Disable a context for one of the ASAs (active/active mode)

I have 2 ASAs in active/active mode.
context1 is active on ASA1 (primary unit)
context2 is active on ASA2 (secondary unit)
Everything is OK.

When the failover link goes down, the primary and secondary units will both become active for both contexts (this is normal behavior).
But I want that when my failover link goes down, the primary unit is active for one of them, and the secondary unit is active for the other one.
How do I do it?
OR
How do I suspend or disable a context for one of the ASAs (not remove it)?
I don't want one of the ASAs to transmit both contexts' traffic at the same time when the failover link goes down.


My Config:

failover
failover lan unit primary
failover lan interface ACTIVEFOLINK GigabitEthernet0/5
failover key test
failover link SATETEFULL GigabitEthernet0/4
failover interface ip ACTIVEFOLINK 192.168.22.1 255.255.255.0 standby 192.168.22.2
failover interface ip SATETEFULL 192.168.23.1 255.255.255.0 standby 192.168.23.2
failover group 1
preempt 120
replication http
failover group 2
secondary
preempt 120
replication http


admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!

context context1
allocate-interface GigabitEthernet0/0.96 visible
allocate-interface GigabitEthernet0/2.50 visible
config-url disk0:/context1.cfg
join-failover-group 1


context context2
allocate-interface GigabitEthernet0/3.51 visible
allocate-interface GigabitEthernet0/3.57 visible
config-url disk0:/context2.cfg
join-failover-group 2


7 Replies

You can configure the ASAs for load balancing,
making one ASA active for context 1 and the other ASA active for context 2.

A failover link that is down is not a healthy status, and you cannot control which one is active and standby.

Don't use EEM.

A failover link being down is not healthy and can cause issues in your network.

Configure the contexts to be load-balanced between the two FWs.

If you make the FWs standalone, then you lose high availability.

MHM

Share the output of "show failover" <- let's see what status both ASAs are running now (in a healthy status).
Thanks

MHM

@MHM Cisco World The poster already has an Active/Active setup providing load-balancing.  The issue is how this setup behaves during a specific failure situation, and in this case that is when the failover link is down for whatever reason.  Of course when any link is "down" it is not healthy and should be fixed ASAP, but how the setup behaves during the failure situation and until it is fixed is what this topic is about, and the only way I see to do what is being asked is using EEM or some other automation tool.

Alternatively, we could discuss if this is the best setup for the requirements.  Perhaps looking into having the ASAs in a cluster setup is a better solution.

--
Please remember to select a correct answer and rate helpful posts

thanks for your reply 
Yes, that is my concern: EEM in a not-healthy status does not solve it.
BUT sure, a cluster is much better.
Thanks again
MHM

Ruben Cocheno
Spotlight

@hamidreza.taghipur 

I don't believe that you can disable a firewall context; it was not designed that way, as you want to have redundancy if something goes wrong with one appliance. If you require that the other firewall not process the traffic from another context, you either split the firewalls and move to standalone mode, or try to disable the interfaces that belong to the failed context. This option requires manual intervention.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Passing all traffic through a single ASA in an Active/Active setup when the failover link is down might be a little tricky.  You might be able to do something using EEM where you look for the failover link down situation and then either perform a failover, or shut down all the data interfaces (I think you need to monitor the interfaces for this to work).  It might be more complicated than it is worth, but it is an option.

EEM example: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

As mentioned by @Ruben Cocheno there is no way of "disabling" a context.  You would either need to have both contexts active on the same ASA or find some "hack" as I mentioned above using EEM or something else.

--
Please remember to select a correct answer and rate helpful posts
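The detect-and-react logic the two replies above sketch (watch for the failover link going down, then either push one failover group back to standby or shut the foreign context's data interfaces), written out as an added example; this is editor-supplied code, not from any poster in the thread or from Cisco. One caveat a practitioner should know before reaching for EEM: the ASA configuration guide lists EEM as supported in single context mode only, and Active/Active failover requires multiple context mode, so the watcher would have to be an external poller that pulls "show failover" over SSH, which is what this code assumes. The "show failover" text below is a constructed sample modelled on the real layout (not captured from the poster's units); the group-to-unit mapping and interface names are taken from the poster's config; and the emitted CLI (the "no failover active group N" exec command, and "shutdown" on the allocated interfaces in the system execution space) are the two options the replies mention. Whether a unit honours those commands while its mate is unreachable is something to confirm in a lab before trusting it in production. Fetching the output and pushing the commands are left to the caller.

```python
"""Split-brain watcher for an Active/Active ASA pair (added example, not from
the thread). Parses 'show failover' text and decides whether this unit is
carrying a failover group it should not own while the failover link is down."""
import re
from dataclasses import dataclass, field

# Intended owner of each failover group, from the poster's config: group 1
# defaults to the primary unit, group 2 carries the 'secondary' keyword.
HOME_UNIT = {1: "Primary", 2: "Secondary"}

# Data interfaces allocated to the context that joined each group
# (poster's config: context1 -> group 1, context2 -> group 2).
GROUP_INTERFACES = {
    1: ["GigabitEthernet0/0.96", "GigabitEthernet0/2.50"],
    2: ["GigabitEthernet0/3.51", "GigabitEthernet0/3.57"],
}


@dataclass
class FailoverState:
    this_unit: str                 # "Primary" or "Secondary"
    lan_link_up: bool              # state of the failover LAN interface
    this_groups: dict = field(default_factory=dict)   # group id -> state text
    other_groups: dict = field(default_factory=dict)


def parse_show_failover(text: str) -> FailoverState:
    """Extract unit role, failover-link state and per-group states from
    'show failover' output. Raises ValueError on unrecognised text."""
    link = re.search(r"^Failover LAN Interface:.*\((up|down)\)", text, re.M)
    unit = re.search(r"^Failover unit (Primary|Secondary)", text, re.M)
    if not link or not unit:
        raise ValueError("not 'show failover' output (unit or LAN interface line missing)")
    state = FailoverState(this_unit=unit.group(1), lan_link_up=link.group(1) == "up")
    section = None  # which host block the following 'Group N State:' lines belong to
    for line in text.splitlines():
        if re.match(r"\s*This host:", line):
            section = state.this_groups
        elif re.match(r"\s*Other host:", line):
            section = state.other_groups
        elif section is not None:
            g = re.match(r"\s*Group (\d+)\s+State:\s+(.+?)\s*$", line)
            if g:
                section[int(g.group(1))] = g.group(2)
    return state


def plan_remediation(state: FailoverState, method: str = "standby") -> list[str]:
    """Return the system-execution-space CLI to apply, or [] when nothing is
    wrong. Acts only when the failover link is down AND this unit is Active
    for a group whose home is the other unit (the split-brain case)."""
    if state.lan_link_up:
        return []
    cmds: list[str] = []
    for group, gstate in sorted(state.this_groups.items()):
        if not gstate.startswith("Active") or HOME_UNIT.get(group) == state.this_unit:
            continue
        if method == "standby":
            # exec-mode command: push this group back to standby on this unit
            cmds.append(f"no failover active group {group}")
        elif method == "shutdown":
            # fallback from the thread: admin-down the foreign context's data
            # interfaces so only the home unit forwards for that context
            for ifname in GROUP_INTERFACES[group]:
                cmds += [f"interface {ifname}", " shutdown"]
        else:
            raise ValueError(f"unknown method {method!r}")
    return cmds


# Constructed sample modelled on the real 'show failover' layout: link down and
# the primary has gone Active for both groups (the situation in the question).
SAMPLE_SPLIT_BRAIN = """\
Failover On
Failover unit Primary
Failover LAN Interface: ACTIVEFOLINK GigabitEthernet0/5 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Group 1 last failover at: 10:52:22 UTC Jan 1 2024
Group 2 last failover at: 11:03:09 UTC Jan 1 2024

  This host:    Primary
  Group 1       State:          Active
                Active time:    86400 (sec)
  Group 2       State:          Active
                Active time:    12 (sec)

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    0 (sec)
  Group 2       State:          Failed
                Active time:    86388 (sec)
"""

# Constructed healthy variant: link up, each unit owns its home group.
SAMPLE_HEALTHY = (SAMPLE_SPLIT_BRAIN.replace("(down)", "(up)")
    .replace("Group 2       State:          Active", "Group 2       State:          Standby Ready", 1)
    .replace("Group 1       State:          Failed", "Group 1       State:          Standby Ready")
    .replace("Group 2       State:          Failed", "Group 2       State:          Active"))

if __name__ == "__main__":
    st = parse_show_failover(SAMPLE_SPLIT_BRAIN)
    print(f"{st.this_unit}: link up={st.lan_link_up} groups={st.this_groups}")
    for cmd in plan_remediation(st):
        print(cmd)
```

In a real deployment the poller would run on a host with its own path to both units, read "show failover" from each, and only act on the unit that is Active for a group it does not own; the "standby" method is the lighter touch, the "shutdown" method is the blunt one and must be reverted by hand once the failover link is repaired.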