Solved: Failover Mechanism for Single Context Mode

fatalXerror · ‎12-10-2014

Hi Security Experts,

Good Day!

Just want to have some inputs because my client said they want to have an Active/Active ASA firewall however they are still thinking if they will be using a multiple or single context mode.

Based on my research over the internet, Active/Active is only available on multiple context mode and Active/Standby in single context mode however, they have 1 ASA installed in production which is in multiple context but currently in Active/Standby. Is that really recommendable?

Thank you and have a nice day!

Cheers,

Niks

Marvin Rhoads · ‎12-10-2014

Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.

As of ASA 9.2 you can run single context mid-range ASA's (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.

(Of course the high end 5585 can scale up to 8-node clusters.)

View solution in original post

Marvin Rhoads · ‎12-10-2014

Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.

As of ASA 9.2 you can run single context mid-range ASA's (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.

(Of course the high end 5585 can scale up to 8-node clusters.)

fatalXerror · ‎12-10-2014

Hi Marvin,

Good Day!

Thank you very much for the response. By the way, the ASA that we will be using is the ASA5585-X SSP-10.

Is the remote-access VPN already supported in the latest OS of the ASA in multiple context mode with Active/Active mechanism?

Thank you very much for your feedback.

Niks

Vibhor Amrodia · ‎12-11-2014

Hi,

Only the Lan to Lan VPN is supported with Multiple context ASA 9.x.

Thanks and Regards,

Vibhor Amrodia

Marvin Rhoads · ‎12-11-2014

Right - there's no remote access VPN support on any multiple context ASA, no matter the software version.

Please take a moment to rate helpful posts.

fatalXerror · ‎12-11-2014

Hi Marvin,

Good Day!

Last question, how about a single-context mode with Active/Active mechanism, is the remote-access VPN supported in that setup?

Thank you very much for the help.

Niks,

Marvin Rhoads · ‎12-11-2014

Active-active is a term used in ASA failover pairs. Active-active is only possible with multiple contexts and no remote access VPN is supported into multiple context ASA failover pairs.

If you have an ASA cluster (2-node or, on 5595-X, more) you still cannot use remote access VPN. Reference.