{"id":2737,"date":"2026-01-05T22:00:08","date_gmt":"2026-01-05T22:00:08","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2737"},"modified":"2026-01-21T19:27:12","modified_gmt":"2026-01-21T19:27:12","slug":"98-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2737","title":{"rendered":"98 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>Cisco ASA Active\/Active<\/strong><\/mark><\/p>\n\n\n\n<p>To understand <strong>ASA Active\/Active High Availability<\/strong>, we must look at the three pillars that make it function:&nbsp;<strong>Virtualization (Contexts)<\/strong>,&nbsp;<strong>Asymmetric Load Sharing<\/strong>, and the&nbsp;<strong>Failover Group Logic<\/strong>.<\/p>\n\n\n\n<p>This architecture is primarily used in high-throughput data centers where you want to utilize the full throughput of two physical appliances simultaneously.<\/p>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>1. The Concept of Security Contexts<\/strong><\/mark><\/p>\n\n\n\n<p>The &#8220;Active\/Active&#8221; magic is only possible through&nbsp;<strong>Multiple Context Mode<\/strong>. Think of this like a hypervisor (the &#8220;System&#8221; space) running multiple Virtual Machines (the &#8220;Contexts&#8221;).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The System Space:<\/strong>&nbsp;This is the physical management layer. It handles hardware settings, licensing, and the failover links. It does not pass data traffic itself.<\/li>\n\n\n\n<li><strong>The Contexts:<\/strong>&nbsp;Each context is a completely independent firewall. 
They have their own routing tables, ARP tables, and security policies.<\/li>\n\n\n\n<li><strong>The Benefit:<\/strong>&nbsp;Because they are independent, you can tell the hardware to run&nbsp;<strong>Context A on CPU 1 (ASA-1)<\/strong>&nbsp;and&nbsp;<strong>Context B on CPU 2 (ASA-2)<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>2. Failover Groups (The Traffic Director)<\/strong><\/mark><\/p>\n\n\n\n<p>In Active\/Standby, the &#8220;unit&#8221; is the failover entity. In Active\/Active, the&nbsp;<strong>Failover Group<\/strong>&nbsp;is the entity that moves.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Group 1:<\/strong>&nbsp;Typically contains the first set of contexts. You configure it to prefer the&nbsp;<strong>Primary ASA<\/strong>.<\/li>\n\n\n\n<li><strong>Group 2:<\/strong>&nbsp;Contains the second set of contexts. You configure it to prefer the&nbsp;<strong>Secondary ASA<\/strong>.<\/li>\n\n\n\n<li><strong>Dual-Active State:<\/strong>&nbsp;Under normal conditions, ASA-1 is &#8220;Active&#8221; for Group 1 and &#8220;Standby&#8221; for Group 2. ASA-2 is the inverse. This means&nbsp;<strong>both units are processing traffic at the same time.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>3. Asymmetric Routing &amp; The MAC Address Problem<\/strong><\/mark><\/p>\n\n\n\n<p>In an Active\/Active setup, it is possible for a packet to enter ASA-1 (active for Context A) but the return packet to hit ASA-2.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Virtual MACs:<\/strong>&nbsp;Because each context exists on both physical units, the ASA assigns a&nbsp;<strong>Virtual MAC address<\/strong>&nbsp;to each interface. This ensures that when a context fails over from ASA-1 to ASA-2, the MAC address moves with it. 
The surrounding switches don&#8217;t see a hardware change, preventing the need for an ARP clear.<\/li>\n\n\n\n<li><strong>Shared Interfaces:<\/strong>&nbsp;Multiple contexts can share the same physical interface using&nbsp;<strong>VLAN sub-interfaces<\/strong>. The ASA uses the Virtual MAC to determine which context should process an incoming packet.<\/li>\n<\/ul>\n\n\n\n<p><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><strong>4. Performance vs. Resilience<\/strong><\/mark><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Throughput:<\/strong>&nbsp;Theoretically doubles your capacity. If you have two 10Gbps firewalls, an Active\/Active setup gives you 20Gbps of total throughput across your contexts.<\/li>\n\n\n\n<li><strong>Failure Scenario:<\/strong>&nbsp;If ASA-1 fails, ASA-2 takes over Group 1. ASA-2 is now running&nbsp;<strong>all contexts<\/strong>. If your total traffic was 15Gbps, the remaining 10Gbps ASA will now be saturated and start dropping packets.<\/li>\n\n\n\n<li><strong>Strategic Tip:<\/strong>&nbsp;Always design your Active\/Active traffic load so that&nbsp;<strong>one unit can handle the combined total<\/strong>&nbsp;during an emergency.<\/li>\n<\/ul>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">The Requirements&nbsp;<\/mark><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hardware:<\/strong>&nbsp;Two identical ASA appliances (e.g., ASA 5516-X or Firepower running ASA 9.x+).<\/li>\n\n\n\n<li><strong>License:<\/strong>&nbsp;A&nbsp;<strong>Security Plus<\/strong>&nbsp;or&nbsp;<strong>Context License<\/strong>&nbsp;is required to enable Multiple Context Mode.<\/li>\n\n\n\n<li><strong>Mode:<\/strong>&nbsp;The ASA must be switched from&nbsp;<code>single<\/code>&nbsp;to&nbsp;<code>multiple<\/code>&nbsp;mode.&nbsp;<strong>Warning:<\/strong>&nbsp;This will wipe your current configuration and require a 
reboot.<\/li>\n<\/ul>\n\n\n\n<p><strong>Step-by-Step Implementation Guide<\/strong><\/p>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">1: Prepare the Hardware<\/mark><\/strong><\/p>\n\n\n\n<p>Run these commands on&nbsp;<strong>both<\/strong>&nbsp;units to enable virtualization.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>conf t\nmode multiple\n! The ASA will prompt to reboot.<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">2: Configure Failover on the Primary Unit<\/mark><\/strong><\/p>\n\n\n\n<p>Once rebooted, you will be in the&nbsp;<strong>System Execution Space<\/strong>. Configure the failover links here.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>failover lan unit primary\nfailover lan interface LAN Ether5\nfailover link STATE Eth6\nfailover interface ip LAN 10.10.30.1 255.255.255.0 standby 10.10.30.2\nfailover interface ip STATE 10.10.40.1 255.255.255.0 standby 10.10.40.2\n!\nfailover\n!<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3: Define Failover Groups<\/mark><\/strong><\/p>\n\n\n\n<p>This is the \"secret sauce\" of Active\/Active. 
