
Active/Active with single ISP?

jason.scott
Level 1

Can you have two ASA 5520s running as Active/Active when you have a single ISP and one security context (duplicated across both boxes)?

Or in this scenario can you only use active/standby?


sebastan_bach
Level 4

Hi, yes, you can configure active/active with security context with 1 ISP.

It should work.

Regards,

sebastan

Hi Jason,

Unfortunately Active/Active requires multi-contexts. Additionally, the same context cannot be active on both units. (Ctx A will be active on unit 1, but standby on unit 2; Ctx B will be active on unit 2, but standby on unit 1).

Now, *if* you did configure only one context and also A/A, then it would be equivalent to active/standby (as that single context can only be active on a single box at a time).

Therefore, in the case you describe, I cannot see how A/A would work for you.

Sincerely,

David.

Thanks David, that sounds logical. I'll go for active/standby.

I haven't seen it mentioned in the manuals so far and you might also know this one :) - if both ASAs have an intrusion prevention module and a failover occurs, does the second box's IPS module take over the functions of the first as well?

Yes. In Active/Standby failover, it is the entire chassis that fails over (including whatever SSM module is in the chassis). So the newly active ASA and its SSM module will be the one processing the traffic.

This is why we have the failover requirement that both boxes must have the exact same hardware (SSM module included).

Sincerely,

David.

PS> If this solves your issue, please don't forget to check the box to let us know.

Thanks :)
