04-03-2007 07:55 AM - edited 03-11-2019 02:55 AM
Can you have two ASA 5520s running as Active/Active when you have a single ISP and one security context (duplicated across both boxes)?
Or in this scenario can you only use active/standby?
04-03-2007 06:03 PM
Hi, yes, you can configure active/active with security context with 1 ISP.
It should work.
Regards,
sebastan
04-03-2007 08:11 PM
Hi Jason,
Unfortunately Active/Active requires multi-contexts. Additionally, the same context cannot be active on both units. (Ctx A will be active on unit 1, but standby on unit 2; Ctx B will be active on unit 2, but standby on unit 1).
Now, *if* you did configure only one context and also A/A, then it would be equivalent to active/standby (as that single context can only be active on a single box at a time).
Therefore, in the case you describe, I cannot see how A/A would work for you.
Sincerely,
David.
04-03-2007 11:11 PM
Thanks David, that sounds logical. I'll go for active/standby.
I haven't seen it mentioned in the manuals so far and you might also know this one :) - if both ASAs have an intrusion prevention module and a failover occurs, does the second box IPS module take over the functions of the first as well?
04-04-2007 05:50 AM
Yes. In Active/Standby failover, it is the entire chassis that fails over (including whatever SSM module is in the chassis). So the newly active ASA and its SSM module will be the one processing the traffic.
This is why we have the failover requirement that both boxes must have the exact same hardware (SSM module included).
Sincerely,
David.
PS> If this solves your issue, please don't forget to check the box to let us know.
04-04-2007 07:10 AM
Thanks :)