
Failover Mechanism for Single Context Mode

fatalXerror

Hi Security Experts,

Good Day!

I just want to have some input, because my client said they want to have an Active/Active ASA firewall; however, they are still deciding whether they will be using multiple or single context mode.

Based on my research over the internet, Active/Active is only available in multiple context mode and Active/Standby in single context mode. However, they have 1 ASA installed in production which is in multiple context mode but currently in Active/Standby. Is that really recommendable?

Thank you and have a nice day!

Cheers,

Niks

Accepted Solution

Marvin Rhoads

Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.

As of ASA 9.2 you can run single context mid-range ASAs (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.

(Of course the high end 5585 can scale up to 8-node clusters.)

 


Hi Marvin,

Good Day!

Thank you very much for the response. By the way, the ASA that we will be using is the ASA5585-X SSP-10.

Is the remote-access VPN already supported in the latest OS of the ASA in multiple context mode with Active/Active mechanism?

Thank you very much for your feedback.

Niks

Hi,

Only LAN-to-LAN VPN is supported with multiple context ASA 9.x.

Thanks and Regards,

Vibhor Amrodia

Right - there's no remote access VPN support on any multiple context ASA, no matter the software version.

Please take a moment to rate helpful posts.

Hi Marvin,

Good Day!

Last question: how about a single-context mode with Active/Active mechanism, is the remote-access VPN supported in that setup?

Thank you very much for the help.

Niks,

Active-active is a term used in ASA failover pairs. Active-active is only possible with multiple contexts and no remote access VPN is supported into multiple context ASA failover pairs.

If you have an ASA cluster (2-node or, on 5595-X, more) you still cannot use remote access VPN. Reference.
