ASA Active Active

Unanswered Question
Feb 11th, 2010

Can I have VPN LAN-to-LAN tunnels with an active/active configuration on a pair of Cisco 5520s?

Collin Clark Thu, 02/11/2010 - 08:10

You can, but you must go to the physical interface IP and not the virtual.

Hope that helps.

jilahbg Thu, 02/11/2010 - 09:53

Nope, when running in multiple context mode VPN is not supported.

Br Jimmy

Collin Clark Thu, 02/11/2010 - 11:26

There is no mention of multiple contexts.

jilahbg Thu, 02/11/2010 - 12:09

"Active active" implies multi-context.

Diego Armando C... Thu, 02/11/2010 - 12:21

Yes, jilahbg is right. You cannot have VPN or dynamic routing in an environment with multiple contexts. Failover A/A requires multiple context.

Collin Clark Thu, 02/11/2010 - 12:22

No it doesn't. I'm running an active/active pair w/o contexts.

jilahbg Thu, 02/11/2010 - 12:25

Do you have one or two physical units? What does the output of "show failover" (or is it "show standby") look like?

Diego Armando C... Thu, 02/11/2010 - 12:33
jilahbg Thu, 02/11/2010 - 12:34

+1

navypop42 Thu, 02/11/2010 - 12:45

I have configured two Cisco 5520 ASAs with active/active, and the main device is up and the backup is just in standby.

Thank You

Bill Murray

jilahbg Thu, 02/11/2010 - 12:56

Ok. What you have is an active/passive configuration. Since the second unit is "just in standby" it's not really active.

Since one context can never be active in two units simultaneously, there is no way to "load-share" in that setup. The only way to balance the load between multiple hardware units is to have multiple contexts and spread the active unit for each context over the hardware.

I personally don't like Cisco calling it "active/active". It is what I define as sales b*llsh*t. :-)

Br Jimmy
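The distinction drawn above (a unit that is "just in standby" versus a pair where each unit holds a different context active) is exactly what "show failover" reveals. The following is an added example, not code from this thread or from Cisco: a small Python parser that reads "show failover" output and reports which unit currently holds each failover group Active, then classifies the pair as load-sharing or hot-spare. The two sample outputs are constructed here to approximate the ASA 8.x layout (one for a multiple-context active/active pair with two failover groups, one for a single-context active/standby pair); the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the ASA 8.x "show failover" layout for a
# multiple-context pair with two failover groups (group 1 active on the
# Primary unit, group 2 active on the Secondary unit).
SAMPLE_ACTIVE_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Group 1 last failover at: 13:21:52 UTC Feb 11 2010
Group 2 last failover at: 13:21:56 UTC Feb 11 2010

  This host:    Primary
  Group 1       State:          Active
                Active time:    3012 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    3011 (sec)
"""

# Constructed sample for a single-context active/standby pair: there are no
# failover groups, so the unit state is printed on the "host" line itself.
SAMPLE_ACTIVE_STANDBY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Last Failover at: 07:50:11 UTC Feb 11 2010
        This host: Primary - Active
                Active time: 98765 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

# "This host:    Primary" or "This host: Primary - Active"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)(?:\s*-\s*(.+?))?\s*$")
# "Group 1       State:          Standby Ready"
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")


def parse_failover(text):
    """Return {host: {group: state}} from 'show failover' output.

    In single-context mode there are no failover groups, so the unit's own
    state is recorded under the pseudo-group "unit".
    """
    states = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)            # "Primary" / "Secondary"
            states[current] = OrderedDict()
            if m.group(3):                  # "Primary - Active" form
                states[current]["unit"] = m.group(3)
            continue
        m = GROUP_RE.match(line)
        if m and current is not None:
            states[current][int(m.group(1))] = m.group(2)
    return states


def active_groups(states):
    """Map each host to the set of groups it currently holds Active."""
    return {host: {g for g, s in groups.items() if s == "Active"}
            for host, groups in states.items()}


def classify(states):
    """'load-sharing' if every host is Active for at least one group,
    'hot-spare' if exactly one host holds every Active group,
    'no-active' if nothing is Active (both units standby or failed)."""
    holders = [h for h, groups in active_groups(states).items() if groups]
    if len(holders) >= 2:
        return "load-sharing"
    if len(holders) == 1:
        return "hot-spare"
    return "no-active"


if __name__ == "__main__":
    for name, sample in (("multi-context", SAMPLE_ACTIVE_ACTIVE),
                         ("single-context", SAMPLE_ACTIVE_STANDBY)):
        st = parse_failover(sample)
        print(name, dict(active_groups(st)), classify(st))
```

Run against a real pair, the single-context sample always classifies as hot-spare (only one unit can be Active), which is the setup described a few posts above; only the multi-context sample, where each unit owns one failover group, comes out as load-sharing.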

navypop42 Thu, 02/11/2010 - 13:15

Yes, this is not being built as a load share but as a hot spare.

Thank You

Bill Murray

Diego Armando C... Thu, 02/11/2010 - 13:17

Well guys.

If you have two contexts you can have one context active in one ASA and the other one active in the other ASA. So you will have them both active!

Diego Armando C... Sun, 02/14/2010 - 06:27

Well, I'm not talking about VPN. I'm talking about having one context active in one ASA and the other one in the other ASA.

http://www-uk.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#lanbas

You said that this method is not really active/active. But if we can have a context active in each ASA what would that be?

Poonguzhali Sankar Sun, 02/14/2010 - 06:41

1. VPN is not supported in multiple context. http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747

2. For active/active configuration, multiple context is the minimum requirement. You can have a few contexts active on the primary firewall and a few other contexts active on the secondary firewall. This way you can use both pieces of hardware at the same time and one doesn't have to be sitting there idle waiting for the other one to fail.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_active.html#wp1065051

-KS

jilahbg Sun, 02/14/2010 - 08:14

The scope of this thread is VPN-functionality in active/active. That is not possible.

Your scenario with multiple contexts balanced over dual hardware is what Cisco calls active/active. I've never said the opposite.

Whatever, I think we all agree now on what is possible and not. Otherwise, please have a look at my blog post: http://blogg.kvistofta.nu/cisco-asa-activeactive-failover/

Br Jimmy

Posted February 11, 2010 at 7:50 AM
Replies: 17, Views: 740