12-29-2009 01:34 AM - edited 03-11-2019 09:52 AM
12-29-2009 01:51 AM
Hi,
We can configure PIX/ASA/FWSM in the following scenarios.
1. At least we have to configure 2 contexts, and we have to allocate these contexts into failover groups.
2. If you are running the firewall in routing mode then at least you should have a minimum of 2 networks, i.e. one inside interface and the other one an outside interface per context.
3. If you want to configure this in FWSM, the same condition needs to apply as I said in point number 2.
For further information, please have a look at this file from Cisco.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
Thanks
Karuppuchamy, CCIE(R&S)
12-29-2009 02:17 AM
Hi Karuppuchamy,
Thanks for your prompt response.
Your quoted points are acceptable and I am agreeing cent percent.
But my question is very specific. Let me repeat it again for your best understanding.
"If I have only one VLAN (network), whether it is possible to have Active/Active FO, so that traffic from this network will pass through both the Firewalls"
Thanks in advance
sairam
12-29-2009 04:33 AM
Sairam,
If you have only one vlan what is the need for a firewall? To firewall this one vlan's traffic from going where? Is this an internet facing firewall? Why do you want this traffic to traverse both contexts? Is there asymmetry involved? One reason to go active/active is to allow asymmetrical traffic but, now with the latest code, we have tcp state-bypass to accomplish that.
Active/active is configured so we can load balance and use both the firewalls by making some contexts active on one firewall while having the other contexts active on the other firewall, so the expensive piece of hardware is not sitting dormant waiting to function only when there is a problem with one firewall.
-KS
12-29-2009 10:17 PM
Hi sankar,
Thanks for your response.
Yes, I have one VLAN, say VLAN 1, as INSIDE users. This Firewall is internet facing and has 2 Zones, INSIDE & OUTSIDE.
My understanding is CONTEXT A in Firewall 1 is ACTIVE & CONTEXT B in Firewall 2 is active. Can both CONTEXTs be in the same network as the VLAN 1 network?
Also I understand that VLAN 1 users have their default gateway as either CONTEXT A or CONTEXT B. If both these Contexts should be in different networks, what will be the default gateway of the INSIDE users?
The Firewall does not intelligently load balance the traffic as GLBP does. I think Firewall Active/Active just works like MHSRP. Is it so?
Is my understanding correct? Expecting your valuable comments please.
sairam
12-29-2009 10:56 PM
Hi,
Whether both contexts can be in the same network --- yes, it can be, because their routing tables and cfg files are all together different, so we can use the same network for different contexts.
When we are using the same network segment, that is VLAN 1, in both contexts:
if we are using different IPs for both contexts, then the user has to change his gateway. If the user wants to send the traffic via context A then he has to change his gateway IP to the context A VLAN 1 IP address, and vice-versa.
If we are using the same IP address for both context A and context B then it may lead to an ARP entry problem, because you have to connect the firewall into an L2 switch where all the users are connected.
Firewall is not intelligently load balancing the traffic --- Yes. It will not load balance intelligently. Active-Active failover in the sense that we can use the firewall hardware efficiently, nothing more. Rest-all it is just like active-standby.
In Active-Standby failover, one firewall will always sit idle... there is no use of that firewall. If the Primary fails, then only will it be useful. To avoid these issues,
we can configure active-active failover. We can use the hardware efficiently.
Hope this will help you.
Karuppuchamy CCIE(R&S),CCSP
12-30-2009 01:09 AM
Hi Karuppuchamy,
I have to appreciate your involvement and sharing your ideas with me. Thanks
Your answer mentioning that the Firewall will not load balance intelligently like GLBP is very convincing and reassures my understanding of the logic behind Cisco Active/Active. FW A/A logic is similar to MHSRP (a set of devices will have Context A as Default Gateway & another set of devices will have Context B as Default Gateway).
So I assume that Active/Active will not solve the Failover time (Minimum Hello 500ms and Holdtime), so the 1.5 sec delay cannot be avoided even when the firewall is configured in Active/Active. Am I correct??
Hope you will clarify this also.
sairam
12-30-2009 01:24 AM
Hi,
"so, 1.5 sec delay cannot be avoided even when the firewall is configured in Active/Active. Am I correct??" --- Yes.
In both the failover scenarios (active-active and active-standby) we cannot avoid this situation. When we are doing failover in a live network, data traffic will see no impact but voice traffic will be impacted.
Hope this helps you to understand.
Karuppuchamy CCIE(R&S),CCSP
12-30-2009 03:16 AM
Thanks Karuppuchamy,
I will rate this as extremely helpful and the answer. Thanks
sairam
01-04-2010 10:03 AM
Hi,
You can also achieve load balancing without splitting the devices into different sets and setting them different Default GWs. If you have routers in front of and behind the firewalls (contexts) that are capable of doing equal path load balancing (IOS routers and L3 switches do), you can let the router manage the load balancing, either per-flow or even per-packet. The 'per-flow' method is the default and recommended, especially if there are firewalls in the mid-path. In the IOS case the load balancing is supported with both static and dynamic routing. Having CEF enabled on the routers and having equal routing path costs all the way router-to-router for each L3 path are critical to get things really working.
HTH.
Regards,
Vasil
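To illustrate why Vasil's per-flow recommendation matters with stateful firewalls in the mid-path, here is an added example (not from this thread, Cisco, or any of the posters) modelling two firewall contexts behind equal-cost routers: per-packet splitting sends replies to a context that holds no connection state, which drops them, while a symmetric per-flow hash keeps both directions of a flow on one context. The sample flows, the symmetric hash and the drop-when-no-state behaviour are modelling assumptions, not CEF's real hashing or the ASA's actual inspection logic.

```python
import hashlib
from itertools import cycle
# Constructed sample flows as 5-tuples: (src, dst, proto, sport, dport)
FLOWS = [
    ("10.1.1.10", "198.51.100.5", "tcp", 40001, 443),
    ("10.1.1.12", "203.0.113.9", "udp", 5060, 5060),
]

def reverse(pkt):
    src, dst, proto, sport, dport = pkt   # the reply packet's 5-tuple
    return (dst, src, proto, dport, sport)

def per_flow_path(pkt, n_paths=2):
    """Per-flow choice: hash the flow so both directions pick the same path.
    Sorting the endpoints makes the hash symmetric (a modelling assumption,
    not CEF's real hash); in practice this needs equal-cost paths end to end."""
    src, dst, proto, sport, dport = pkt
    key = "|".join(map(str, sorted([(src, sport), (dst, dport)]) + [proto]))
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n_paths

def make_per_packet(n_paths=2):
    """Per-packet choice: round-robin, ignoring which flow a packet belongs to."""
    rr = cycle(range(n_paths))
    return lambda pkt: next(rr)

class StatefulContext:  # one firewall context with its own connection table
    def __init__(self):
        self.state, self.dropped = set(), 0

    def forward(self, pkt, from_inside):
        if from_inside:                  # inside-initiated packet creates state
            self.state.add(pkt)
            return True
        if reverse(pkt) in self.state:   # reply must match an existing entry
            return True
        self.dropped += 1                # no state on this context: dropped
        return False

def simulate(choose_path):
    """Run request/reply exchanges; return (replies delivered, replies dropped)."""
    contexts = [StatefulContext(), StatefulContext()]   # context A, context B
    delivered = 0
    for flow in FLOWS:
        for _ in range(3):               # three exchanges per flow
            contexts[choose_path(flow)].forward(flow, from_inside=True)
            reply = reverse(flow)
            if contexts[choose_path(reply)].forward(reply, from_inside=False):
                delivered += 1
    return delivered, sum(c.dropped for c in contexts)
```

With per-flow hashing every reply reaches the context that saw the request; with per-packet round-robin the replies land on the other context and are dropped, which is the asymmetry that tcp state-bypass mentioned earlier in the thread exists to work around.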