Configuring ASA with multiple security contexts and Active/Active

DannyHuston
Level 1

Hi all

Is there a guide someone can point me to to help configure a pair of ASAs as active/active failover with multiple security contexts for different environments? What I want to do is make a logical firewall for Production and another logical firewall for Development networks so I don't have to purchase 2 pairs of firewalls for these.

6 Replies

Jouni Forss
VIP Alumni

Hi,

Here is a link to the ASA software 8.4 configuration guide, section on Active/Active:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html

Here's another, older document for configuring Active/Active:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

What ASAs do you have and what software level are they on?

- Jouni

Thanks. I have a pair of 5585-X running 9.1 code. So maybe I'm confusing myself. When you do active/active you basically create two contexts and one is primary and the other is backup/secondary. However, since each context exists on both appliances, that's treated as active/active? Am I correct on that? How would I then configure different security contexts if I want a production firewall and a separate development firewall?

Hi,

In an Active/Active Failover pair you basically have 2 ASA firewalls that are configured to "mode multiple" and are therefore in Multiple Context Mode (which is naturally a requirement for Active/Active).

When you initially change the ASA to "mode multiple" it will convert its current configuration (if I remember correctly) to be the configuration of the "context admin". This Security Context will be the management Context of the Failover Pair and you will therefore have to connect to the ASA through one of its interfaces to have access to all the Security Contexts. The "admin" Context isn't counted when counting the number of Security Contexts (for licensing purposes, that is).

You then create a basic Failover configuration between the 2 physical ASA units like any other Failover Pair. These configurations are done in the System Context space.

You also configure 2 Failover Groups. Each Failover Group can be defined to use whichever ASA as its default Active device. When you have decided that, you can attach contexts to either of the 2 Failover Groups. In a 2 Security Context environment you would naturally keep one Context in Group 1 and one Context in Group 2 and have each of the Contexts Active on a different physical device to balance the use of the devices.

If either of the physical devices should happen to fail, the other unit will take the Active role for the failed unit's Context. You can also configure a "preempt" feature under the Failover Group configuration which defines a timeframe after which the original Active device will take over again once it has recovered from its problem.

Your question of how to configure this is too broad for me to really give any specific answer.

We don't know anything about the rest of the devices in the network and how you are going to attach the ASAs to the network (Ethernet / Fibre (or was it Fiber )), how the interfaces will be configured (Trunk with subinterfaces, normal Routed ports, or perhaps a Port-channel with or without Trunk) and how many interfaces you need to use in each context, just to name a few.

- Jouni
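The steps Jouni lists above (convert to multiple context mode, build the failover pair in the system space, define two failover groups with preempt, then join one context to each group) as one worked configuration. This is an added example, not Jouni's or Cisco's configuration: the interface numbers, VLAN IDs, context names, IP addresses and the failover key placeholder are all assumptions chosen to match the two-context Production/Development layout from the question.

```cisco
! ===== System execution space, primary unit (added example; all values assumed) =====
! Converts the running config into the admin context and reloads the unit.
mode multiple
!
! Dedicated link that carries failover hellos and stateful replication
interface TenGigabitEthernet0/8
 description LAN/STATE failover link
!
! Inside trunk toward the 6509-E pair, one subinterface per context plus management
interface TenGigabitEthernet0/6
 description inside trunk to 6509-E pair
interface TenGigabitEthernet0/6.10
 vlan 10
interface TenGigabitEthernet0/6.100
 vlan 100
interface TenGigabitEthernet0/6.200
 vlan 200
!
! Outside trunk toward the 3560 pair
interface TenGigabitEthernet0/7
 description outside trunk to 3560 pair
interface TenGigabitEthernet0/7.101
 vlan 101
interface TenGigabitEthernet0/7.201
 vlan 201
!
! Basic failover pair; the other chassis uses "failover lan unit secondary"
failover lan unit primary
failover lan interface FOLINK TenGigabitEthernet0/8
failover link FOLINK TenGigabitEthernet0/8
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Placeholder secret; authenticates and encrypts failover messages between the units
failover key REPLACE-WITH-SHARED-SECRET
!
! Group 1 normally active on the primary, group 2 on the secondary.
! preempt 60: the preferred unit reclaims its group 60 s after it recovers.
failover group 1
 primary
 preempt 60
failover group 2
 secondary
 preempt 60
!
! Admin (management) context: only the management VLAN is allocated to it.
! Contexts without join-failover-group belong to group 1 by default.
admin-context admin
context admin
 allocate-interface TenGigabitEthernet0/6.10
 config-url disk0:/admin.cfg
!
! Production firewall, active on the primary unit
context PROD
 allocate-interface TenGigabitEthernet0/6.100
 allocate-interface TenGigabitEthernet0/7.101
 config-url disk0:/prod.cfg
 join-failover-group 1
!
! Development firewall, active on the secondary unit
context DEV
 allocate-interface TenGigabitEthernet0/6.200
 allocate-interface TenGigabitEthernet0/7.201
 config-url disk0:/dev.cfg
 join-failover-group 2
!
! Enable failover last, after groups and contexts exist
failover
!
! ===== Inside the PROD context (changeto context PROD) =====
! Each context interface needs a standby address so the unit that takes over
! the group can assume the active IP.
interface TenGigabitEthernet0/6.100
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0 standby 10.100.0.2
interface TenGigabitEthernet0/7.101
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
```

From the system space, `show failover` shows both groups and which unit is currently active for each; after the pair is up, group 1 should report active on the primary and group 2 on the secondary. The DEV context is configured the same way with its own VLAN 200/201 subinterfaces and addresses.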

Oh, I see. It's a single 10 gig fiber from each ASA in the pair to a 6509-E in a pair for internal and another single 10 gig to a pair of 3560 switches for outside. The 6509-Es are configured in non-VSS mode. Likely each context will only need 1 interface, but I'm still in the middle of figuring out the best way to handle the default route to these two contexts from the 6509s.

If you have problems with routing, you could naturally isolate the routing tables of the production and development networks into their own VRF instances instead of having them both in the global routing table on the 6509s.

- Jouni
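What the VRF suggestion above looks like on the 6509-E side, as an added example that is not from the thread or from Cisco: each context's inside VLAN gets its own VRF, so each VRF can carry its own default route toward its own ASA context without the two colliding in the global table. VRF names, route distinguishers, VLAN IDs and addresses are assumptions; the ASA-side addresses match the constructed values used for the PROD context above and an analogous DEV context.

```cisco
! ===== 6509-E (IOS), added example; all names and addresses assumed =====
! One VRF per logical firewall
ip vrf PROD
 rd 65000:100
ip vrf DEV
 rd 65000:200
!
! Trunk toward the ASA carries the management VLAN and both context VLANs
interface TenGigabitEthernet1/1
 description trunk to ASA inside (Te0/6)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,100,200
 switchport mode trunk
!
! SVIs facing the contexts; "ip vrf forwarding" must precede the address,
! because applying it clears any address already on the interface
interface Vlan100
 description to ASA context PROD inside
 ip vrf forwarding PROD
 ip address 10.100.0.10 255.255.255.0
interface Vlan200
 description to ASA context DEV inside
 ip vrf forwarding DEV
 ip address 10.200.0.10 255.255.255.0
!
! Per-VRF default routes pointing at the active IP of each context.
! The active IP moves with the failover group, so the next hop stays valid
! whichever chassis currently owns the group.
ip route vrf PROD 0.0.0.0 0.0.0.0 10.100.0.1
ip route vrf DEV 0.0.0.0 0.0.0.0 10.200.0.1
!
! Verification: each table should show only its own default route
show ip route vrf PROD
show ip route vrf DEV
```

Keeping the two VRFs separate on the switch means a Development host cannot reach Production by simply routing through the 6509; any cross-environment traffic would have to be deliberately leaked between VRFs or pass through the firewall contexts.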

Thanks. One last question. I made sub-interfaces and assigned one of each to a new context and that is working fine. What about the admin context? Is it best practice to SSH/ASDM into one of the contexts and then use changeto to get to admin/system, or should I make another sub-interface on a different VLAN and allocate that to the admin context?
