Individual Admin Contexts on Active/Active pair...

Mar 10th, 2009

Quick question:

Customer is building a management network within the overall data network.

Customer has a pair of ASAs doing Active/Active multi-context with IPS modules. These ASAs are located in two different data centers served by two different service providers.

Customer wants to establish a third new device management Admin context to exist in their L3 device mgmt VRF, but exist alongside the existing production data contexts.

Question: in this above configuration, is there any requirement for Admin contexts to be configured in a failover arrangement on the pair of ASAs doing Active/Active for the other contexts, such that they require the same L2 connectivity between the firewalls for a given context?

Or, can the Admin context(s) on each firewall exist independently using unique IP addresses...

(This approach would require no additional L2 span between the data centers where each physical ASA is located, and would allow each firewall to be individually accessed through its own unique IP address, i.e. the FWs, from an admin perspective, would exist on two different VLANs.)

vikram_anumukonda Tue, 03/10/2009 - 23:32

"The admin context is always assigned to failover group 1"

So you cannot have the admin contexts exist independently (one will be active and the other standby).

HTH

Vikram
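As an added illustration (not from either poster), here is how the system execution space on an Active/Active pair lays out the two failover groups and the contexts that join them; the interface names, context names and addresses are constructed placeholders.

```text
! System execution space of the primary unit (constructed example).
! Active/Active: two failover groups, each context is a member of one.
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 description management context - always a member of failover group 1
 allocate-interface GigabitEthernet0/0.100 mgmt
 config-url disk0:/admin.cfg
 ! No join-failover-group line: the admin context is fixed in group 1,
 ! so one unit is active and the other standby for it.
!
context dc-data
 allocate-interface GigabitEthernet0/1.200 outside
 allocate-interface GigabitEthernet0/2.200 inside
 config-url disk0:/dc-data.cfg
 join-failover-group 2
!
! admin.cfg (constructed): the management interface carries one
! active/standby address pair on a single VLAN, which is why both
! physical units need L2 adjacency on GigabitEthernet0/0.100 rather
! than independent addresses on separate VLANs.
interface mgmt
 nameif management
 security-level 100
 ip address 198.51.100.10 255.255.255.0 standby 198.51.100.11
```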

mprescher Wed, 03/11/2009 - 09:28

Thanks - that is how I interpreted this line as well. Any admin context (and you only get one per firewall) would appear in the same failover group, so 1) they would be failover partners of one another and 2) the ASA would view any L3 addressing for the context as being required to be within the same VLAN.