We create two groups to tell the ASAs which contexts should be active where.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>failover group 1\n  primary\n  preempt 30\n  ! Group 1 prefers the Primary ASA\nfailover group 2\n  secondary\n  preempt 30\n  ! Group 2 prefers the Secondary ASA<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">4: Create the Contexts<\/mark><\/strong><\/p>\n\n\n\n<p>Now, define your virtual firewalls and assign them to the groups created above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>context sales\n  config-url disk0:\/sales.cfg\n  join-failover-group 1\n  allocate-interface Ethernet1 inside_sales\n  allocate-interface Ethernet4 outside_sales\n\ncontext engineering\n  config-url disk0:\/engineering.cfg\n  join-failover-group 2\n  allocate-interface Ethernet2 inside_engineering\n  allocate-interface Ethernet5 outside_engineering<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">5: Initialize the Secondary Unit<\/mark><\/strong><\/p>\n\n\n\n<p>On the physical standby unit, you only need to define the failover role and link.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>failover lan unit secondary\nfailover lan interface LAN Ether5\nfailover link STATE Eth6\nfailover interface ip LAN 10.10.30.1 255.255.255.0 standby 10.10.30.2\nfailover interface ip STATE 10.10.40.1 255.255.255.0 standby 10.10.40.2\n!\nfailover\n!<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">6: Configuration within the Contexts<\/mark><\/strong><\/p>\n\n\n\n<p>To configure the actual firewall rules, you must enter the context:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>changeto context sales\ninterface inside_sales\nnameif inside\nip address 192.168.10.1 255.255.255.0 standby 192.168.10.2\nno shutdown\n!\ninterface outside_sales\nnameif outside\nip address 10.10.10.1 255.255.255.0 standby 10.10.10.2\nno shutdown\n!\nchangeto context engineering\n!\ninterface 
inside_engineering\nnameif inside\nip address 192.168.20.1 255.255.255.0 standby 192.168.20.2\nno shutdown\n!\ninterface outside_engineering\nnameif outside\nip address 10.10.20.1 255.255.255.0 standby 10.10.20.2\nno shutdown\n!<\/code><\/pre>\n\n\n\n<p><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Monitoring &amp; Verification<\/mark><\/strong><\/p>\n\n\n\n<p>The most effective way to monitor an Active\/Active failover pair is via the CLI, where you can see how the roles are distributed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>show failover<\/code>: Displays which group is active on which unit. You should see&nbsp;<strong>Group 1: Active<\/strong>&nbsp;and&nbsp;<strong>Group 2: Standby<\/strong>&nbsp;on ASA-1.<\/li>\n\n\n\n<li><code>show context<\/code>: Lists all virtual firewalls and their operational status.<\/li>\n\n\n\n<li><code>failover active group 2<\/code>: Run this on ASA-1 to make Group 2 active on ASA-1, manually moving it off ASA-2 for maintenance.<\/li>\n<\/ul>\n\n\n\n<p>Cisco still does not support&nbsp;<strong>Remote Access VPN (AnyConnect)<\/strong>&nbsp;or&nbsp;<strong>Site-to-Site VPN<\/strong>&nbsp;in Multiple Context Mode. If you need VPN, you must stay in Single Context Active\/Standby.<\/p>\n\n\n\n<p>Happy Labinggggggggggggggggggggggggggggg !<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco ASA Active\/Active To understand ASA Active\/Active High Availability, we must look at the three pillars that make it function:&nbsp;Virtualization (Contexts),&nbsp;Asymmetric Load Sharing, and the&nbsp;Failover Group Logic. This architecture is primarily used in high-throughput data centers where you want to utilize the full throughput of two physical appliances simultaneously. 1. 
The Concept of Security Contexts The &#8220;Active\/Active&#8221; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2737","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2737"}],"version-history":[{"count":3,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2737\/revisions"}],"predecessor-version":[{"id":2785,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2737\/revisions\/2785"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2737"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}