Active/Active Failover in Multiple Security Contexts w/ Dual ISP

flynnR
Level 1

I have an ASA5520 in location A with an ISP connection and a matching ASA5520 in location B with a separate ISP connection.

We have fiber connecting the two locations and vlans passing back and forth so I will be able to configure the failover via a vlan as well as extend the ISP's to each location via vlans. The Active/Active configuration with the multiple security contexts does not seem to be an issue but how is a redundant ISP configured in this mode?

We want to have context A using the ASA in location A with ISP1 as the primary and failing over to ISP2 in location B.

We also want to have context B using the ASA in location B with ISP2 as the primary and failing over to ISP1 in location A.

Would route tracking provide the desired result? Is there a better option?

Thanks for the assistance.

Bob

1 Reply

brquinn
Level 1

Bob,

Currently, route tracking and dynamic routing protocols are only supported in single context mode. You could set up each ASA to be independent and rely on your routing protocols to detect a failure. The downside here is that connections will not be replicated between firewalls.

If you set up HSRP on the outside of both context interfaces, this will allow the outside routers to determine the best path to the correct ISP. The only problem then would be the routes to the active public address on each context. You would have to work with your ISP to work out these details for redundancy.

I hope this helps.

Thanks,

Brendan
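As an added illustration (not part of Bob's post or Brendan's reply), this is what the single-context route tracking the reply refers to looks like on an ASA, laid out for the location A half of the design in the question: ISP1 on the local outside interface as primary, ISP2 reached over the fiber VLAN from location B as backup. Everything in it is assumed for the example: the interface names, the VLAN number, the SLA and track object numbers, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed placeholders, not anything from the original thread.

```cisco
! ASA in location A, single context mode (assumed for this example)
! ISP1 is directly attached on "outside"; ISP2 is reached through
! a VLAN extended over the fiber from location B (constructed layout)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! ICMP probe of ISP1's next hop, sourced from "outside", every 5 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the reachability result of SLA 10
track 1 rtr 10 reachability
!
! The primary default route is installed only while track 1 is up;
! when it is withdrawn the higher-metric backup route via ISP2 takes over
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Verify with `show sla monitor operational-state 10`, `show track 1` and `show route`; pulling the cable on the outside interface (or blocking ICMP from 203.0.113.1) should remove the tracked route and leave the backup route active. Two practical points: probing the directly attached ISP gateway only detects loss of that link or gateway, so a probe target further into the ISP's network catches an upstream outage that leaves the gateway answering; and once traffic leaves via location B it exits from ISP2's address space, so the public addresses and NAT used on the primary path do not follow it, which is the same ISP-side routing detail the reply says has to be worked out with the provider.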
