context who was active on the primary firewall will failover to the secondary firewall. After failover, the secondary firewall will have 5 active context.

Hope that helps.

gnaveen · ‎12-19-2010

We have Checkpoint Firewall and being new to Cisco ASA may I ask this question - what is a context mode?

Jennifer Halim · ‎12-19-2010

Context is virtual firewall. So within 1 physical ASA firewall you can create multiple virtual firewalls.

Here is a sample configuration for multiple context that would help you to understand the concept better:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

junaidnasir · ‎12-08-2015

Hi Jennifer, please suggest that will the firewalls (ASA 5585) in Active/Standby failover with multiple context support SSL VPN. Because I had to know from somewhere that with Active/Active firewalls mode we cannot go with SSL VPN.

Andre Neethling · ‎12-08-2015

In order to run Active/Active you need to run "multiple contexts". When you enable "multiple mode" you lose certain functionality. Remote access VPN is one of them.

junaidnasir · ‎12-08-2015

thanks for replying,

tell me one thing if i go for Active/Standby failover that works in both single mode or multiple context mode

so then Remote Access VPN will work only in single mode or in both modes...

Andre Neethling · ‎12-08-2015

Remote access VPN only works in "single mode"

junaidnasir · ‎12-09-2015

hi andre,

there is anyway to achieve load balancing with active/standby mode in ASA 5585... I am really worried about that , I have to do load balancing and remote access SSL VPN...

Andre Neethling · ‎12-10-2015

Hi. Unfortunately I don't think that's going to work. There is a VPN clustering feature in Version 9.0 but not for Firewall traffic.

junaidnasir · ‎04-05-2016

Hello,

can someone share me the advantages and disadvantages of Active/Active and Active/Passive modes of ASA-5585... better if you a document..

thanks in advance

junaidnasir · ‎04-05-2016

Hello,

can someone share me the advantages and disadvantages of Active/Active and Active/Passive modes of ASA-5585... better if you a document..

thanks in advanc

db1852341 · ‎11-07-2017

Thanks.

scawlding1 · ‎12-15-2017

Hi Jennifer,

I was just following up on your response as I have a similar query about the active/active v active/standby licence on ASA5510 as both seem to be available (optional) with a Security Plus licence but Active/Active seems to be the default. How can this be changed to an Active/Standby setup because when I try to install Anyconnect licences it states that the failover will be disabled. We do not require multiple contexts so the Active/Standby setup would work fine.

Carl