
Individual Admin Contexts on Active/Active pair...

mprescher
Level 1

Quick question:

Customer is building a management network within the overall data network.

Customer has a pair of ASAs doing Active/Active multi-context with IPS modules. These ASAs are located in two different data centers served by two different service providers.

Customer wants to establish a third new device management Admin context to exist in their L3 device mgmt VRF, but exist alongside the existing production data contexts.

Question: in this above configuration, is there any requirement for Admin contexts to be configured in a failover arrangement on the pair of ASAs doing Active/Active for the other contexts, such that they require the same L2 connectivity between the firewalls for a given context?

Or, can the Admin context(s) on each firewall exist independently using unique IP addresses...

(This approach would require no additional L2 span between the data centers where each physical ASA is located, and would allow each firewall to be individually accessed through its own unique IP address, i.e. the FWs, from an admin perspective, would exist on two different VLANs)?

2 Replies

"The admin context is always assigned to failover group 1"

So, you cannot have admin contexts exist independently (one will be active and the other standby).

HTH

Vikram

Thanks - that is how I interpreted this line as well. Any admin context (and you only get one per firewall) would appear in the same failover group, so 1) they would be failover partners of one another and 2) the ASA would view any L3 addressing for the context as being required to be within the same VLAN.
