Failover Mechanism for Single Context Mode

fatalXerror
Enthusiast

Hi Security Experts,

 

Good Day!

 

Just want to have some input because my client said they want to have an Active/Active ASA firewall; however, they are still thinking about whether they will be using multiple or single context mode.

 

Based on my research over the internet, Active/Active is only available in multiple context mode and Active/Standby in single context mode. However, they have 1 ASA installed in production which is in multiple context but currently in Active/Standby. Is that really recommendable?

 

Thank you and have a nice day!

 

 

Cheers,

 

Niks

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
VIP Community Legend

Active-active is a bit of a misnomer (in my opinion) since a given context is always active / standby. It's more of a marketing term since with 2+ contexts one unit can be active for context A and the other unit active for context B etc.

As of ASA 9.2 you can run single context mid-range ASAs (or multiple context) as 2-node clusters. That may be a better solution for some - although you don't get 2x the performance (more like 1.2-1.4x), you do get true active-active.

(Of course the high end 5585 can scale up to 8-node clusters.)


6 Replies

Hi Marvin,

Good Day!

 

Thank you very much for the response. By the way, the ASA that we will be using is the ASA5585-X SSP-10.

Is the remote-access VPN already supported in the latest OS of the ASA in multiple context mode with Active/Active mechanism?

 

Thank you very much for your feedback.

 

Niks

Hi,

Only the LAN-to-LAN VPN is supported with Multiple context ASA 9.x.

Thanks and Regards,

Vibhor Amrodia

Right - there's no remote access VPN support on any multiple context ASA, no matter the software version.

Please take a moment to rate helpful posts.

Hi Marvin,

Good Day!

 

Last question, how about a single-context mode with Active/Active mechanism, is the remote-access VPN supported in that setup?

 

Thank you very much for the help.

 

Niks,

Active-active is a term used in ASA failover pairs. Active-active is only possible with multiple contexts and no remote access VPN is supported into multiple context ASA failover pairs.

If you have an ASA cluster (2-node or, on 5595-X, more) you still cannot use remote access VPN. Reference.
