03-29-2016 07:19 PM - edited 03-12-2019 12:33 AM
hi,
i know this could be done with active-active ASA setup but i'm not sure what's new with the ASA 9.x image.
all links that i've searched were already outdated and used pre 9.x code.
can someone advise or point me to a link that we can run ASA 9.4(2) with multiple context in active-standby?
03-29-2016 07:45 PM
Yes, it's supported.
See the ASA 9.4 configuration guide which states:
You can use Active/Standby failover for ASAs in single or multiple context mode.
Link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/ha-failover.html#ID-2107-0000000a
03-29-2016 08:09 PM
marvin,
thanks for the link!
have you personally tried this out?
any caveat that i should be aware of?
i encountered a small trouble when i first ran IPsec VPN on ASA context using 9.x image where i just added the limit-resource vpn under the 'admin' context and then it worked afterwards.
03-29-2016 08:46 PM
You're welcome.
I've done it in the lab and production. Almost every ASA that's worth doing multiple context will also use HA.
The only caveat that ever bit me was lack of multicast support between contexts. That got me when we were trying to do OSPF routing among different contexts.
Remote access VPN had not traditionally been supported but that changed as of 9.5(2).
I'm actually setting up my first production multiple context HA pair with remote access VPN on a current project. If you're running multiple context with remote access VPN, there are a few caveats. No clientless, no web launch etc. Those are spelled out in the 9.5 and later configuration guides.
03-29-2016 09:34 PM
thanks for sharing your invaluable insights!
just curious, do you create a document here in cisco or host a blog with your experiences?
03-30-2016 06:00 AM
I've done a small handful of document postings here in the network management forum. No formal blogs per se.
Between doing this sort of work full time, posting here and studying for my CCIE Security my bandwidth is about maxed out. :)
03-30-2016 08:14 PM
marvin,
good luck on your CCIE Sec!
i might go on the same route soon. need to do my CCIE R/S first :)
appreciate your time and input in CSC security forum.
makes our lives (and job) easier :)