CISCO FIREPOWER 4120/ ASA Active/standby HA

JALALUDDEEN A A
Level 1

Hi all,

We have a pair of Firepower 4120s and need to configure active/standby HA for ASA.

Do we have to create the cluster for the Firepower first and then add the logical device as ASA, right?

Can I get a good document to configure this?

Please assist.


Oliver Kaiser
Level 7

Do you want to deploy FTD or ASA image on your firepower appliance?

In case you deploy the standard ASA image, go ahead and create the logical device in Firepower Chassis Manager and configure HA via CLI/ASDM as always.

In case you deploy FTD, go ahead and create the logical device in Firepower Chassis Manager, add the devices to FMC and create an HA pair in the device configuration (detailed info in the FMC configuration guide).

Thank you kaisero for your valuable response.

I am a bit confused here.

I have 2 Firepower 4100 appliances.

So how will I build HA for the Firepower 4100?

Also, for adding ASA and configuring HA for ASA?

Just to clarify. Your 4100 chassis runs a so-called "logical device" which is basically a container running either the standard ASA operating system or the new FTD (Firepower Threat Defense) code, which includes ASA + Firepower features with some limitations (e.g. no AnyConnect).

In case you are running the ASA image on your 4100 you will not be able to use Firepower features. It's either the unified image or only ASA features.

Since you asked about ASA Active/Standby HA, you may find the failover configuration guide here.

In case you haven't built the logical devices in your Chassis Manager yet, you may refer to the following configuration guide here.

P.S. If anything is unclear please be more specific, you are being very vague.

Hi Kaisero,

I am pretty new to FTD and the FPR4120-BUN chassis.

I have to configure ASA and HA for these devices.

Since the FPR4120-BUN uses FXOS for initial configuration, I'm a bit confused about where to start. So far I just put in one management IP and left it like that.

I attached the product specification. I think it's the standard ASA operating system, because I can see the AnyConnect license is also included in the specification.

If so, how will we get the CLI and ASDM for the ASA?

Previously I configured many 5525-X, 555X etc., including Firepower Services and FireSIGHT Management. It all went smoothly.

Please advise.

Your BOM definitely looks like an ASA installation on FP4100. You have to deploy the ASA image from your 4100 chassis using the CLI/UI (I would suggest the UI).

Use the following quickstart guide to deploy ASA from the Chassis Manager UI.

Hi Kaisero,

Thank you,

So I have to deploy both chassis as standalone ASA and then configure Active/Standby HA as we did earlier, the same as on a typical ASA appliance.

Can you please explain the clustering? Clustering for the FPR 4120 chassis or for ASA?

What will be the best solution?

Yes, ASA is deployed as a so-called logical device from the Chassis Manager. The 4100 can run one logical device; the 9300 can run 3 logical devices (using the 3 blades).

Then you configure all your standard ASA features from the logical device (ASA), including failover or clustering.

Think of FX-OS as an abstraction layer to map physical interfaces to your actual firewall system. This system is kind of confusing on the 4100, since you can only run one ASA on a 4100, but it makes a lot of sense for the 9300, which can run 3 firewalls on the chassis.
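For readers who want to see what "configure failover from the logical device" looks like in practice, here is an added example (not part of the original thread and not Cisco's own documentation) of an ASA Active/Standby bootstrap on a pair of 4100 chassis. It assumes that a dedicated interface, Ethernet1/8 in this example, has already been assigned to the ASA logical device in Chassis Manager on both chassis and cabled directly between them as the failover link; the interface names, hostnames and all IP addresses are constructed sample values.

```cisco
! ---- Primary unit: ASA logical device on chassis 1 ----
! Assumption: Ethernet1/8 was assigned to this logical device in Chassis
! Manager and is the point-to-point failover link to the second chassis.
! All addresses below are constructed sample values.
hostname fw-primary
!
! Every data interface needs a standby address so the standby unit can
! take the active address over without an IP change on failover.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
! Failover bootstrap. The same interface is used as the LAN failover link
! and as the stateful failover link (connection-state replication).
failover lan unit primary
failover lan interface FOVER Ethernet1/8
failover link FOVER Ethernet1/8
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! Shared key for failover traffic. Without it, configuration replication
! (which includes credentials) crosses the failover link in clear text.
failover key REPLACE-WITH-A-STRONG-KEY
!
! Show unit role and state in the prompt so an operator cannot mistake
! the standby unit for the active one during changes.
prompt hostname priority state
failover

! ---- Secondary unit: ASA logical device on chassis 2 ----
! Only the failover bootstrap is entered here; once failover is enabled,
! the full running configuration is replicated from the active unit.
failover lan unit secondary
failover lan interface FOVER Ethernet1/8
failover link FOVER Ethernet1/8
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key REPLACE-WITH-A-STRONG-KEY
failover
```

After both units are up, `show failover` on either unit should report the local unit as Active or Standby Ready and the failover link as up; a link stuck in "Failed" or "Unknown" almost always means the interface was not assigned to the logical device in Chassis Manager on one of the chassis, which is the FX-OS mapping step the thread describes.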

So for this deployment I will not get FMC and Firepower Services. I can only use ASA features.

Can I use ASDM as well?

You may use ASDM to manage ASA, but if you are running the ASA image on the 4100 you will not be able to use Firepower Services.

The only way to use Firepower on the 4100 is running the new FTD image, which merges ASA and Firepower Services into one image. Keep in mind that there is no feature parity for ASA features yet (no Multiple Context Mode, AnyConnect, etc. in FTD).

Hi,

AnyConnect is our major requirement for this deployment, so we cannot use the FTD image and Firepower Services.

Is there no other way to run a full-fledged ASA (all features) with Firepower Services using the 4100 chassis?

This means we could have gone with the standard 5555-X series with Firepower Services in it.

Correct, there is no other way to get Firepower Services. FTD or ASA only.
In case the 5555-X would have matched your performance requirements, you could have gone with the 5555-X with Firepower Services.

AnyConnect should be added to FTD in ~Q2 2017, but tbh I think AnyConnect will be added at the end of 2017 due to some stability issues atm.

Thanks kaisero,

You clarified all my doubts.

Will let you know in case I need anything regarding this.

Cheers

Hi Kaisero,

I'm watching the thread; it's really a wealth of information here. I have a few questions for you, if you could help me with them:

I know the FTD does not support it yet, but I was hoping to bounce some questions I had myself about clustering and multi-context on the ASA/4100.

Firepower 21/41xx with ASA image:
· How many "Logical Devices - ASA" are supported?
· How many contexts per "Logical Device - ASA" are supported?
· Is "Logical Devices - ASA" + "Logical Devices - Firepower" supported?
· Are these "Logical Devices" fully independent?
· What are the limitations of "Logical Devices" compared to a standalone ASA?

Firepower 21/41xx Threat Defense image:
· How many Threat Defense "Logical Devices" are supported on top of 21XX and 41XX?
· Is there something similar to ASA multi-context mode in Threat Defense "Logical Devices"?
· Are these "Logical Devices" fully independent?
· What are the limitations of "Logical Devices" compared to a standalone Threat Defense appliance (ASA55XX)?

Regards,

Hi yalmatra,

Firepower 21/41xx with ASA image:

How many "Logical Devices - ASA" are supported?

One.

How many contexts per "Logical Device - ASA" are supported?

The 4000/9000 Series support up to 250 contexts (10 included in the base license). As for the 2000 series... Cisco will add ASA support later on this year, so there are no numbers published on how many security contexts it will support with the ASA image.

Is "Logical Devices - ASA" + "Logical Devices - Firepower" supported?

You can either install ASA or FTD. You cannot run the classic ASA + FirePOWER Services on 2000/4000/9000 FP appliances.

Are these "Logical Devices" fully independent?

Logical devices are independent of each other. In case of the FP 9300 you can have three logical devices running ASA/FTD, one on each blade.

What are the limitations of "Logical Devices" compared to a standalone ASA?

The logical device is basically just an abstraction of the OS running on the device. It can be compared to service profiles in UCS Manager (logical device = identity of hardware), so there is no specific limitation to it... just think of it as an additional abstraction layer as opposed to the classic ASA 5500-X series.

Firepower 21/41xx Threat Defense image:

How many Threat Defense "Logical Devices" are supported on top of 21XX and 41XX?

One.

Is there something similar to ASA multi-context mode in Threat Defense "Logical Devices"?

Not yet. Multiple-Context mode is on the FTD roadmap, but due to other priorities it has been pushed back to 2018.

Are these "Logical Devices" fully independent?

Yes.

What are the limitations of "Logical Devices" compared to a standalone Threat Defense appliance (ASA55XX)?

See the answer above for the ASA logical device.

Hope that answers your questions. :)
