03-13-2013 01:31 AM - edited 03-11-2019 06:13 PM
My question is as simple as the title!
Let me know.
Regards!
03-13-2013 03:32 AM
With an active-standby setup, yes, ALL VPN types are supported. However, with active-active, you must have your ASA in multiple-context mode, and VPN is not supported with multi-context mode; however, starting with ASA version 9.0, only site-to-site VPN is supported with multi-context mode.
03-13-2013 03:32 AM
As of ASA 9.0 you can have static L2L VPN in multi-context mode.
In single-context mode we've been supporting different VPNs for years.
03-13-2013 04:39 AM
Does it mean that you still have a separate HSRP group for L2L VPN in Active/Active? In other words, traffic from the same source going to the same destination will traverse only one ASA, and the other ASA will serve as standby?
03-13-2013 05:20 AM
I am not sure I understood your question properly, David.
With active/active failover, the ASA will be configured with more than one context (usually), and failover status will be according to the failover group, so certain contexts will be active on ASA1 and standby on ASA2, while the other contexts will be active on ASA2 and standby on ASA1.
So in the end, each context is considered a firewall on its own, unrelated to other contexts.
So starting with version 9.0.1, you can configure static L2L tunnels on each context as needed.
I hope that this answers your question; if not, please provide more details.
Regards,
Othman
03-13-2013 05:29 AM
In Cisco ASA active/active firewalls, let's say you have two networks, 192.168.1.0/24 and 192.168.2.0/24, behind the firewall trying to get to 1.1.1.1.
Active/Active in Cisco ASA means that 192.168.1.0/24 will go through ASA1 and 192.168.2.0/24 will go through ASA2 to get to 1.1.1.1. It is like multiple HSRP groups where ASA1 is active for group 1 and ASA2 is standby for group 1, while ASA2 is active for group 2 and ASA1 is standby for group 2.
That is different from Active/Active with other vendors. With their Active/Active, you can have the same 192.168.1.0/24 going across both firewalls for the same destination 1.1.1.1.
That's what I mean.
03-13-2013 05:37 AM
To simplify it, each context will act as a separate firewall, and for a certain failover group, the context will be active on ASA1 and standby on ASA2, so traffic for the subnets behind that context will pass through the active firewall, not the standby.
Traffic will not pass through both firewalls for the same context; it's not actually load balancing here, but more of load distribution between the 2 ASA units.
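As an added illustration of the failover-group model Othman describes (an example configuration written for this thread, not taken from any post here or from Cisco documentation): the system execution space of the primary unit, where context ctxA joins failover group 1 (normally active on the primary unit) and ctxB joins failover group 2 (normally active on the secondary unit). The hostname, interface and context names, VLAN ids and failover-link addresses are assumed for the example; the unit is assumed to already be in multiple-context mode.

```cisco
! System execution space of the primary unit (assumed names and addresses)
hostname asa-primary
!
! One dedicated interface carries both the LAN failover link and the state link
interface GigabitEthernet0/3
 description LAN/STATE failover link
!
! Data interfaces are split into subinterfaces so each context gets its own VLANs
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.20
 vlan 120
!
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Group 1 is normally active on the primary unit, group 2 on the secondary;
! preempt returns each group to its preferred unit after that unit recovers
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! ctxA (think 192.168.1.0/24 behind it) is active on ASA1, standby on ASA2
context ctxA
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/ctxA.cfg
 join-failover-group 1
!
! ctxB (think 192.168.2.0/24 behind it) is active on ASA2, standby on ASA1
context ctxB
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
! Enable failover last, once the link and groups are defined
failover
```

The secondary unit carries the same configuration except `failover lan unit secondary`; the context configurations themselves (and, on 9.0 and later, a static L2L crypto map inside a context) are written in each context, not in the system space. `show failover` from the system space lists the state of each group on each unit, which is the quickest way to confirm that all traffic for ctxA really is flowing through only the unit where group 1 is active, as the thread explains.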
03-13-2013 05:41 AM
Thank you for the clarification. That's what I am afraid of. Cisco's interpretation of "Active/Active" is not the same as other vendors'. IMHO, it is misleading. Basically, it has not changed since version 7.x.
It is all in the fine print, not those big words.
03-13-2013 06:02 AM
It is actually active/active, since 1 device is active for a certain group of contexts, and the other device is active for the other group of contexts.
It's like instead of having 10 contexts passing traffic on 1 device, you have 5 contexts passing traffic on ASA1 and the other 5 on ASA2, so it is achieving reasonable load sharing so you do not overwhelm 1 device with all that amount of traffic.
And you are correct, it is still the same concept as it was in version 7.x.
03-13-2013 06:39 AM
It is active/active per virtual context, but certainly not active/active within a particular context.
I will give you an example. Let's say you have 192.168.1.0/24 and 192.168.2.0/24 and, for the sake of argument, you have 100Mbps on both ASA1 and ASA2, and the networks 192.168.1.0/24 and 192.168.2.0/24 are on 1Gbps links.
Now let's say that 192.168.1.0/24 needs to access 1.1.1.1, and ASA1 is active for .1.0/24 and ASA2 is standby for .1.0/24, and vice versa for .2.0/24. Let's assume that there is very little traffic on network 192.168.2.0/24.
Based on Cisco's definition of active/active, you will max out at 100Mbps on 192.168.1.0/24 getting to 1.1.1.1 on ASA1 while ASA2 is just sitting idle. For a true active/active, I should get 200Mbps.
That's why I said "Active/Active" in Cisco is kinda misleading... That's why you need to read the fine print.