Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7512
Views
15
Helpful
5
Replies

Active/Active or Active/Standby

biplobkhan
Level 1
Level 1

‎07-30-2012 02:32 AM - edited ‎03-11-2019 04:36 PM

                   Hi

What is practically advantage of Active/Active ? if i do Active/Standby then any problem in my network ?

What is best practise ? please share.

Regards

Biplob

Labels:
0 Helpful
5 Replies 5

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-30-2012 02:53 AM

As you already know, Cisco ASA supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure "somewhat" load balancing on your network. Active/Active Failover is only available on units that runs in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.


Note: Dynamic routing and VPN failover, are amoung the few features, that is not supported on units that runs in multiple context mode.

Conclusion: If you don't need to enable Dynamic routing and VPN in your FW, go for ACTIVE/ACTIVE. This is Cisco's best practise.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

nkarthikeyan
Level 7
Level 7

‎07-30-2012 03:42 AM

Hi Biplobkhan,

If you want to load balance your traffic to some extent then you can go for the Active-Active scenario where your ASA should be in multicontext mode. Lets say one context will have ASA1 as the primary and ASA2 as the secondary. The other context will have ASA2 as the primary and ASA1 as the secondary. So both the devices will take the traffic for different contexts and acts as a failover for the respective contexts.

Active/Standby will have always one device as the primary and another as the secondary. If primary(Active firewall) fails then the secondary becomes active.

So its up to you how you chose for your scenario.

Please do rate if the given information helps.

By

Karthik

0 Helpful

sean_evershed
Level 7
Level 7
In response to nkarthikeyan

‎07-30-2012 06:22 AM

Hi,

To quote from the confiuration guide,

"The type of failover you choose depends upon your ASA configuration and how you plan to use the ASAs."

For example if you have a pair of ASA terminating your Internet and VPN connectivity then choose Active/Standby.

See below a guide for Active/Active

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#intro

Active/Standby guide

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#intro

0 Helpful

biplobkhan
Level 1
Level 1
In response to sean_evershed

‎07-30-2012 08:39 PM

HI

Thanks everyone for sharing of your strong exprience and Knowledge.

Regards

Biplob

0 Helpful

Ramraj Sivagnanam Sivajanam
Level 4
Level 4
In response to biplobkhan

‎07-30-2012 11:27 PM

Hi Bro

If you think the comments provided is helpful, please do rate them nicely :-) and mark this question as ANSWERED, so that the others too could learn from our experience.

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card