I'm not sure what you mean.

ksherwood · ‎11-05-2014

Hi,

for HA I want to connect 4 ASA's in active/active failover with each ASA having two contexts.

The reason I need this is to separate two domains. Each domain has the ASA pair in active/active failover.

Is this possible and what would you need to do it ie a switch or two in between ?

I know you need switches or vlans to do the LAN side as the failover context needs to be in the same network. So I'm assuming you would need to do something similar between the 4 ASA's ???

Would you put 2 switches trunked together carrying two vlans, one for each context ?

-| CTX1 |- ? -| CTX1 |-

-| CTX2 |- ? -| CTX2 |-

| | | |

-| CTX1 |- ? -| CTX1 |-

-| CTX2 |- ? -| CTX2 |-

Thanks in advance.

Marvin Rhoads · ‎11-08-2014

Your diagram shows CTX1 and CTX2 on both pairs. Is that what you want?

Why wouldn't you have a single pair of ASAs with four contexts each? That would be closer to the secure multitenant data center reference architecture.

ksherwood · ‎11-08-2014

Hi Marvin,

yes, that would be much easier, but both pairs of ASA's are owned by separate parties who each want to control their firewalls and filtering, hence my comment about two different domains.

One of us (domains) might have to give way as this design is turning out to be quite a challenge.

Any ideas ?

Marvin Rhoads · ‎11-08-2014

Well quite frankly if I were the CIO of these warring parties I'd exercise some adult supervision and tell them to play nicely.

That aside, if you really really need to do this the you would just connect the failover ports between each pair back-to-back.

Put a pair of switches (or a stack) between the two pairs of ASAs for redundancy's sake. Each context has an interface dedicated facing the other domain's ASAs across that switch fabric.

ksherwood · ‎11-09-2014

Do you mind drawing it up for me. I'm cautious that it's no good putting the same contexts onto the same switch as this would negate any failover possibility if that switch went down.

I've attached what I thought might work to cover any redundancies. Would this work ?

Marvin Rhoads · ‎11-09-2014

Your latest attachment is pretty close to what I was thinking.

I would add a second interface on each ASA to the switches.

So (considering the "Inside" interfaces of ASA1 for example) it would have one physical interface allocated to context 1 and connected to a port in VLAN2 and a second physical interface allocated to context 2 and connected to a port in VLAN 3.

An alternative would be to stick with a single physical interface and allocate subinterfaces (on a trunk) to each context.

You could further add redundancy by creating Etherchannels (with either the physical or logical interface approach).

ksherwood · ‎11-09-2014

Isn't that what i have done ?

Marvin Rhoads · ‎11-09-2014

Your drawing only showed an inside interface from the left hand ASAs going to V2 for ASA1 and V3 for ASA2.

I was suggesting both ASA1 and 2 should have connections to both V2 and V3 to account for the failover scenario. Likewise for ASA3 and ASA4.

Ravi · ‎11-10-2014

Hi Marvin,

Would you be able to assist me on this question:

https://supportforums.cisco.com/discussion/12316661/asa-5505-lan-no-internet-tcp-teardown-deny-connection-logs#comment-10062986

I desperately need help to get it sorted. Would really appreciate help

Thank you

ksherwood · ‎11-14-2014

I'm not sure what you mean. The facing ASA's are all on the outside. I'm also thinking the Trunk is not necessary.

Just to clarify, ASA1 would be active for context 1 and standby for context 2.

ASA2 would be active for context 2 and standby for context 1.

That's why the failover interfaces cross to continue the path. Does this sound right ?

ASA active/active failover back to back