How to configure Active/Active Cisco ASAs

Posted on 2011-09-28
Last Modified: 2012-06-27
We are looking to add a level of redundancy to our front end internet connection / VPN concentrator.

Our current front end firewall is an ASA 5510. Trouble is of course when we take it down for maintenance or any outage occurs we go hard down for an extended period. We have a second ASA 5510 here in the lab basically sitting idle.

What I would like to do is stack the pair and run them as active / active firewalls. (I've never been fond of active/passive and having equipment sitting there doing nothing)

My thought was to install both and load balance VPN tunnels across them.

i.e. tunnel A goes to ASA A, tunnel B goes to ASA B, and then program them to fail over to each other.
Likewise use ASA A to host our website and use ASA B to manage the in house internet traffic and again fail over to each other.

We already have OSPF in place to handle the routing updates.

Has anyone done anything similar in house?

Any best practices? warnings? better ideas?
Question by:PerimeterIT
LVL 18

Expert Comment

ID: 36719674
Active / active requires multi-context mode, which cannot terminate VPNs.  You would have to pass encrypted traffic through and terminate the VPNs on another device on the inside.

I know this isn't really an opinion forum but regarding your comment about active / standby, I've always been fine with that. I understand the argument that, as you put it, you have equipment sitting there doing nothing, but active / standby is a much easier configuration, and every customer I've ever talked to has always said that in a failure scenario, they still wanted the same level of service as before the failure.  Which, to me, means you have to size the firewalls so if only a single one is available it can still handle the full throughput load.  The only benefit I see with active / active is increased throughput, but only if you're also willing to accept somewhat reduced service in a failure situation.  My personal opinion is active / active was a checkbox Cisco needed to be able to figure out a way to do because Juniper was already able to and without that capability they were losing deals.  My $.02....

Author Comment

ID: 36719932
I've always been of the opinion that the two words network admins don't want to hear in the same sentence are "Load Balance", because it never works quite right...

In our company's case our C levels are pushing us to build DR into our infrastructure. But of course $ is always a problem. By building active/active it's easier to push it across the line, as you can show that you get improved performance out of the equipment rather than it just sitting there.

My take on it is instead of using both ASAs for each service, why not spoof active/active by splitting active/passive roles across both devices?

So ASA A becomes the default gateway for users and ASA B becomes the termination point for our websites. Both devices have different external IPs. Then use OSPF to fail over the routes between the devices.

As for the VPNs, has anyone gotten multi-homing to work on the ASA platform?

What I mean is, if I set half our VPNs to terminate on ASA A and the other half on ASA B.

Is there a way I could program the routing so that it would fail over some or all of the tunnels to the other ASA in case of failure?
LVL 18

Accepted Solution

jmeggers earned 500 total points
ID: 36938244
Basically, what you're describing is how active/active works on the ASA.  You run two contexts on each ASA and one ASA is active for one context, but passive for the other.  I don't know of any way to spoof that architecture.

As for your VPN question, the ASA won't let you terminate VPNs in multi-context mode, so you could try two separate VPN tunnels, one to each ASA.  But I suspect that would only help you if you can figure out a way to use both ASAs on the same set of LANs and not run into state problems.

Bottom line, I don't see a way of accomplishing what you're suggesting.
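To make the accepted answer concrete, the following is an added configuration sketch (not from the original thread or from Cisco documentation) of what "two contexts, each ASA active for one of them" looks like in the system execution space of the primary ASA 5510. Interface names, context names, the failover link addressing and the config-url paths are all constructed placeholders; the shared-secret value is a placeholder you would replace. The secondary unit needs only the `mode multiple`, `failover`, `failover lan unit secondary`, and matching failover link/interface lines, as the rest of the configuration is replicated to it.

```text
! ---- system execution space, primary unit (constructed example) ----
mode multiple
admin-context admin
context admin
  config-url disk0:/admin.cfg
!
! failover link carries state and config replication between the two 5510s
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover link folink Ethernet0/3
failover key CHANGE-ME-shared-secret
!
! group 1 prefers the primary unit, group 2 prefers the secondary unit;
! "preempt" hands a context back to its preferred unit once it recovers
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
!
! ctxA: default gateway for users -> normally active on ASA A (primary)
context ctxA
  description user internet gateway
  allocate-interface Ethernet0/0.10 outsideA
  allocate-interface Ethernet0/1.10 insideA
  config-url disk0:/ctxA.cfg
  join-failover-group 1
!
! ctxB: public web services -> normally active on ASA B (secondary)
context ctxB
  description public web servers
  allocate-interface Ethernet0/0.20 outsideB
  allocate-interface Ethernet0/1.20 insideB
  config-url disk0:/ctxB.cfg
  join-failover-group 2
```

Inside each context you then assign addresses with a standby address (`ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3`, using documentation addresses here) and run OSPF per context, so when a failover group moves, the standby unit takes over the same IPs and the neighbours see no route change. The design point the thread makes still applies: this is the built-in active/active model, each context is only ever active on one unit at a time, and on the ASA software of 2011 a context in multiple mode cannot terminate VPN tunnels, so the VPN concentrator role has to stay on a single-context device or be moved inside.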

