
ASA multi-context with Firepower (sw-module) in active/standby mode?

tonyppe
Level 1

I need to locate the config guide that describes a supported design and configuration of the following concept: 

 

2 x ASA 5545 (running ASA 9.12 code) active/standby with firepower services modules

multi-context - context1 active on asa1 and context2 active on asa2 (active/active)
FMCv ACPs when running in this mode

 

I haven't been able to locate any information on this at all. The only info I could find is a single sentence in a "note" section that says Firepower can support up to 10 contexts - but it does not say how, or how I should form the access policies in FMC.

 

I have inherited this scenario and I am told that traffic is blocked when in failover mode. In FMC, module1 has ACP1 deployed and module2 has ACP2 deployed so it appears that FMC does not consider the failover scenario, such as when context1 fails over to ASA2 with module2 but context1 ACP policy is not yet deployed to module2. 
I also want to confirm what happens when both context1 and context2 are running on ASA1 with regards to firepower - such as does firepower understand contexts and can send the correct traffic back to the correct ASA context. 

 

Before I try and fix this by merging both ACPs into a single ACP I want to check what is the supported configuration - but I cannot find it at all. 

 

Could anyone help? 

6 Replies 6

Marvin Rhoads
Hall of Fame

The Firepower service modules know nothing about their respective ASAs being Active-Standby or multiple context.

As a result, any policies in the modules need to be universal to the context(s) that direct traffic to them.

rhuysmans
Level 1

As Marvin said above, because the Firepower modules are separate from the ASA configs they don't care about the multi contexts or what the ASAs are doing. They just deal with the traffic that's sent to them. There should be just one AC policy in the FMC that is sent to both SFR modules. This policy usually checks for IPS, and/or URL filtering and Malware. The ASA still does the standard L3 allowing/blocking, with maybe some FQDN.

tonyppe
Level 1

I was hoping for a supported configuration guide but I cannot find it. 

 

Thanks anyway for your inputs.  

rhuysmans
Level 1

Yeah, there isn't a supported config guide because they are two separate products with their own config requirements.
The ASA sends traffic to the module attached to it and that's about it. The SFR processes the traffic regardless of what config is on the ASA, then sends it back to the ASA.
 
Merry Christmas.
 
I have "ASA with Firepower services". I get what you're saying, though I wish to configure X and there should be a guide for it to save any misconfiguration or issues. If they were indeed two separate appliances then they would be able to run independently of each other, but this is not the case, so I would respectfully disagree.

Merry Christmas to you also - hope you're not working today. I hope to be finishing up soon.

There are guides for configuration of ASA with Firepower services, just not one that's specifically written for multi-context ASA. The reason being that the Firepower service module configuration doesn't differ at all from how it is configured with a single context ASA.

FYI 7.0 is the final release for ASA with Firepower services (for ASAs whose support hasn't already been previously discontinued).
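The two points made in the replies (each context simply hands traffic to the module in its own ASA, and the module side is configured from FMC exactly as it would be for a single-context ASA) are easiest to see on the ASA side of the configuration. The fragment below is an added illustration written for this thread, not a configuration taken from the posts or from Cisco documentation; the context names, interface assignments, config-url paths and failover-group membership are assumptions, and the `sfr fail-open` versus `sfr fail-close` choice is a design decision that the thread does not settle.

```text
! Added example (assumed values): two contexts, each redirecting its
! traffic to the Firepower (sfr) module of whichever ASA currently
! holds that context. The module has no context awareness, so one
! access control policy in FMC is deployed to the sfr module on BOTH
! units; there is no per-context policy on the module side.

! --- system execution space (Active/Active failover) ---
failover group 1
 primary
failover group 2
 secondary
!
context context1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/context1.cfg
 join-failover-group 1
!
context context2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/context2.cfg
 join-failover-group 2

! --- inside context1 (context2 carries the identical service policy) ---
class-map SFR-CLASS
 match any
!
policy-map global_policy
 class SFR-CLASS
  ! fail-open passes traffic if the module is down; fail-close drops it.
  sfr fail-open
!
service-policy global_policy global
```

The redirect is per context but the module is shared, so when context1 fails over to the other ASA it is handled by that ASA's module, which is why the replies say the policy pushed from FMC has to be the same on both modules rather than tied to module1 or module2.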
