ASA multiple context pre routing

dan.letkeman
Level 4

Hello,

 

I am trying to understand all of my options for routing to two different ASAs in active/active mode, which requires multiple context mode.

 

I have an existing 4500E switch behind a single ASA 5520 right now, and the default gateway that the 4500E advertises to my internal networks is the IP address of the 5520.  I would like to replace the existing 5520 with two 5525-X ASAs and have them set up in active/active mode.

 

Currently I have 12 locations terminated with fiber to the 4500E, and from there its default gateway is the existing single ASA that I have.  From what I understand, with the new design I have to put the ASAs into multiple context mode in order to do active/active failover and load balance between the two ASAs.

 

What I don't want to have to do is put a policy route on each incoming fiber port and policy route traffic based on source IP.  I think this would be a huge waste of resources and complicate the setup on the 4500E.  Is there any other way to accomplish this besides policy routing or a separate switch between the ASA's and the 4500E?

 

Thanks,
Dan.
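As an added illustration of the active/active arrangement the question describes (an editor's example, not configuration from the thread; the context names, interface numbers, VLANs and addresses are all assumptions), here is a skeleton of the ASA system-context and per-context configuration. Two contexts each join their own failover group; group 1 prefers the primary unit and group 2 the secondary, so each unit carries one context's traffic while the pair still fails over as a whole. The `asr-group` lines are the check a practitioner would want in this design: with two contexts acting as two gateways, return traffic from the outside can arrive at the context that does not own the session, and without an ASR group the stateful inspection on that context simply drops it. ASR groups require the stateful failover link shown here.

```cisco
! --- System execution space (assumed names and addresses; not from the thread) ---
mode multiple
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
!
! Dedicated failover + state link; the same interface carries both here
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! Each failover group is active on a different unit -> both units pass traffic
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
context ctxA
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1.110 outside
 config-url disk0:/ctxA.cfg
 join-failover-group 1
!
context ctxB
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1.120 outside
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
failover
!
! --- Context ctxA (ctxB is identical apart from its own addresses) ---
! 10.0.10.1 is the gateway the 4500E uses to reach this context
interface inside
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.3
 asr-group 2
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248 standby 203.0.113.3
 asr-group 1
! ctxB's outside also carries "asr-group 1" and its inside "asr-group 2",
! so a reply landing on the wrong context is matched against the owning
! context's session table over the failover link instead of being dropped.
```

The two inside addresses (10.0.10.1 for ctxA, 10.0.20.1 for ctxB in this example) are what the upstream 4500E would have to steer traffic towards; on a unit failure the surviving unit takes over both failover groups and the addresses stay the same, so the downstream routing does not have to change.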


5 Replies

Marvin Rhoads
Hall of Fame

While you CAN do what you're describing with an Active-Active multiple context pair, that's not really what those features are designed for.

You would have to, as you surmised, handle the routing downstream using something like PBR (or possibly VRFs). I'd stay away from that solution as it would introduce a fair amount of complexity in your core with little to no added value (in my opinion).

A 5525-X will already have 1.5-2x the performance of your old 5520. The second unit will give you high availability in an HA pair.

If you're feeling adventurous, you can now (as of 9.1(4)) run a 2-member cluster with the 5500-X series below the 5585. That will give you the increased performance (~50% boost in connections/sec, 70% boost in total throughput vs. a single unit) while sticking with a single context. It does have the downside, though, that in the event of a single member failure you are throttled back to the throughput of a single unit.
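To make the PBR option the reply mentions concrete, here is what the downstream policy routing would look like on the 4500E. This is an added example, not configuration from the thread; the VLANs, the context gateway addresses (10.0.10.1 and 10.0.20.1), the site prefixes and the port numbers are assumptions. Traffic from half the sites is steered to one context and the other half to the other, and the route-map has to be applied on every one of the 12 fiber ports, which is the per-port complexity the original poster wants to avoid. The `verify-availability` / `track` lines are a belt-and-braces check: in active/active failover the context's inside address moves to the surviving unit by itself, but a tracked next hop also protects against a gateway that is reachable at layer 2 yet not answering, and it keeps matched traffic from being black-holed while the policy is in place. Whether a given 4500E supervisor and IOS release supports next-hop tracking in PBR is something to confirm in the release notes; it is assumed here.

```cisco
! Catalyst 4500E, hypothetical addressing (not from the thread)
! ctxA inside = 10.0.10.1 on VLAN 10, ctxB inside = 10.0.20.1 on VLAN 20
interface Vlan10
 ip address 10.0.10.254 255.255.255.0
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
!
! Traffic that matches neither ACL below falls through to this default route
ip route 0.0.0.0 0.0.0.0 10.0.10.1
!
! Reachability probes for the two context gateways
ip sla 1
 icmp-echo 10.0.10.1 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.0.20.1 source-interface Vlan20
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Split the sites by source prefix (assumed site addressing)
ip access-list extended SITES-TO-CTXA
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.3.0.0 0.0.255.255 any
ip access-list extended SITES-TO-CTXB
 permit ip 10.2.0.0 0.0.255.255 any
 permit ip 10.4.0.0 0.0.255.255 any
!
! Preferred next hop first; the other context is the fallback if tracking fails
route-map SPLIT-TO-ASA permit 10
 match ip address SITES-TO-CTXA
 set ip next-hop verify-availability 10.0.10.1 10 track 1
 set ip next-hop verify-availability 10.0.20.1 20 track 2
route-map SPLIT-TO-ASA permit 20
 match ip address SITES-TO-CTXB
 set ip next-hop verify-availability 10.0.20.1 10 track 2
 set ip next-hop verify-availability 10.0.10.1 20 track 1
!
! Must be applied on the ingress side of every site-facing port
interface GigabitEthernet1/1
 description Fiber to site 1 (repeat "ip policy route-map" on all 12 ports)
 ip policy route-map SPLIT-TO-ASA
```

Note that this only shapes the inbound-to-firewall direction; which context sees the return traffic depends on the routing on the outside of the ASAs, which is why an asymmetric-routing (ASR group) arrangement on the firewalls goes hand in hand with splitting traffic this way.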

What else would you use active/active for?  I'm looking at it from the standpoint of being able to scale one ASA 5525 into two ASA 5525s for double the throughput instead of having to buy a 5545.

Hmmm, so I would have to set up a switch cluster between the 4500E and the ASAs.....that would add too much cost...

Clustering is of no use, as AVC / WSE / VPN is not available on the secondary ASA then.  So there would be no point.  Active/active mode at least allows for use of all of the features.

I see multiple context most often used where I have distinct security policies, often in multi-tenant (or distinct business unit) use of a given firewall. In such a case, Active-Active allows us to spread the load across the units while having redundancy.

Most installations I have seen (actually all - and I've worked with hundreds of ASAs in dozens of enterprises) use bigger firewalls to get more throughput. A few use VPN clustering or round robin DNS for remote access VPN gateways on the ASA platform. The few Active-Active setups I've come across have all had one of the use cases I mentioned just now.

You're right that clustering does have a number of features that don't work in distributed mode.

Ah, so what you are saying is that I should just buy a single ASA that is large enough for the next three years and then just replace rather than scale.

Well I'm on the post-sales side but the pre-sales guys would most likely advise you that way - that is consistent with the Cisco reference approaches. It is how I've almost always seen it in the production settings I've worked on.

Your decision should take what anyone says as one input in a decision making process that is informed by your requirements and projections in the context of your business environment.
