Cisco ASA Active/Active Design: Handling Asymmetric Routing Efficiently

Active/Active Failover and Asymmetric Routing in Cisco ASA Post-9.7

Modern enterprise networks demand high availability, performance, and scalability. One architecture increasingly used to achieve these goals is the Active/Active firewall design.

However, Active/Active designs introduce challenges — the most important being asymmetric routing.

This guide explains:

• What asymmetric routing is
• Why it causes issues in stateful firewalls
• How Cisco ASA historically handled the problem
• Major improvements introduced after ASA version 9.7
• Best practices for modern firewall deployments

---

Table of Contents

• Understanding Asymmetric Routing
• Why Asymmetric Routing Breaks Stateful Firewalls
• Traditional ASA Solution: ASR Groups
• ASA Enhancements After Version 9.7
• Enhanced Session Management
• Context-Aware Routing
• Improved BGP Handling
• Simplified Configuration and Management
• Dynamic Load Balancing
• Conclusion
• Related Articles

---

Understanding Asymmetric Routing

Asymmetric routing occurs when traffic between two hosts travels along different paths for the forward and return directions.

Example:

Client → Firewall A → Server

Server → Firewall B → Client

In a traditional network this may not be a problem. However, for stateful firewalls like Cisco ASA, this becomes critical because the firewall must maintain a session table.

💡 Key Concept
Stateful firewalls track every connection. If return traffic reaches a firewall that did not see the original packet, the firewall will drop the packet.

---

Why Asymmetric Routing Causes Problems

In an Active/Active firewall environment:

• Multiple firewalls process traffic simultaneously
• Traffic can enter through one firewall and exit through another
• Session state may not exist on the receiving firewall

When the return packet arrives on the wrong firewall:

%ASA-6-302013: Built inbound TCP connection

%ASA-4-106023: Deny tcp src outside...

The firewall drops the packet because it does not recognize the session.

---

Traditional Solution: ASR Groups (Asynchronous Routing Groups)

Older Cisco ASA deployments solved this issue using ASR Groups.

ASR Groups allowed multiple ASA units to share session state information.

Expand to see how ASR groups work

When a firewall receives a packet without a matching session:

• The firewall checks ASR state synchronization
• If the session exists on another unit
• The packet is redirected to the correct firewall
• The Layer 2 header is rewritten

Example Configuration

Example configuration for enabling ASR groups.

Configuration Code

failover

failover lan unit primary

failover lan interface FO GigabitEthernet0/3

failover link STATE GigabitEthernet0/4

failover group 1

primary

---

Major ASA Enhancements After Version 9.7

Cisco introduced multiple improvements starting with ASA version 9.7.

These enhancements significantly improved asymmetric routing handling and simplified firewall operations.

• Enhanced session management
• Context-aware routing
• Better BGP integration
• Simplified configuration
• Dynamic load balancing

---

1. Enhanced Session Management

Modern ASA versions use improved session synchronization between firewalls.

Instead of relying only on ASR groups:

• Sessions replicate faster
• Synchronization occurs across contexts
• Packet drops are reduced

CLI Verification Example

show conn

show failover

show asp table session

💡 Key Takeaway
Enhanced session replication ensures return packets are recognized even when traffic paths change.

---

2. Context-Aware Routing

Context-aware routing allows the firewall to make routing decisions using more than just routing tables.

ASA now evaluates:

• Application state
• User identity
• Security context
• Session state

CLI Monitoring Example

show route

show conn detail

show service-policy

---

3. Improved BGP Handling

Enterprises often connect to multiple ISPs using BGP.

Earlier ASA versions struggled when return traffic arrived through a different ISP.

Post-9.7 ASA introduces:

• Improved BGP route handling
• Better path awareness
• Stable failover behavior

Example BGP Verification

show bgp summary

show bgp neighbors

show route bgp

---

4. Simplified Configuration and Management

Cisco redesigned several configuration workflows after ASA 9.7.

Key improvements include:

• Simplified NAT configuration
• Improved ACL management
• Better monitoring tools
• Reduced dependency on ASR groups

Useful Monitoring Commands

show failover state

show conn count

show asp drop

---

5. Dynamic Load Balancing

Dynamic load balancing distributes traffic intelligently across firewalls.

Benefits include:

• Higher throughput
• Better firewall utilization
• Reduced packet drops
• Improved redundancy

💡 Key Takeaway
Dynamic traffic distribution helps maintain symmetric traffic flows and improves overall firewall efficiency.

---

Conclusion

Active/Active firewall architectures provide excellent scalability and high availability but introduce routing complexities.

Cisco ASA improvements after version 9.7 significantly improve the handling of asymmetric routing through:

• Advanced session management
• Context-aware routing
• Enhanced BGP handling
• Simplified configuration workflows
• Dynamic load balancing

By leveraging these modern capabilities, network administrators can deploy resilient and scalable firewall architectures while minimizing connectivity disruptions.

---

Related Articles

• Active/Active Failover with Cisco ASA Post-9.7: A Modern Approach to High Availability
• Cisco ASA Key Management Changes After Version 9.7
• Modern Enhancements in Cisco ASA ACL Management and Object Grouping
• Transitioning to Cisco ASA Post-9.7: Modern Firewall Configurations and Best Practices
• Simplified NAT Configuration on Cisco ASA Post-9.7