Logan Kampsnider
Beginner

ASA 5585 Active/Active Questions

Hello,

We purchased (2) Cisco ASA 5585X firewalls and would like to do Active/Active with multiple-context firewalls on them. I have a couple of questions that I haven't been able to answer myself through Cisco docs or Google that I'm hoping someone here has experience with or knows the answer to.

Pre-Question Information: We plan on using both Failover Groups to load balance 4 context firewalls between our ASAs, so 2 on each ASA.

Questions

1. When enabling multi-context mode, I understand that the "admin" context will have the management IP configured on it and you would use that to SSH into the ASA and manage all contexts. Since each context has an active/standby IP address assigned to it and the admin context is part of Failover Group 1, what happens when Failover Group 1 needs to fail over all of its contexts to the other ASA? Does it also fail over the admin context, thereby requiring me to use the management IP that I normally used to connect into the primary ASA to connect to the secondary ASA now?

2. When using multi-context mode, I understand that each IP address assigned within a context needs an active and standby IP assigned. This implies that any IP assigned to the context firewall could change the ASA that it is active on during a failover scenario. I would like to assign each ASA in the Active/Active cluster an IP address in our routing VLAN that will not switch between ASAs, regardless of whether one fails. Is this possible to do when multi-context mode is on? Basically, is there any way to configure an interface to NOT fail over in a failover situation with Active/Active?

Thanks all, I appreciate any help on this.

Logan

3 REPLIES
vishaw jasrotia
Beginner

Hey

Here is the reply to your Questions.

Q1> Either the ASA goes down or the interface in that group goes down.

When you use the ASA in failover, your primary IP will remain the same on both firewalls, but the IP is active on the primary ASA.

Q2> Yes you can, but for that you need to create a context and assign that particular interface to that context.

Thanks

Hi Vishaw,

Thank you for your reply. I'm not sure I understand your explanation of question one. Perhaps I am misunderstanding how context firewalls work in an Active/Active configuration. I'm under the impression that the admin context, which is part of Failover Group 1, can only be active on one ASA and standby on another. The IP for the admin context is the system management IP that you use to SSH. In a failover situation for the primary ASA, the Failover Group 1 would cease being active on the primary ASA and become active on the secondary. This would make the active management IP now present on the secondary ASA, which to me doesn't seem right as it would cause a lot of confusion as to which device you're SSH'd into.

As for the second question, you say to assign an interface to a context. However, aren't contexts only active on one firewall at a time? This would mean our secondary ASA wouldn't be able to participate in that context and assume an IP address in that same routing subnet.

I think I may have a fundamental misunderstanding on how contexts work in an Active/Active setup, but I cannot find any further explanation in Cisco docs.

Thanks,

Logan

"I'm under the impression that the admin context, which is part of Failover Group 1, can only be active on one ASA and standby on another. The IP for the admin context is the system management IP that you use to SSH. In a failover situation for the primary ASA, the Failover Group 1 would cease being active on the primary ASA and become active on the secondary. This would make the active management IP now present on the secondary ASA, which to me doesn't seem right as it would cause a lot of confusion as to which device you're SSH'd into."

I know this is an old conversation but I thought I would add clarity. The admin context DOES in fact move from A -> B. It sends out a reverse ARP. If you were to be on the admin and something went askew, you would be dropped from admin and need to connect again.

"However, aren't contexts only active only active on one firewall at a time? This would mean our secondary ASA wouldn't be able to participate in that context and assume an IP address in that same routing subnet."

So in order for it to work properly on A/A (per my understanding) you have to be able to fail over. However, you could turn off monitoring on that firewall port on both ASAs. Meaning if you had port 4 on both ASA firewalls plugged in, you can turn off monitoring for A/A (or A/S for that matter) and it would just "die" on that interface. This would then fail to cause the context to flip over to the other ASA. However, since you have to have 100% parity (meaning the same on each firewall), there really isn't a good reason to NOT have it do this. You do not want to over-subscribe the ASAs unless you REALLY have to. If you need something to just die, you may want to look at a purpose-built ASA or A/S set.
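As an added example that is not from any of the posts above, here are the system-space and context-level configuration pieces the thread is talking about: two failover groups, the admin context joined to group 1 (so its management IP follows that group), a data context in group 2, and interface monitoring disabled on one interface so a link failure there does not trigger a failover. Interface names, context names and the RFC 5737 / private addresses are placeholders chosen for this example.

```cisco
! --- System execution space (kept identical on both units) ---
mode multiple
failover
! Unit role and failover link; interface names are placeholders for this example
failover lan unit primary
failover lan interface folink GigabitEthernet0/1
failover link folink GigabitEthernet0/1
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
! Group 1 is normally active on the primary unit, group 2 on the secondary
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
! The admin context rides in group 1, so its management IP moves with group 1;
! the standby unit can still be reached on the standby management address
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
  join-failover-group 1
! A data context placed in group 2
context ctx2
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/ctx2.cfg
  join-failover-group 2
!
! --- Inside context ctx2 (changeto context ctx2) ---
interface GigabitEthernet0/2
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
interface GigabitEthernet0/3
  nameif routing
  security-level 100
  ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
! Monitoring is on by default for physical interfaces; turning it off on
! "routing" means a link failure there no longer counts toward failing this
! context over. The active/standby pair still swaps when the group itself fails over.
no monitor-interface routing
```

Verify the group state with `show failover` in the system space and the per-interface monitoring state with `show monitor-interface` inside the context.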