How to configure Active/Active Cisco ASAs

We are looking to add a level of redundancy to our front end internet connection / VPN concentrator.

Our current front end firewall is an ASA 5510. Trouble is, of course, that when we take it down for maintenance or any outage occurs, we go hard down for an extended period. We have a second ASA 5510 here in the lab basically sitting idle.

What I would like to do is stack the pair and run them as active / active firewalls. (I've never been fond of active/passive and having equipment sitting there doing nothing.)

My thought was to install both and load balance VPN tunnels across them.

i.e. tunnel A goes to ASA A, tunnel B goes to ASA B, and then program them to fail over to each other.
Likewise use ASA A to host our website and use ASA B to manage the in house internet traffic and again fail over to each other.

We already have OSPF in place to handle the routing updates.

Has anyone done anything similar in house?

Any best practices? warnings? better ideas?
John Meggers, Network Architect, commented:
Basically, what you're describing is how active/active works on the ASA.  You run two contexts on each ASA and one ASA is active for one context, but passive for the other.  I don't know of any way to spoof that architecture.

As for your VPN question, the ASA won't let you terminate VPNs in multi-context mode, so you could try two separate VPN tunnels, one to each ASA.  But I suspect that would only help you if you can figure out a way to use both ASAs on the same set of LANs and not run into state problems.

Bottom line, I don't see a way of accomplishing what you're suggesting.
John Meggers, Network Architect, commented:
Active / active requires multi-context mode, which cannot terminate VPNs.  You would have to pass encrypted traffic through and terminate the VPNs on another device on the inside.

I know this isn't really an opinion forum but regarding your comment about active / standby, I've always been fine with that. I understand the argument that, as you put it, you have equipment sitting there doing nothing, but active / standby is a much easier configuration, and every customer I've ever talked to has always said that in a failure scenario, they still wanted the same level of service as before the failure.  Which, to me, means you have to size the firewalls so if only a single one is available it can still handle the full throughput load.  The only benefit I see with active / active is increased throughput, but only if you're also willing to accept somewhat reduced service in a failure situation.  My personal opinion is active / active was a checkbox Cisco needed to be able to figure out a way to do because Juniper was already able to and without that capability they were losing deals.  My $.02....
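The two-context arrangement John describes, written out as an added example (this is constructed for the thread, not configuration posted by anyone in it; the interface numbers, VLAN IDs, addresses and context names are hypothetical). It assumes two ASA 5510s with the Security Plus license, which that platform needs for failover and for multiple-context mode, and the 8.x software of the period. Each context carries one of the two roles from the question (user default gateway, web hosting), failover group 1 prefers the primary unit and group 2 prefers the secondary, so under normal conditions each box is active for one context and standby for the other.

```cisco
! ===== System execution space on the PRIMARY unit =====
! "mode multiple" reboots the unit and converts it to multiple-context mode;
! interfaces are defined here and handed to contexts with allocate-interface.
mode multiple
!
interface Ethernet0/0
 description outside trunk (hypothetical)
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1
 description inside trunk (hypothetical)
 no shutdown
interface Ethernet0/1.110
 vlan 110
interface Ethernet0/1.120
 vlan 120
interface Ethernet0/3
 description failover + state link, back-to-back to the other 5510
 no shutdown
!
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Each group is "owned" by one unit. preempt makes the group move back to its
! owner after that unit returns, so the load splits again instead of staying
! piled on the surviving box.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context FW-USERS
 description default gateway for in-house users (role A from the question)
 allocate-interface Ethernet0/0.10
 allocate-interface Ethernet0/1.110
 config-url disk0:/fw-users.cfg
 join-failover-group 1
!
context FW-WEB
 description public web front end (role B from the question)
 allocate-interface Ethernet0/0.20
 allocate-interface Ethernet0/1.120
 config-url disk0:/fw-web.cfg
 join-failover-group 2
!
failover
!
! ===== Inside context FW-USERS ("changeto context FW-USERS") =====
! The active address follows the failover group; the standby address is what
! the unit that is currently standby for this group answers on.
interface Ethernet0/0.10
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface Ethernet0/1.110
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
monitor-interface outside
monitor-interface inside
! FW-WEB is the same shape on Ethernet0/0.20 / Ethernet0/1.120 with its own
! addresses.
!
! ===== SECONDARY unit, system space: only the bootstrap is typed by hand =====
!  mode multiple
!  failover lan unit secondary
!  failover lan interface folink Ethernet0/3
!  failover link folink Ethernet0/3
!  failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!  failover
! The rest replicates from the primary once the failover link comes up.
!
! Checks: "show failover" and "show failover group 2" in the system space
! should show group 1 active on the primary and group 2 active on the
! secondary; "failover active group 1" (and "no failover active group 1")
! moves a single group by hand for a drill.
```

Two points worth noting about the design questions in the thread. First, because each context's addresses move with its failover group, inside hosts keep pointing at 10.10.0.1 after a box fails; nothing on the ASAs needs OSPF to make that happen, which matters because ASA releases before 9.0 support only static routing inside a context (9.0 added OSPFv2/EIGRP in contexts). Second, the thread's point that a context cannot terminate VPN holds for the 8.x releases the 5510 ran then; ASA 9.0 added site-to-site VPN in multiple-context mode, so check the release notes for the version actually installed before ruling that design out. Either way, John's sizing remark stands: after a failure one 5510 carries both contexts, so each unit must handle the combined load.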
PerimeterIT (Author) commented:
I've always been of the opinion that the two words network admins don't want to hear in the same sentence are "Load Balance", because it never works quite right...

In our company's case our C levels are pushing us to build DR into our infrastructure. But of course $ is always a problem. By building active/active it's easier to push it across the line, as you can show that you get improved performance out of the equipment rather than it just sitting there.

My take on it is instead of using both ASAs for each service, why not spoof active/active by splitting active/passive roles across both devices?

So ASA A becomes the default gateway for users and ASA B becomes the termination point for our websites. Both devices have different external IPs. Then use OSPF to fail over the routes between the devices.

As for the VPNs, has anyone gotten multi-homing to work on the ASA platform?

What I mean is, if I set half our VPNs to terminate on ASA A and the other half on ASA B.

Is there a way I could program the routing so that it would fail over some or all of the tunnels to the other ASA in case of failure?