98 Days to CCIE SEC v6.1 Lab

Cisco ASA Active/Active

To understand ASA Active/Active High Availability, we must look at the three pillars that make it function: Virtualization (Contexts), Asymmetric Load Sharing, and the Failover Group Logic.

This architecture is primarily used in high-throughput data centers where you want to utilize the full throughput of two physical appliances simultaneously.

1. The Concept of Security Contexts

The “Active/Active” magic is only possible through Multiple Context Mode. Think of this like a hypervisor (the “System” space) running multiple Virtual Machines (the “Contexts”).

  • The System Space: This is the physical management layer. It handles hardware settings, licensing, and the failover links. It does not pass data traffic itself.
  • The Contexts: Each context is a completely independent firewall. They have their own routing tables, ARP tables, and security policies.
  • The Benefit: Because they are independent, you can tell the hardware to run Context A on CPU 1 (ASA-1) and Context B on CPU 2 (ASA-2).

2. Failover Groups (The Traffic Director)

In Active/Standby, the “unit” is the failover entity. In Active/Active, the Failover Group is the entity that moves.

  • Group 1: Typically contains the first set of contexts. You configure it to prefer the Primary ASA.
  • Group 2: Contains the second set of contexts. You configure it to prefer the Secondary ASA.
  • Dual-Active State: Under normal conditions, ASA-1 is “Active” for Group 1 and “Standby” for Group 2. ASA-2 is the inverse. This means both units are processing traffic at the same time.

3. Asymmetric Routing & The MAC Address Problem

In an Active/Active setup, it is possible for a packet to enter ASA-1 (active for Context A) but the return packet to hit ASA-2.

  • Virtual MACs: Because each context exists on both physical units, the ASA assigns a Virtual MAC address to each interface. This ensures that when a context fails over from ASA-1 to ASA-2, the MAC address moves with it. The surrounding switches don’t see a hardware change, preventing the need for an ARP clear.
  • Shared Interfaces: Multiple contexts can share the same physical interface using VLAN sub-interfaces. The ASA uses the Virtual MAC to determine which context should process an incoming packet.

4. Performance vs. Resilience

  • Throughput: Theoretically doubles your capacity. If you have two 10Gbps firewalls, an Active/Active setup gives you 20Gbps of total throughput across your contexts.
  • Failure Scenario: If ASA-1 fails, ASA-2 takes over Group 1. ASA-2 is now running all contexts. If your total traffic was 15Gbps, the remaining 10Gbps ASA will now be saturated and start dropping packets.
  • Strategic Tip: Always design your Active/Active traffic load so that one unit can handle the combined total during an emergency.

The Requirements 

  • Hardware: Two identical ASA appliances (e.g., ASA 5516-X or Firepower running ASA 9.x+).
  • License: A Security Plus or Context License is required to enable Multiple Context Mode.
  • Mode: The ASA must be switched from single to multiple mode. Warning: This will wipe your current configuration and require a reboot.

Step-by-Step Implementation Guide

1: Prepare the Hardware

Run these commands on both units to enable virtualization.

conf t
mode multiple
! The ASA will prompt to reboot.

2: Configure Failover on the Primary Unit

Once rebooted, you will be in the System Execution Space. Configure the failover links here.

failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/2
failover interface ip FAIL-OVER 192.168.100.1 255.255.255.252 standby 192.168.100.2
failover link FAIL-OVER GigabitEthernet0/2
failover

3: Define Failover Groups

This is the "secret sauce" of Active/Active. We create two groups to tell the ASAs which contexts should be active where.

! Group 1 prefers the Primary ASA
failover group 1
  primary
  preempt 30
! Group 2 prefers the Secondary ASA
failover group 2
  secondary
  preempt 30

4: Create the Contexts

Now, define your virtual firewalls and assign them to the groups created above.

context Sales
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/Sales.cfg
  join-failover-group 1

context Engineering
  allocate-interface GigabitEthernet0/3
  allocate-interface GigabitEthernet0/4
  config-url disk0:/Eng.cfg
  join-failover-group 2

5: Initialize the Secondary Unit

On the physical standby unit, you only need to define the failover role and link.

failover lan unit secondary
failover lan interface FAIL-OVER GigabitEthernet0/2
failover interface ip FAIL-OVER 192.168.100.1 255.255.255.252 standby 192.168.100.2
failover

6: Configuration within the Contexts

To configure the actual firewall rules, you must enter the context:

changeto context Sales
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.200.1 255.255.255.0 standby 192.168.200.2
interface GigabitEthernet0/1
 nameif inside
 ip address 172.16.100.1 255.255.255.0 standby 172.16.100.2

Monitoring & Verification

The most effective way to monitor an Active/Active pair is from the CLI, where you can see how the group roles are distributed between the two units:

  • show failover: Displays which group is active on which unit. You should see Group 1: Active and Group 2: Standby on ASA-1.
  • show context: Lists all virtual firewalls and their operational status.
  • failover active group 2: Use this on ASA-1 to manually force a group to move for maintenance.
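As an added example (not part of the original post), the following script parses the per-host "Group N State:" lines of show failover output and flags the condition described in section 4, where one unit has become Active for every group and is carrying the combined load. The sample output is constructed to match that layout and is not a real capture.

```python
import re
from typing import Dict, Optional

# Constructed sample of "show failover" output from a healthy Active/Active
# pair: each failover group is Active on one host and Standby Ready on the other.
SHOW_FAILOVER_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAIL-OVER GigabitEthernet0/2 (up)
Group 1 last failover at: 10:02:11 UTC Mar 3 2024

  This host:    Primary
  Group 1       State:          Active
                Active time:    86400 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    86400 (sec)
"""

HOST_RE = re.compile(r"^\s+(?:This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s+Group (\d)\s+State:\s+(.+?)\s*$")


def parse_group_states(output: str) -> Dict[str, Dict[int, str]]:
    """Return {unit_role: {group_number: state}} from show failover text."""
    states: Dict[str, Dict[int, str]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:                       # "Primary" or "Secondary" section starts
            current = host.group(1)
            states[current] = {}
            continue
        group = GROUP_RE.match(line)
        if group and current is not None:
            states[current][int(group.group(1))] = group.group(2)
    return states


def active_groups_per_unit(states: Dict[str, Dict[int, str]]) -> Dict[str, list]:
    """Which failover groups each unit is currently Active for."""
    return {unit: sorted(g for g, s in groups.items() if s == "Active")
            for unit, groups in states.items()}


def is_dual_active(states: Dict[str, Dict[int, str]]) -> bool:
    """True when both units are Active for exactly one group (normal split)."""
    counts = [len(g) for g in active_groups_per_unit(states).values()]
    return len(counts) == 2 and all(n == 1 for n in counts)


def consolidated_unit(states: Dict[str, Dict[int, str]]) -> Optional[str]:
    """Name of the unit carrying every group after a failover, else None."""
    all_groups = {g for groups in states.values() for g in groups}
    for unit, active in active_groups_per_unit(states).items():
        if all_groups and set(active) == all_groups:
            return unit
    return None
```

Feeding the script the output after ASA-2 has failed returns "Primary" from consolidated_unit, the point at which the capacity planning advice in section 4 matters.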

Cisco still does not support Remote Access VPN (AnyConnect) or Site-to-Site VPN in Multiple Context Mode. If you need VPN, you must stay in Single Context Active/Standby.

Happy Labinggggggggggggggggggggggggggggg !