401 Views | 5 Helpful | 4 Replies

Managing Active-Standby ASAs or PIXs in Cisco Security Manager

rcullum (Level 1)

Anybody have any good tips on managing a pair of PIXs or ASAs in Active/Standby or Active/Active mode with contexts with CSM? The documentation tells you how to add contexts etc, but not how CSM handles existing Contexts on import. Does CSM manage all contexts via the admin context or does it need a routable connection to each context?

4 Replies

sbilgi (Level 5)

What is the version of software you are using in the devices?

I am using v7.2(1). One example scenario. In CSM, you can import an ASA with multiple contexts by its admin context management address. However, if this ASA is part of an Active/Active setup, how does CSM manage the Contexts that are in Standby on this ASA?

Hi,

With CSM 3.x you have two ways of managing virtual contexts. You can either go via the admin context or you can go directly via SSL to the IP of the context. The way to decide this is to go to the device properties of a virtual FW and decide whether or not to fill in an IP address for the virtual FW (there is an option for management IP address for that device).

Cisco recommends for virtual FWs that are in failover mode to always connect to the IP address of the virtual FW directly (so not via the admin context). The reason for this is that CSM is not capable of checking (when the connection goes via the admin context) whether that virtual FW is currently the active or the standby one. If the connection goes directly into the virtual FW, in case of a failover the standby context will take over the MAC and IP address and from a CSM perspective nothing is different (we still connect to the same IP address).

To go into more detail: with virtual FWs on Cisco FWSMs and ASAs/PIXs we put every virtual FW in a failover group. When one virtual FW in that specific failover group is failing, every other context in that failover group will also fail over. The admin context is by default in failover group 1. So for every other context in failover group 1 there will never be a problem, since if you go via the admin context CSM will hop from that one to another virtual FW and that one will also be active because the admin context is active. So to be more precise: for every virtual FW in failover group 2, you HAVE TO set up connectivity directly to the IP of the virtual FW.

Hope this helps.

Erik Lenten

Technical Marketing Engineer

Security Management

elenten@cisco.com
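The rule in the answer above (contexts sharing the admin context's failover group can be reached through the admin context, contexts in any other failover group need their own management IP in CSM) can be checked mechanically against the ASA system execution space configuration. The following script is an added example, not code from the original thread or from Cisco; the configuration it parses is a constructed sample with invented context names (`admin`, `finance`, `hr`), and the "default failover group is 1" assumption reflects the post's statement that the admin context is in failover group 1 by default.

```python
import re
from typing import Dict

# Constructed sample of an ASA system execution space configuration in
# multiple-context mode with Active/Active failover. Context names and
# interfaces are invented for illustration; the commands shown
# (failover group, admin-context, context, join-failover-group) are the
# ones the forum answer refers to.
SAMPLE_SYSTEM_CONFIG = """\
failover
failover lan unit primary
failover group 1
  primary
failover group 2
  secondary
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
  join-failover-group 1
context finance
  allocate-interface GigabitEthernet0/1
  config-url disk0:/finance.cfg
  join-failover-group 2
context hr
  allocate-interface GigabitEthernet0/2
  config-url disk0:/hr.cfg
"""

# Assumption (per the post): a context without an explicit
# join-failover-group line sits in failover group 1.
DEFAULT_FAILOVER_GROUP = 1

# Classification labels returned for each context.
ADMIN = "admin-context"          # CSM's entry point itself
VIA_ADMIN_OK = "via-admin-ok"    # same failover group as admin; direct IP still recommended
DIRECT_REQUIRED = "direct-ip-required"  # different failover group; must use its own IP


def parse_failover_groups(config: str) -> Dict[str, int]:
    """Map every 'context <name>' block to its failover group number."""
    groups: Dict[str, int] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^context\s+(\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = DEFAULT_FAILOVER_GROUP
            continue
        m = re.match(r"^join-failover-group\s+(\d+)$", line)
        if m and current is not None:
            groups[current] = int(m.group(1))
    return groups


def admin_context(config: str) -> str:
    """Return the context named by the 'admin-context' command."""
    m = re.search(r"^admin-context\s+(\S+)$", config, re.MULTILINE)
    if not m:
        raise ValueError("no admin-context line in system configuration")
    return m.group(1)


def csm_management_plan(config: str) -> Dict[str, str]:
    """Decide, per context, whether CSM may reach it through the admin
    context or must be given the context's own management IP address."""
    groups = parse_failover_groups(config)
    admin = admin_context(config)
    admin_group = groups[admin]
    plan: Dict[str, str] = {}
    for ctx, grp in groups.items():
        if ctx == admin:
            plan[ctx] = ADMIN
        elif grp == admin_group:
            plan[ctx] = VIA_ADMIN_OK
        else:
            plan[ctx] = DIRECT_REQUIRED
    return plan


if __name__ == "__main__":
    groups = parse_failover_groups(SAMPLE_SYSTEM_CONFIG)
    for ctx, mode in csm_management_plan(SAMPLE_SYSTEM_CONFIG).items():
        print(f"{ctx:<10} failover group {groups[ctx]}  ->  {mode}")
```

Run against a real system configuration, the `DIRECT_REQUIRED` entries are the contexts whose CSM device properties must carry a management IP address; an audit that finds one of them managed via the admin context has found a context CSM cannot tell apart from its standby peer after a group 2 failover.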

Thanks, that was really useful information.
