12-10-2014 01:32 AM - edited 03-11-2019 10:12 PM
Hi Security Experts,
Good Day!
I just want to get some input because my client said they want to have an Active/Active ASA firewall; however, they are still deciding whether they will be using multiple or single context mode.
Based on my research over the internet, Active/Active is only available in multiple context mode and Active/Standby in single context mode; however, they have 1 ASA installed in production which is in multiple context mode but currently in Active/Standby. Is that really recommendable?
Thank you and have a nice day!
Cheers,
Niks
12-10-2014 04:21 PM
Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.
As of ASA 9.2 you can run single context mid-range ASAs (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.
(Of course the high end 5585 can scale up to 8-node clusters.)
12-10-2014 09:59 PM
Hi Marvin,
Good Day!
Thank you very much for the response. By the way, the ASA that we will be using is the ASA5585-X SSP-10.
Is the remote-access VPN already supported in the latest OS of the ASA in multiple context mode with Active/Active mechanism?
Thank you very much for your feedback.
Niks
12-11-2014 02:17 AM
Hi,
Only LAN-to-LAN VPN is supported with multiple context ASA 9.x.
Thanks and Regards,
Vibhor Amrodia
12-11-2014 06:53 AM
Right - there's no remote access VPN support on any multiple context ASA, no matter the software version.
Please take a moment to rate helpful posts.
12-11-2014 07:38 PM
Hi Marvin,
Good Day!
Last question, how about a single-context mode with Active/Active mechanism, is the remote-access VPN supported in that setup?
Thank you very much for the help.
Niks
12-11-2014 08:01 PM
Active-active is a term used in ASA failover pairs. Active-active is only possible with multiple contexts and no remote access VPN is supported into multiple context ASA failover pairs.
If you have an ASA cluster (2-node or, on 5595-X, more) you still cannot use remote access VPN. Reference.