Cisco Support Community
New Member

ASA CX / PRSM Active/Active Failover?

Hi everyone.

 

I've spent my last 2 days trying to find something on this matter, but I can't find anything conclusive about it.

I'm trying to find out whether 2 ASAs+CX in an Active/Active configuration is supported and how to do it.

 

On one side, the PRSM configuration guide for 9.2 says "Active-Standby is the only supported high availability configuration", but I don't understand whether that applies just to adding devices to PRSM or whether an Active/Active configuration is not supported by the CX module.

On the other hand, this forum discussion says that they are using Active/Active with CX.

 

So, I need to know if it will work. I know that if I use Active/Active I should use contexts, some of which are active on one ASA and others active on the other one. I would assume that the CX module configuration should be the same for both ASAs so as to support all the network policies, but I want to know if this will work (I don't want to tell the customer that it'll work and then be stuck with an unsupported and non-working configuration).

 

Any advice on this? Guides maybe?

 

Thanks in advance.

1 REPLY
Hall of Fame Super Silver

Yes, it can be done. Off-box PRSM manages an ASA context like a "separate" ASA. That's when it's managing the ASA configuration itself - distinct from managing the CX module features.

Note however that there is an unresolved bug with CX modules and HA ASA pairs: https://tools.cisco.com/bugsearch/bug/CSCud54665

The other thing to remember - as you had alluded to - is that the CX configuration is a common one despite there being multiple contexts (with potentially differing security policies with respect to the web filtering and IPS functions they want from the CX) on the box.
