As you already know, Cisco ASA supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure "somewhat" load balancing on your network. Active/Active Failover is only available on units that runs in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
Note: Dynamic routing and VPN failover, are amoung the few features, that is not supported on units that runs in multiple context mode.
Conclusion: If you don't need to enable Dynamic routing and VPN in your FW, go for ACTIVE/ACTIVE. This is Cisco's best practise.
P/S: If you think this comment is useful, please do rate them nicely :-)
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
If you want to load balance your traffic to some extent then you can go for the Active-Active scenario where your ASA should be in multicontext mode. Lets say one context will have ASA1 as the primary and ASA2 as the secondary. The other context will have ASA2 as the primary and ASA1 as the secondary. So both the devices will take the traffic for different contexts and acts as a failover for the respective contexts.
Active/Standby will have always one device as the primary and another as the secondary. If primary(Active firewall) fails then the secondary becomes active.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :