07-17-2012 09:27 AM - edited 03-11-2019 04:31 PM
Hello,
I have a pair of ASA 5520s operating in a failover pair as active/standby, having two contexts on them.
I am planning to share the load and make it active/active, making the first context active on the primary unit and the second context active on the secondary unit.
My question is whether this will disrupt any connectivity through these firewalls when I do "no failover" on the active/standby, assign the contexts to different failover groups and enable failover again.
Thanks!
07-17-2012 09:48 AM
Hi Bro
Yes, when migrating from an ACTIVE/STANDBY setup to an ACTIVE/ACTIVE multi-context setup, there will be a network outage as the configuration of the Cisco ASA FW changes. In fact, the first step is to change the Cisco ASA FW to run in mode multiple. This itself requires a reboot on both of the Cisco ASA FWs :-)
If you know what you’re doing, I would guess a 15min network outage is needed for this exercise.
P/S: If you think this comment is helpful, please do rate it nicely :-)
07-17-2012 09:56 AM
Hi Ramraj,
The existing configuration, which is active/standby, is already multicontext; "mode multiple" is already there.
So a reboot is not required.
07-17-2012 10:01 AM
Hi Bro
Thanks for the update, but still you'll need to create 2 contexts, each context will be ACTIVE on different Cisco ASA FW units. Hence, there will be some cut, copy and paste effort, not forgetting recabling, if that's needed. Here's a Cisco document to configure ACTIVE/ACTIVE for those who can't seem to find this document http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#req
Conclusion: There will be some network downtime. I'm guessing 15min, if it was me :-)
P/S: If you think this comment is helpful, please do rate it nicely :-)
07-17-2012 10:23 AM
Thanks for the reply, but I don't need to create contexts, I have them already created on the active/standby pair.
I just need to create two failover groups and assign them accordingly.
My guess is that if there is no failover for the moment of this works, both contexts are supposed to be available on the primary unit until I get the failover back configured for active/active.
07-17-2012 10:41 AM
Hi Bro
I think either I've misunderstood you or you've misunderstood me with regards to this subject. In creating ACTIVE/ACTIVE Failover, you'll need to have at least 2 contexts, e.g. USER CONTEXT and SERVERFARM CONTEXT. USER CONTEXT will be ACTIVE in Cisco ASA FW1 and SERVERFARM CONTEXT will be ACTIVE in Cisco ASA FW2. With this, you then create 2 FAILOVER groups, PRIMARY and SECONDARY, and assign them to the respective contexts.
In an ACTIVE/STANDBY Failover, you only have a single context. Would you like to paste your latest show running-config here so that I could explain this further to you?
07-17-2012 10:51 AM
Hi Ramraj,
I don't need an explanation, thanks. I know what I am doing and I will consider what you mentioned here as well.
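
The failover-group assignment discussed in this thread, sketched as an added example that is not taken from any post here or from a participant's configuration. CTX-A and CTX-B are placeholder context names; the commands are entered in the system execution space of a pair already running in multiple context mode.

```text
! Constructed example. CTX-A and CTX-B are placeholder context names.
! Failover groups can only be created or removed while failover is disabled.
no failover
!
! Group 1 prefers the primary unit, group 2 prefers the secondary unit.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! Assign each existing context to one group.
context CTX-A
  join-failover-group 1
context CTX-B
  join-failover-group 2
!
! Re-enable failover, then check which unit is active for each group.
failover
show failover
```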