ASA-X multiple context mode and CX

vitekabc1
Level 1

We have an ASA 5555X with two contexts and AVC, WSE, IPS licenses activated. All upgraded with the latest software, ASA 9.2 and CX 9.3.

Plan to create two contexts, one for Internet and one for partners. Each context has its active context in one physical box and its standby context in another physical box, for load balancing and HA. The AVC, WSE & IPS CX filter is only enabled in the Internet context. Is this design fully supported?

(Not able to run clustering due to physical and switch limitation).

 

Accepted Solutions

Marvin Rhoads
Hall of Fame

The current CX releases support multiple context ASA configurations. The only caution is that a given CX only supports a single set of policies but in your use case that shouldn't be an issue.

Whether one, the other or both contexts direct traffic to the CX module for inspection via a service-policy it will work OK and is a supported configuration. You cannot differentiate policies inside the CX based on which context the traffic comes from but as long as you're OK with that restriction, there should be no issue.

If you're running in an HA pair (or have more CX modules elsewhere), it's recommended to use the separately licensed multiple device mode PRSM in a separate VM to keep the policies synchronized between the CX instances. Otherwise you need to make every change exactly the same in both CX units of an HA pair - there's no synchronization like there is in the base ASA when using single device mode (on-box) PRSM.
