The Cisco ASA supports Active/Active failover mode, in which both ASAs pass traffic, so network traffic can be load balanced between the two units.
Active/Active Key Points
- Requires multiple context mode. Refer to the previous post on ASA Multi Context for more information; the associated configuration is located in the templates section.
- Deployed in pairs, using Active/Standby within multiple contexts, which provides two logical Active/Standby pairs across two physical ASAs, with traffic load balanced by routing to each active unit.
- One ASA unit is designated as Primary with the other unit as Secondary. The Primary unit provides the running configuration to the pair when they boot simultaneously.
- Contexts are assigned to failover groups.
- Each failover group is assigned to be active on the desired ASA; the group is standby on the other ASA. For example, to load balance, failover-group 1 would be active on the Primary ASA and failover-group 2 active on the Secondary ASA.
- A failover group is configured for pre-emption, to ensure that the failover group runs on the preferred unit after startup.
Topology
The figure below represents the physical ASA Active/Active failover topology.
The figure below represents the logical ASA Active/Active failover topology. Two Cisco ASAs are configured in multiple-context mode, with two contexts, ONE and TWO.
- The ASAs' INSIDE interfaces are configured as sub-interfaces – VLAN 100 and VLAN 200
- The VLAN interfaces (100 and 200) on the local LAN switch are in different VRFs
- Each VRF has a different default route.
Traffic from User1 is routed via the Active context ONE ASA (on the left) and traffic from User2 is routed via the Active context TWO ASA (on the right). As failover is configured, if either Active ASA fails, its traffic will fail over to the other ASA.
Switch Configuration
The configuration below represents the local LAN switch configuration, with traffic segmented into VRFs to provide routing separation to the different ASA.
vrf definition ONE
 !
 address-family ipv4
 exit-address-family
!
vrf definition TWO
 !
 address-family ipv4
 exit-address-family
!
interface Loopback11
 vrf forwarding ONE
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback21
 vrf forwarding TWO
 ip address 10.2.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description LEFT ASA
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description RIGHT ASA
 switchport trunk allowed vlan 100,200
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan100
 vrf forwarding ONE
 ip address 10.1.0.254 255.255.255.0
!
interface Vlan200
 vrf forwarding TWO
 ip address 10.2.0.254 255.255.255.0
!
ip route vrf ONE 0.0.0.0 0.0.0.0 10.1.0.1
ip route vrf TWO 0.0.0.0 0.0.0.0 10.2.0.1
ASA Configuration
Primary ASA
The first command is to configure multiple context mode.
mode multiple
The following configuration is defined in system mode on the primary ASA.
In multiple context mode, interfaces can be unique per context or shared. In this example, sub-interfaces of the physical interface Ethernet0 are used on the INSIDE network (connected to different VLANs on the directly connected switch), while the OUTSIDE interface (Ethernet1) is shared across contexts. The CCL interface must be the same on both ASAs (Ethernet2).
interface Ethernet0.100
 vlan 100
!
interface Ethernet0.200
 vlan 200
!
interface Ethernet2
 no shutdown
Failover is configured on the primary unit. The failover group number (1 or 2) is later referenced in the context configuration. Enable automatic MAC address generation (mac-address auto) when interfaces are shared between contexts, so that each context uses a unique MAC address on the shared interface.
mac-address auto
!
failover
failover lan unit primary
failover lan interface FOVER Ethernet2
failover key *****
failover link FOVER Ethernet2
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover group 1
 preempt
failover group 2
 secondary
 preempt
Aside from the default admin context, two new contexts are created, ONE and TWO. The unique sub-interfaces representing the INSIDE interface are allocated (these differ per context), and the shared interface representing the OUTSIDE interface is also allocated. The contexts are joined to different failover groups.
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context ONE
 allocate-interface Ethernet0.100
 allocate-interface Ethernet1
 config-url disk0:/one.cfg
 join-failover-group 1
!
context TWO
 allocate-interface Ethernet0.200
 allocate-interface Ethernet1
 config-url disk0:/two.cfg
 join-failover-group 2
Configure context ONE IP addressing and routing.
changeto context ONE
!
interface Ethernet0.100
 nameif INSIDE
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.11 255.255.255.0 standby 1.1.1.12
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.254 1
route INSIDE 10.1.0.0 255.255.252.0 10.1.0.254 1
Configure context TWO IP addressing and routing.
changeto context TWO
!
interface Ethernet0.200
 nameif INSIDE
 security-level 100
 ip address 10.2.0.1 255.255.255.0 standby 10.2.0.2
!
interface Ethernet1
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.21 255.255.255.0 standby 1.1.1.22
!
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.254 1
route INSIDE 10.2.0.0 255.255.252.0 10.2.0.254 1
The remaining configuration is standard ASA configuration and not represented here.
Secondary ASA
Very little configuration is required on the secondary ASA: bring up the CCL interface (no shutdown) and configure failover, making sure the unit is set to secondary. The failover key, failover interface and failover interface IP addresses must match those configured on the primary.
interface Ethernet2
 no shutdown
!
failover
failover lan unit secondary
failover lan interface FOVER Ethernet2
failover key Cisco1234
failover link FOVER Ethernet2
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
You do not need to specify the failover group commands; these will be synced from the Primary unit.
Verification
From the CLI of the Primary ASA run the command show failover.
ASA-1/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FOVER Ethernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.1(5)16, Mate 9.1(5)16
Group 1 last failover at: 15:56:51 UTC Jul 16 2022
Group 2 last failover at: 16:43:32 UTC Jul 16 2022

  This host:    Primary
  Group 1       State:          Active
                Active time:    2916 (sec)
  Group 2       State:          Standby Ready
                Active time:    22 (sec)

                  ONE Interface INSIDE (10.1.0.1): Normal (Monitored)
                  ONE Interface OUTSIDE (1.1.1.11): Normal (Monitored)
                  TWO Interface INSIDE (10.2.0.2): Normal (Monitored)
                  TWO Interface OUTSIDE (1.1.1.22): Normal (Monitored)

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    117 (sec)

                  ONE Interface INSIDE (10.1.0.2): Normal (Monitored)
                  ONE Interface OUTSIDE (1.1.1.12): Normal (Monitored)
                  TWO Interface INSIDE (10.2.0.1): Normal (Waiting)
                  TWO Interface OUTSIDE (1.1.1.21): Normal (Monitored)
From the output above we can confirm that this host is the Primary. Group 1 state is Active and Group 2 state is Standby Ready. This confirms that the Primary ASA (the ASA on the left of the topology diagram) is actively routing traffic for context ONE and standby for context TWO. The Secondary ASA is the opposite, Standby Ready for context ONE and Active for context TWO.
Referring to the topology diagram above, this means user traffic from VRF ONE on the switch is routed to the Primary ASA and traffic from VRF TWO is routed to the Secondary ASA. As the firewall is configured for High Availability, if one physical ASA fails, then traffic is routed via the other ASA.
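To make the verification step repeatable rather than a one-off read of the CLI, here is an added Python example (not from the original post) that parses the per-unit section of show failover, checks that each failover group is Active on the unit the preempt configuration prefers and Standby Ready on the other, and reports any interface that is not Normal (Monitored). The sample text is constructed from the show failover output above, trimmed to the INSIDE interfaces; the field layout assumed is that of the 9.1 output shown.

```python
import re

# Constructed sample: the per-unit part of the "show failover" output above.
SAMPLE = """\
This host: Primary
  Group 1 State: Active
  Group 2 State: Standby Ready
  ONE Interface INSIDE (10.1.0.1): Normal (Monitored)
  TWO Interface INSIDE (10.2.0.2): Normal (Monitored)
Other host: Secondary
  Group 1 State: Standby Ready
  Group 2 State: Active
  ONE Interface INSIDE (10.1.0.2): Normal (Monitored)
  TWO Interface INSIDE (10.2.0.1): Normal (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s+(Primary|Secondary)")
GROUP_RE = re.compile(r"^\s*Group (\d) State:\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(\S+) Interface (\S+) \(([\d.]+)\):\s+(\S+) \((\w+)\)")

def parse_failover(text):
    """Return {unit: {"groups": {n: state}, "ifaces": [(ctx, nameif, ip, status, monitor)]}}."""
    units, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = units.setdefault(m.group(2), {"groups": {}, "ifaces": []})
        elif cur is None:
            continue  # still in the global header, no per-unit data yet
        elif m := GROUP_RE.match(line):
            cur["groups"][int(m.group(1))] = m.group(2)
        elif m := IFACE_RE.match(line):
            cur["ifaces"].append(m.groups())
    return units

def check_failover(units, preferred):
    """preferred maps group -> unit that should be Active (per the preempt config); returns findings."""
    findings = []
    for group, unit in preferred.items():
        active = [u for u, d in units.items() if d["groups"].get(group) == "Active"]
        if active != [unit]:
            findings.append(f"group {group}: active on {active or 'no unit'}, expected {unit}")
        for u, d in units.items():
            if u != unit and d["groups"].get(group) != "Standby Ready":
                findings.append(f"group {group}: {u} is {d['groups'].get(group)}, not Standby Ready")
    for u, d in units.items():
        for ctx, nameif, ip, status, mon in d["ifaces"]:
            if (status, mon) != ("Normal", "Monitored"):
                findings.append(f"{u} {ctx}/{nameif} ({ip}): {status} ({mon})")
    return findings
```

Running check_failover(parse_failover(SAMPLE), {1: "Primary", 2: "Secondary"}) on the sample returns a single finding for the Secondary's context TWO INSIDE interface still in Waiting; an empty list means the pair sits exactly where the design intends.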