Deciding on failover strategy for ASA5520

e.dannstedt
Level 1

Hello community!

I'm not very experienced in ASA failover designs; over the years I have worked with 5505s and 5510s.

With two 5520s on my hands right now, I need to decide on the best failover design to meet the goal.

The ASA group needs to provide VPN (site-to-site, and support for Cisco's old-fashioned VPN clients) and also serve as an internet-facing firewall. Not many interfaces will be created.

Would active/active failover be a possible configuration considering the VPN setup? Can active/active be used to let one 5520 deal with VPN and the other handle the firewall (until failover occurs, when one would handle both jobs)?

Will the failover design affect the ability to administer using ASDM? I need to make sure that a small tech group can use ASDM for monitoring and some basic tasks.

Appreciate any kind of input!

Accepted Solution

Jon Marshall
Hall of Fame

You cannot run active/active and VPNs, it is not supported.

If you want to run VPNs then you need to use active/standby. Active/active is probably not what you want anyway, as it is not true active/active. With the ASAs you can have multiple virtual firewalls (contexts) on the same box. For active/active you need to run at least 2 contexts, i.e.

c1 = context 1

c2 = context 2

asa1 can be active for c1 and asa2 is standby for c1

asa1 can be standby for c2 and asa2 is active for c2

but you couldn't have asa1 and asa2 active for the same context.

With active/standby the failover design doesn't really affect using ASDM as you only update the active firewall. I generally use the CLI and not ASDM but it can be useful for people not too familiar with the CLI.

Jon
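As an added illustration of the active/standby design Jon describes (this is example configuration written for this page, not part of Jon's post or of Cisco's documentation), below is the minimal failover configuration for a pair of 5520s in single-context routed mode, which is the mode the VPN features require. Interface assignments, hostnames, IP addresses and the failover key value are assumptions; substitute your own. Only the primary unit carries the interface and VPN configuration, because the active unit replicates its running configuration to the standby over the failover link.

```cisco
! ---- Primary unit (assumed hostname and addressing) ----
! Confirm the box is in single-context mode first; VPN is not available in multiple-context mode.
! asa-a# show mode
! Security context mode: single
hostname asa-a
! Show which unit is active and its priority in the prompt, so admins never edit the standby by mistake.
prompt hostname priority state

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 no shutdown
! Dedicated failover + stateful link: no nameif, configured only through the failover commands.
interface GigabitEthernet0/3
 description failover and state link to asa-b
 no shutdown

failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! Without a key, configuration sync (including VPN pre-shared keys) crosses the link in cleartext.
failover key REPLACE-WITH-A-LONG-SHARED-SECRET
failover

! ASDM access: point the tech group at the active inside address, 10.0.0.1.
! Whichever physical unit is active holds that address, so failover is transparent to them.
http server enable
http 10.0.0.0 255.255.255.0 inside

! ---- Secondary unit: only the failover bootstrap, everything else is replicated ----
hostname asa-b
interface GigabitEthernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key REPLACE-WITH-A-LONG-SHARED-SECRET
failover
```

After both units are up, `show failover` on either box should report one unit as "Active" and the other as "Standby Ready" with the interface list showing "Normal (Monitored)". Make all changes on the active unit only; a `write memory` there saves the configuration on both.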


Replies


Great,

that was just what I was looking for. I did actually set it up (active/active) and noticed that it was no longer possible to configure VPNs.

I did have some issues going from active/active to active/passive. I'm sure it's possible but I had to forcefully remove everything and set it up again in active/passive.

Thanks!
