12-18-2013 09:32 PM - edited 03-11-2019 08:20 PM
Hello Everyone,
We have two new ASA5515-X units and I'm currently in the planning phase of their deployment. I'm not sure if the ASA can support these requirements.
Here's what we need to have in place:
A. During normal operation, wherein both ASAs and ISPs are operational.
1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA1's interface g1
3. All incoming ISP2 traffic will be handled by ASA2's interface g2
B. ASA1 failure, ASA2 and both ISPs are operational
1. By default all traffic will be routed out through ASA2's interface g1 (outside) and some defined traffic will be routed out through ASA2's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA2's interface g1
3. All incoming ISP2 traffic will be handled by ASA2's interface g2
C. ASA2 failure, ASA1 and both ISPs are operational
1. By default all traffic will be routed out through ASA1's interface g1 (outside) and some defined traffic will be routed out through ASA1's interface g2 (backup)
2. All incoming ISP1 traffic will be handled by ASA1's interface g1
3. All incoming ISP2 traffic will be handled by ASA1's interface g2
D. ISP1 failure, both ASAs and ISP2 are operational
1. All traffic will be handled by ASA2's interface g2 (backup)
E. ISP2 failure, both ASAs and ISP1 are operational
1. All traffic will be handled by ASA1's interface g1 (outside)
F. Item D + ASA2 failure
1. All traffic will be handled by ASA1's interface g2 (backup)
G. Item E + ASA1 failure
1. All traffic will be handled by ASA2's interface g1 (outside)
Note:
InterfaceG1 is nameif'ed outside and is connected to ISP1
InterfaceG2 is nameif'ed backup and is connected to ISP2
Also, as a follow-up: per my initial findings I need to enable multiple context mode to achieve what is required. But we also need VPN redundancy and failover, and I read somewhere that VPN is not supported in multiple context mode. This is in software version 8.x, I think. Does software version 9.x already support VPN in multiple context mode? If not, what approach would you suggest to address these requirements?
Here's a diagram of what I'm thinking.
Your input is highly appreciated.
Thanks everyone!
12-18-2013 11:53 PM
One challenge in your scenario is to distribute the traffic to the right context. The internal network sees two gateways to the outside world and has to use the right gateway. In Active/Active that is not as easy as with Active/Standby.
The ASA9 supports VPN in A/A, but only site-to-site, no remote access.
Most of your requirements are possible with A/S which is much easier to implement. Only the part "some traffic to backup" is problematic if that is not based on the destination-address as the ASA doesn't have policy based routing.
Sent from Cisco Technical Support iPad App
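To make the Active/Standby suggestion concrete, here is an added ASA configuration sketch (not the poster's config and not Karsten's; it is an illustration only). It assumes the ASA5515-X interface numbering GigabitEthernet0/1 for the poster's "g1"/outside and GigabitEthernet0/2 for "g2"/backup, RFC 5737 documentation addresses for both ISPs and the inside network, and the constructed destination 192.0.2.0/24 as the "some defined traffic" that should leave via ISP2. It shows why the answer says that traffic can only be selected by destination: on the ASA the choice of egress interface is made by the routing table, so the split is expressed as static routes, and each route is tied to an SLA track so that requirements D and E (loss of either ISP) fall back to the other interface. Inbound connections that arrive on the backup interface need their own NAT rules and should be tested separately; they are not covered here.

```cisco
! --- Active/Standby failover on the primary unit (the secondary only needs
! --- the failover lan/link/interface ip lines with "failover lan unit secondary").
! --- Interface GigabitEthernet0/3 as the failover link is an assumption.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface GigabitEthernet0/1
 description ISP1 (poster's "g1")
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface GigabitEthernet0/2
 description ISP2 (poster's "g2")
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
!
! --- Reachability probes towards each ISP gateway (addresses are assumed).
! --- Interface monitoring alone only sees the local link, not an upstream
! --- outage at the ISP, which is why the routes below are tracked.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
sla monitor 20
 type echo protocol ipIcmpEcho 198.51.100.1 interface backup
 frequency 10
sla monitor schedule 20 life forever start-time now
track 2 rtr 20 reachability
!
! --- Requirement A.1 / D: default via ISP1 while it answers the probe,
! --- floating default via ISP2 that takes over when track 1 goes down.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- "Some defined traffic" via ISP2: expressible only as a destination
! --- route (no policy-based routing on the ASA). Tracking it against ISP2
! --- means that on ISP2 failure (requirement E) the route is withdrawn and
! --- 192.0.2.0/24 falls back to the default via outside.
route backup 192.0.2.0 255.255.255.0 198.51.100.1 1 track 2
!
! --- PAT behind whichever egress interface the routing table selects.
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE-NET interface
nat (inside,backup) source dynamic INSIDE-NET interface
```

To check the behaviour after deployment: `show failover` confirms the active/standby roles, `show track 1` and `show track 2` show whether each probe currently sees its gateway, and `show route` shows which default route and which 192.0.2.0/24 route is installed at that moment. The assumption worth re-validating against the real ISPs is that a ping to the next-hop router is a good proxy for the ISP being usable; if the ISP router answers ICMP while its upstream is down, the probe target should be moved to something further away.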
01-20-2014 01:46 AM
Hi Karsten,
After lots of reading and suggestions from others, including yours, I guess I have to go with Active/Standby.
Hope Cisco finds a way of implementing this unusual deployment plan of mine.
Thanks,
Jon