98 Days to CCIE SEC v6.1 Lab

Cisco ASA Active/Active

To understand ASA Active/Active High Availability, we must look at the three pillars that make it function: Virtualization (Contexts), Asymmetric Load Sharing, and the Failover Group Logic.

This architecture is primarily used in high-throughput data centers where you want to utilize the full throughput of two physical appliances simultaneously.

1. The Concept of Security Contexts

The “Active/Active” magic is only possible through Multiple Context Mode. Think of this like a hypervisor (the “System” space) running multiple Virtual Machines (the “Contexts”).

  • The System Space: This is the physical management layer. It handles hardware settings, licensing, and the failover links. It does not pass data traffic itself.
  • The Contexts: Each context is a completely independent firewall. They have their own routing tables, ARP tables, and security policies.
  • The Benefit: Because they are independent, you can tell the hardware to run Context A on CPU 1 (ASA-1) and Context B on CPU 2 (ASA-2).

2. Failover Groups (The Traffic Director)

In Active/Standby, the “unit” is the failover entity. In Active/Active, the Failover Group is the entity that moves.

  • Group 1: Typically contains the first set of contexts. You configure it to prefer the Primary ASA.
  • Group 2: Contains the second set of contexts. You configure it to prefer the Secondary ASA.
  • Dual-Active State: Under normal conditions, ASA-1 is “Active” for Group 1 and “Standby” for Group 2. ASA-2 is the inverse. This means both units are processing traffic at the same time.

3. Asymmetric Routing & The MAC Address Problem

In an Active/Active setup, it is possible for a packet to enter ASA-1 (active for Context A) but the return packet to hit ASA-2.

  • Virtual MACs: Because each context exists on both physical units, the ASA assigns a Virtual MAC address to each interface. This ensures that when a context fails over from ASA-1 to ASA-2, the MAC address moves with it. The surrounding switches don’t see a hardware change, preventing the need for an ARP clear.
  • Shared Interfaces: Multiple contexts can share the same physical interface using VLAN sub-interfaces. The ASA uses the Virtual MAC to determine which context should process an incoming packet.

4. Performance vs. Resilience

  • Throughput: Theoretically doubles your capacity. If you have two 10Gbps firewalls, an Active/Active setup gives you 20Gbps of total throughput across your contexts.
  • Failure Scenario: If ASA-1 fails, ASA-2 takes over Group 1. ASA-2 is now running all contexts. If your total traffic was 15Gbps, the remaining 10Gbps ASA will now be saturated and start dropping packets.
  • Strategic Tip: Always design your Active/Active traffic load so that one unit can handle the combined total during an emergency.

The Requirements 

  • Hardware: Two identical ASA appliances (e.g., ASA 5516-X or Firepower running ASA 9.x+).
  • License: A Security Plus or Context License is required to enable Multiple Context Mode.
  • Mode: The ASA must be switched from single to multiple mode. Warning: This will wipe your current configuration and require a reboot.

Step-by-Step Implementation Guide

1: Prepare the Hardware

Run these commands on both units to enable virtualization.

conf t
mode multiple
! The ASA will prompt to reboot.

2: Configure Failover on the Primary Unit

Once rebooted, you will be in the System Execution Space. Configure the failover links here.

failover lan unit primary
failover lan interface LAN Ether5
failover link STATE Eth6
failover interface ip LAN 10.10.30.1 255.255.255.0 standby 10.10.30.2
failover interface ip STATE 10.10.40.1 255.255.255.0 standby 10.10.40.2
!
failover
!

3: Define Failover Groups

This is the "secret sauce" of Active/Active. We create two groups to tell the ASAs which contexts should be active where.

failover group 1
  primary
  preempt 30
  ! Group 1 prefers the Primary ASA; 30 is the preempt delay in seconds
failover group 2
  secondary
  preempt 30
  ! Group 2 prefers the Secondary ASA

4: Create the Contexts

Now, define your virtual firewalls and assign them to the groups created above.

context sales
  config-url disk0:/sales.cfg
  join-failover-group 1
  allocate-interface Ethernet1 inside_sales
  allocate-interface Ethernet4 outside_sales

context engineering
  config-url disk0:/engineering.cfg
  join-failover-group 2
  allocate-interface Ethernet2 inside_engineering
  allocate-interface Ethernet5 outside_engineering

5: Initialize the Secondary Unit

On the physical secondary unit, you only need to define the failover role and links. The link and IP commands are identical to the primary; only the unit role changes.

failover lan unit secondary
failover lan interface LAN Ether5
failover link STATE Eth6
failover interface ip LAN 10.10.30.1 255.255.255.0 standby 10.10.30.2
failover interface ip STATE 10.10.40.1 255.255.255.0 standby 10.10.40.2
!
failover
!

6: Configuration within the Contexts

To configure the actual firewall rules, you must enter the context (context names are case sensitive, so use the names exactly as defined above):

changeto context sales
interface inside_sales
nameif inside
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
no shutdown
!
interface outside_sales
nameif outside
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
no shutdown
!
changeto context engineering
!
interface inside_engineering
nameif inside
ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
no shutdown
!
interface outside_engineering
nameif outside
ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
no shutdown
!

Monitoring & Verification

The most effective way to monitor an Active/Active failover pair is via the CLI, from the System Execution Space, to see the distribution of roles:

  • show failover: Displays which group is active on which unit. You should see Group 1: Active and Group 2: Standby on ASA-1.
  • show context: Lists all virtual firewalls and their operational status.
  • failover active group 2: Run this on ASA-1 to make Group 2 active on ASA-1 (pulling it off ASA-2), for example before maintenance on ASA-2. Remember that the unit now carrying both groups must be able to handle the combined load.
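As an added example (not part of the original post or any Cisco tool), here is a small Python check that parses `show failover` output from the System space and flags two conditions: a group that is not Active on its preferred unit, and a single unit carrying every group Active, which is the saturation scenario from section 4. The sample output is constructed to approximate the real command layout, so adjust the regular expressions if your ASA version prints the group states differently.

```python
import re

# Constructed sample of "show failover" as seen on ASA-1 (the Primary) in a
# healthy Active/Active pair; it approximates the real layout and is not
# copied from a live device.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: LAN Ethernet5 (up)
  This host:    Primary
  Group 1       State:          Active
                Active time:    3600 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    3600 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")

def parse_failover_groups(output):
    """Return {unit_role: {group_number: state}} from show failover text."""
    groups, current = {}, None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(2)          # "Primary" or "Secondary"
            groups[current] = {}
            continue
        grp = GROUP_RE.match(line)
        if grp and current is not None:
            groups[current][int(grp.group(1))] = grp.group(2)
    return groups

def check_distribution(groups, expected=None):
    """List findings: a group not Active on its preferred unit, or one unit
    holding every group Active (running the pair at half capacity)."""
    expected = expected or {1: "Primary", 2: "Secondary"}   # matches steps 3-4
    findings = []
    for num, unit in expected.items():
        state = groups.get(unit, {}).get(num, "missing")
        if state != "Active":
            findings.append(f"group {num} is '{state}' on {unit}, expected Active")
    for unit, states in groups.items():
        if states and all(s == "Active" for s in states.values()):
            findings.append(f"{unit} is Active for all groups: reduced capacity")
    return findings
```

Feed it the output of `show failover` captured from the System space; an empty findings list means the groups sit where steps 3 and 4 intended.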

Cisco still does not support Remote Access VPN (AnyConnect) or Site-to-Site VPN in Multiple Context Mode. If you need VPN, you must stay in Single Context Active/Standby.

Happy Labinggggggggggggggggggggggggggggg !