New Member

ASA multiple context pre routing

Hello,

I am trying to understand all of my options for routing to two different ASAs in active/active mode, which requires multiple context mode.

I have an existing 4500E switch behind a single ASA 5520 right now, and the default gateway that the 4500E advertises to my internal networks is the IP address of the 5520. I would like to replace the existing 5520 with two 5525-X ASAs and have them set up in active/active mode.

Currently I have 12 locations terminated with fiber to the 4500E, and from there its default gateway is the existing single ASA that I have. From what I understand, with the new design I have to put the ASAs into multiple context mode in order to do active/active failover and load balance between the two ASAs.

What I don't want to have to do is put a policy route on each incoming fiber port and policy-route traffic based on source IP. I think this would be a huge waste of resources and complicate the setup on the 4500E. Is there any other way to accomplish this besides policy routing or a separate switch between the ASAs and the 4500E?

Thanks,
Dan.

5 REPLIES
Hall of Fame Super Silver

While you CAN do what you're describing with an Active-Active multiple context pair, that's not really what those features are designed for.

You would have to, as you surmised, handle the routing downstream using something like PBR (or possibly VRFs). I'd stay away from that solution, as it would introduce a fair amount of complexity in your core with little to no added value (in my opinion).

A 5525-X already will have 1.5-2x the performance of your old 5520. The second unit will give you high availability in an HA pair.

If you're feeling adventurous, you can now (as of 9.1(4)) run a 2-member cluster with the 5500-X series below the 5585. That will give you the increased performance (~50% boost in connections/sec, 70% boost in total throughput vs. a single unit) while sticking with a single context. It does have the downside, though, that in the event of a single member failure you are throttled back to the throughput of a single unit.
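The downstream split that the reply above describes, written out as an added example that is not part of this thread and not taken from Cisco documentation: a source-based route-map on the 4500E that hands half of the sites to each of two ASA contexts, and the system-space configuration that makes those two contexts an Active/Active failover pair. Every address, VLAN, interface name, context name and file name below is a placeholder I chose for illustration. The deny entries in the ACLs keep site-to-site traffic on ordinary routing, so only Internet-bound flows are policy-routed.

```cisco
! ==== Catalyst 4500E: source-based PBR toward two ASA contexts ====
! Placeholders: sites 1-6 use 10.1.0.0/16, sites 7-12 use 10.2.0.0/16,
! ctxA inside = 10.0.10.2 (VLAN 10), ctxB inside = 10.0.20.2 (VLAN 20).
interface Vlan10
 description inside of ASA context ctxA
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 description inside of ASA context ctxB
 ip address 10.0.20.1 255.255.255.0
!
! Normal default route: whatever PBR does not match still exits via ctxA
ip route 0.0.0.0 0.0.0.0 10.0.10.2
!
! A deny in a PBR ACL means "not matched by this clause", so site-to-site
! traffic (10/8 to 10/8) falls through to ordinary routing.
ip access-list extended PBR-SITES-A
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended PBR-SITES-B
 deny   ip 10.2.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.2.0.0 0.0.255.255 any
!
route-map SPLIT-ASA permit 10
 match ip address PBR-SITES-A
 set ip next-hop 10.0.10.2
route-map SPLIT-ASA permit 20
 match ip address PBR-SITES-B
 set ip next-hop 10.0.20.2
!
! PBR is an ingress feature, which is the objection in the question:
! the policy has to be applied on every one of the 12 site-facing ports.
interface GigabitEthernet1/1
 description fiber to site 01
 ip address 10.1.1.1 255.255.255.252
 ip policy route-map SPLIT-ASA
interface GigabitEthernet1/2
 description fiber to site 07
 ip address 10.2.1.1 255.255.255.252
 ip policy route-map SPLIT-ASA

! ==== ASA 5525-X pair, system execution space ====
! Identical on both units except "failover lan unit", which is
! "secondary" on the other box. Assumes "mode multiple" is already set.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.100
 vlan 100
interface GigabitEthernet0/1.200
 vlan 200
!
! Group 1 is normally active on the primary, group 2 on the secondary;
! preempt moves a group back to its home unit once that unit recovers.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1.100 outside
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1.200 outside
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
failover
```

Inside each context the inside interface gets an active and a standby address (for ctxA, `ip address 10.0.10.2 255.255.255.0 standby 10.0.10.3`), so when failover group 1 moves to the other unit the active address moves with it and the 4500E's next-hop stays valid. Two caveats a practitioner should check before running this. First, each context keeps its own connection table, so the return half of a flow must come back through the context that built the state; with per-context NAT to that context's own outside address this holds by construction, and if the upstream can deliver returns to either context the paired interfaces need `asr-group`. Second, `set ip next-hop` overrides the routing table, so if a whole failover group is down the 4500E keeps forwarding into a dead next-hop rather than falling back to the static default; where the platform supports it, `set ip next-hop verify-availability` with object tracking is the fix.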

New Member

What else would you use active/active for? I'm looking at it from the standpoint of being able to scale one ASA 5525 into two ASA 5525s for double the throughput instead of having to buy a 5545.

Hmmm, so I would have to set up a switch cluster between the 4500E and the ASAs... that would add too much cost...

Clustering is of no use, as AVC / WSE / VPN is not available on the secondary ASA then. So there would be no point. Active/active mode at least allows for use of all of the features.

Hall of Fame Super Silver (accepted solution)

I see multiple context most often used where I have distinct security policies, often in multi-tenant (or distinct business unit) use of a given firewall. In such a case, Active-Active allows us to spread the load across the units while having redundancy.

Most installations I have seen (actually all - and I've worked with hundreds of ASAs in dozens of enterprises) use bigger firewalls to get more throughput. A few use VPN clustering or round robin DNS for remote access VPN gateways on the ASA platform. The few Active-Active setups I've come across have all had one of the use cases I mentioned just now.

You're right that clustering does have a number of features that don't work in distributed mode.

New Member

Ah, so what you are saying is that I should just buy a single ASA that is large enough for the next three years and then just replace rather than scale.

Hall of Fame Super Silver

Well, I'm on the post-sales side, but the pre-sales guys would most likely advise you that way; that is consistent with the Cisco reference approaches. It is how I've almost always seen it in the production settings I've worked on.

Your decision should take what anyone says as one input in a decision making process that is informed by your requirements and projections in the context of your business environment.
