New Member

Active/Active with single ISP?

Can you have two ASA 5520s running as Active/Active when you have a single ISP and one security context (duplicated across both boxes)?

Or in this scenario can you only use active/standby?

5 REPLIES
New Member

Re: Active/Active with single ISP?

Hi, yes, you can configure active/active with security context with 1 ISP.

it should work.

regards

sebastan

Cisco Employee

Re: Active/Active with single ISP?

Hi Jason,

Unfortunately Active/Active requires multi-contexts. Additionally, the same context cannot be active on both units. (Ctx A will be active on unit 1, but standby on unit 2; Ctx B will be active on unit 2, but standby on unit 1).

Now, *if* you did configure only one context and also A/A, then it would be equivalent to active/standby (as that single context can only be active on a single box at a time).

Therefore, in the case you describe, I cannot see how A/A would work for you.

Sincerely,

David.

New Member

Re: Active/Active with single ISP?

Thanks David, that sounds logical. I'll go for active/standby.

I haven't seen it mentioned in the manuals so far and you might also know this one :) - if both ASAs have an intrusion prevention module and a failover occurs, does the second box's IPS module take over the functions of the first as well?

Cisco Employee

Re: Active/Active with single ISP?

Yes. In Active/Standby failover, it is the entire chassis that fails over (including whatever SSM module is in the chassis). So the newly active ASA and its SSM module will be the one processing the traffic.

This is why we have the failover requirement that both boxes must have the exact same hardware (SSM module included).

Sincerely,

David.

PS> If this solves your issue, please don't forget to check the box to let us know.

New Member

Re: Active/Active with single ISP?

Thanks :)
