Active/Active Failover and Asymmetric Routing in Cisco ASA Post-9.7
Modern enterprise networks demand high availability, performance, and scalability. One architecture increasingly used to achieve these goals is the Active/Active firewall design.
However, Active/Active designs introduce challenges — the most important being asymmetric routing.
This guide explains:
- What asymmetric routing is
- Why it causes issues in stateful firewalls
- How Cisco ASA historically handled the problem
- Major improvements introduced after ASA version 9.7
- Best practices for modern firewall deployments
Table of Contents
- Understanding Asymmetric Routing
- Why Asymmetric Routing Breaks Stateful Firewalls
- Traditional ASA Solution: ASR Groups
- ASA Enhancements After Version 9.7
- Enhanced Session Management
- Context-Aware Routing
- Improved BGP Handling
- Simplified Configuration and Management
- Dynamic Load Balancing
- Conclusion
- Related Articles
Understanding Asymmetric Routing
Asymmetric routing occurs when traffic between two hosts travels along different paths for the forward and return directions.
Example:
Client → Firewall A → Server Server → Firewall B → Client
In a traditional network this may not be a problem. However, for stateful firewalls like Cisco ASA, this becomes critical because the firewall must maintain a session table.
Stateful firewalls track every connection. If return traffic reaches a firewall that did not see the original packet, the firewall will drop the packet.
Why Asymmetric Routing Causes Problems
In an Active/Active firewall environment:
- Multiple firewalls process traffic simultaneously
- Traffic can enter through one firewall and exit through another
- Session state may not exist on the receiving firewall
When the return packet arrives on the wrong firewall:
%ASA-6-302013: Built inbound TCP connection %ASA-4-106023: Deny tcp src outside...
The firewall drops the packet because it does not recognize the session.
Traditional Solution: ASR Groups (Asynchronous Routing Groups)
Older Cisco ASA deployments solved this issue using ASR Groups.
ASR Groups allowed multiple ASA units to share session state information.
Expand to see how ASR groups work
When a firewall receives a packet without a matching session:
- The firewall checks ASR state synchronization
- If the session exists on another unit
- The packet is redirected to the correct firewall
- The Layer 2 header is rewritten
Example Configuration
Example configuration for enabling ASR groups.
Configuration Code
failover failover lan unit primary failover lan interface FO GigabitEthernet0/3 failover link STATE GigabitEthernet0/4 failover group 1 primary
Major ASA Enhancements After Version 9.7
Cisco introduced multiple improvements starting with ASA version 9.7.
These enhancements significantly improved asymmetric routing handling and simplified firewall operations.
- Enhanced session management
- Context-aware routing
- Better BGP integration
- Simplified configuration
- Dynamic load balancing
1. Enhanced Session Management
Modern ASA versions use improved session synchronization between firewalls.
Instead of relying only on ASR groups:
- Sessions replicate faster
- Synchronization occurs across contexts
- Packet drops are reduced
CLI Verification Example
show conn show failover show asp table session
Enhanced session replication ensures return packets are recognized even when traffic paths change.
2. Context-Aware Routing
Context-aware routing allows the firewall to make routing decisions using more than just routing tables.
ASA now evaluates:
- Application state
- User identity
- Security context
- Session state
CLI Monitoring Example
show route show conn detail show service-policy
3. Improved BGP Handling
Enterprises often connect to multiple ISPs using BGP.
Earlier ASA versions struggled when return traffic arrived through a different ISP.
Post-9.7 ASA introduces:
- Improved BGP route handling
- Better path awareness
- Stable failover behavior
Example BGP Verification
show bgp summary show bgp neighbors show route bgp
4. Simplified Configuration and Management
Cisco redesigned several configuration workflows after ASA 9.7.
Key improvements include:
- Simplified NAT configuration
- Improved ACL management
- Better monitoring tools
- Reduced dependency on ASR groups
Useful Monitoring Commands
show failover state show conn count show asp drop
5. Dynamic Load Balancing
Dynamic load balancing distributes traffic intelligently across firewalls.
Benefits include:
- Higher throughput
- Better firewall utilization
- Reduced packet drops
- Improved redundancy
Dynamic traffic distribution helps maintain symmetric traffic flows and improves overall firewall efficiency.
Conclusion
Active/Active firewall architectures provide excellent scalability and high availability but introduce routing complexities.
Cisco ASA improvements after version 9.7 significantly improve the handling of asymmetric routing through:
- Advanced session management
- Context-aware routing
- Enhanced BGP handling
- Simplified configuration workflows
- Dynamic load balancing
By leveraging these modern capabilities, network administrators can deploy resilient and scalable firewall architectures while minimizing connectivity disruptions.
Related Articles
- Active/Active Failover with Cisco ASA Post-9.7: A Modern Approach to High Availability
- Cisco ASA Key Management Changes After Version 9.7
- Modern Enhancements in Cisco ASA ACL Management and Object Grouping
- Transitioning to Cisco ASA Post-9.7: Modern Firewall Configurations and Best Practices
- Simplified NAT Configuration on Cisco ASA Post-9.7
