12-10-2014 01:32 AM - edited 03-11-2019 10:12 PM
Hi Security Experts,
Good Day!
Just want to have some input because my client said they want to have an Active/Active ASA firewall; however, they are still deciding whether they will be using multiple or single context mode.
Based on my research over the internet, Active/Active is only available in multiple context mode and Active/Standby in single context mode; however, they have 1 ASA installed in production which is in multiple context mode but currently in Active/Standby. Is that really recommendable?
Thank you and have a nice day!
Cheers,
Niks
12-10-2014 04:21 PM
Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.
As of ASA 9.2 you can run single context mid-range ASAs (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.
(Of course the high end 5585 can scale up to 8-node clusters.)
12-10-2014 09:59 PM
Hi Marvin,
Good Day!
Thank you very much for the response. By the way, the ASA that we will be using is the ASA5585-X SSP-10.
Is the remote-access VPN already supported in the latest OS of the ASA in multiple context mode with Active/Active mechanism?
Thank you very much for your feedback.
Niks
12-11-2014 02:17 AM
Hi,
Only LAN-to-LAN VPN is supported with multiple context ASA 9.x.
Thanks and Regards,
Vibhor Amrodia
12-11-2014 06:53 AM
Right - there's no remote access VPN support on any multiple context ASA, no matter the software version.
12-11-2014 07:38 PM
Hi Marvin,
Good Day!
Last question: how about single-context mode with the Active/Active mechanism? Is remote-access VPN supported in that setup?
Thank you very much for the help.
Niks,
12-11-2014 08:01 PM
Active-active is a term used in ASA failover pairs. Active-active is only possible with multiple contexts and no remote access VPN is supported into multiple context ASA failover pairs.
If you have an ASA cluster (2-node or, on 5595-X, more) you still cannot use remote access VPN. Reference.