
ASA Active/Active HA Confusion

m1xed0s

Referring to the ASA v9.12 CLI Guide section on Active/Active HA, quoted below:

 

If you want Active/Active failover, but are otherwise uninterested in multiple contexts, the simplest configuration would be to add one additional context and assign it to failover group 2.

 

Say I need Active/Active HA with a pair of ASA 5525-X but do not plan to do multiple security contexts. I have the admin context as the only security context inspecting and forwarding data. I set failover group 1 with ASA#1 as the active unit. Following the quoted statement above, I create a dummy context and join it to failover group 2 with ASA#2 as the active unit. So now wouldn't ASA#1 be active and ASA#2 be standby for failover group 1, as if it were active/standby HA? Or have I misunderstood, and there is no such concept as standby anymore with ASA Active/Active HA in multi-context mode?

1 Accepted Solution

Accepted Solutions

 

I think the confusion is because active/active cannot work for the same context, so if you are just using one context you cannot have active/active failover for it; it is just active/standby.

 

I agree the paragraph is misleading because it seems to be saying that if you don't want multiple contexts, here is a way to have active/active failover, but it isn't, because you have to have multiple contexts.

 

It is in effect a circular argument and is there because, in my opinion, active/active is a misleading term. It is really active/standby per context with the ability to have each firewall active for a subset of the contexts.

 

But that doesn't sound as good in marketing terms :) 

 

Jon


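Added example (not part of the thread or of Cisco's guide): a system-execution-space sketch of the setup the question describes, with the admin context in failover group 1 and a dummy context in failover group 2. The interface names, the 192.0.2.0/30 failover addressing, the config-url paths and the context name "dummy" are assumptions.

```text
! System execution space on the primary unit (ASA#1), multiple context mode.
! Assumed values: interface names, failover link addressing, context name "dummy".
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/6
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
! The admin context is a member of failover group 1.
!
context dummy
 allocate-interface GigabitEthernet0/2
 config-url disk0:/dummy.cfg
 join-failover-group 2
!
failover
!
! Resulting roles, per failover group:
!   group 1 (admin): ASA#1 active,  ASA#2 standby
!   group 2 (dummy): ASA#2 active,  ASA#1 standby
! With admin as the only context forwarding data, production traffic is
! handled active/standby; ASA#2 is active only for the dummy context.
```

Running show failover on either unit lists the active or standby state for each failover group.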


GRANT3779

I think I understand what you are asking.

 

In an active/active setup there is still an active/standby situation for each failover group. The active/active is basically saying both firewalls can pass traffic, but for different failover groups at any one time. In a typical active/standby without contexts, one firewall will be passing traffic.

Active/Active does not mean there is no standby as such.

That's what I thought, but it is not what that quoted paragraph said in my post...

Active / Active is always multi context.

 

BB



we are on the same page...:)
