08-30-2010 10:48 PM - edited 03-11-2019 11:32 AM
Hello Dears,
Question-1: Can we have 2 ASAs Active/Active in single mode?
Answer:
What I know about context is:
Question-2: If we have 2 ASAs with Context-A and Context-B, then ASA-1 will be active for Context-A and standby for Context-B. For ASA-2, Context-B will be active and ASA-1 will be standby. Please correct me if I am wrong.
Answer:
Thanks,
08-30-2010 10:51 PM
Question-1: No, ASA needs to be in multiple context mode to support more than one context.
Question-2: Yes, you can configure both context A and B to be active on ASA-1, or alternatively you can configure context A to be active on ASA-1 and context B to be active on ASA-2.
Hope that answers your questions.
08-30-2010 10:51 PM
Hello,
You can certainly have multiple contexts being active on a single firewall.
The failover pair is just for redundancy.
Here is a useful link on configuring multiple context firewall.
http://cisco.biz/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Hope this helps.
Regards,
NT
08-30-2010 11:08 PM
Hello Dears,
For a single customer, do we need to create multiple contexts? I am sure we don't need to, but if I want to, can I communicate between contexts? Suppose I am creating contexts for a single customer; does that mean I am separating the subnets/VLANs of the customer? Please correct me if I am wrong.
Thanks.
08-31-2010 01:53 AM
Definitely need to be in multi context mode before you can configure any context within an ASA.
It requires a reboot when you change the ASA from single to multi context mode, and to run Active-Active failover, the ASA needs to be in multi context mode.
08-31-2010 04:48 AM
Hello Halijenn,
I am planning to configure an ASA for 1 customer, and he is insisting on configuring it in multiple context mode so that he can achieve Active/Active sessions from the firewall. With an ASA dedicated to 1 customer, do we really need to create multiple contexts within that customer?
USER GUIDE SAYS:
Multiple security contexts in the following situations: Please answer the question below.
• You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.
OK,
• You are a large enterprise or a college campus and want to keep departments completely separate.
Answer: When departments don't want to speak to each other. Please correct me if I am wrong. If the departments want to communicate, then we would have created?
• You are an enterprise that wants to provide distinct security policies to different departments.
Answer: ?
• You have any network that requires more than one security appliance
Answer: What can this situation be?
Thanks
08-31-2010 05:53 AM
The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.
Supported: Active/Active means that the customer can direct their traffic into 2, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).
Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.
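The supported layout described in the post above, as an added configuration example that is not from any participant in the thread. The context names and subnets follow the thread; interface names, VLAN IDs, the failover link addressing and the file names are assumptions.

```cisco
! Added example. System execution space of the primary unit, after
! "mode multiple" and the reboot it requires.
! Assumed: interface names, VLAN IDs, failover-link addresses, file names.
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1.10
 vlan 110
interface GigabitEthernet0/1.20
 vlan 120
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Group 1 prefers the primary unit (ASA-1), group 2 the secondary (ASA-2).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
 join-failover-group 1
!
! context-1 is active on ASA-1; it serves 10.1.1.0/24.
context context-1
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/context-1.cfg
 join-failover-group 1
!
! context-2 is active on ASA-2; it serves 10.1.2.0/24.
context context-2
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/context-2.cfg
 join-failover-group 2
!
failover
```

Hosts in 10.1.1.0/24 use context-1's inside address as their gateway and hosts in 10.1.2.0/24 use context-2's, which is the manual traffic split the thread describes. If one unit fails, both failover groups become active on the surviving unit.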
08-31-2010 03:16 PM
halijenn wrote:
The answer is no, and please educate the customer that Active/Active does not mean traffic is load balanced between 2 ASAs automatically.
Supported: Active/Active means that the customer can direct their traffic into 2, for example: subnet 10.1.1.0/24 to be routed through ASA-1 (which hosts context-1), and subnet 10.1.2.0/24 to be routed through ASA-2 (which hosts context-2).
Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.
Thanks for your precious help.
Please find the attached.
We have to manually load balance the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram. Correct me if I am wrong.
I can't perfectly understand the lines below; can you explore them more?
Not Supported: What Active/Active can't do is route both 10.1.1.0/24 and 10.1.2.0/24 through something like a VRRP address and have the ASA dynamically load balance the traffic between the 2 firewalls.
ANSWER:
08-31-2010 05:04 PM
Estela,
Thanks for the .png attachment. What halijenn said is not supported is this:
Context 1 can only process traffic from and to 10.1.1.0/24
Context 2 can only process traffic from and to 10.1.2.0/24
or they can switch roles and
Context 1 can process traffic from and to 10.1.2.0/24
Context 2 can process traffic from and to 10.1.1.0/24
At no time can both contexts process traffic for both 10.1.1.0/24 and 10.1.2.0/24.
Act/act failover can only load balance on a PER CONTEXT basis and not load balance over all traffic. Is this clear? If not, please post your question.
-KS
08-31-2010 09:43 PM
Hello Halijenn/Kusankar,
Thanks for exploring Answer 2, NOT SUPPORTED; it is very much clear to me now.
For Answer 1, SUPPORTED: is the below statement correct?
We have to manually direct the traffic to ASA-1 or ASA-2 if we are creating contexts as per the attached diagram in my previous mail. Correct me if I am wrong.
08-31-2010 09:46 PM
Yes, you are absolutely correct.