In this blog, we'll dive into how Active/Active failover works post-9.7, compare it to older methods, and guide you through configuring it in today's environments. We'll also highlight the differences between the old and new processes, and why the modern approach is superior.
---
## What is Active/Active Failover?
Active/Active failover refers to a high availability (HA) setup where both ASA devices in a failover pair actively process traffic. This allows for load distribution, improved efficiency, and better resource utilization. Unlike Active/Standby, where one device sits idle waiting to take over in case of a failure, Active/Active setups allow both devices to operate and share the traffic load.
The use of *security contexts* (or virtual firewalls) is critical in enabling Active/Active failover. Each context is treated as a separate instance with its own configuration and policies, allowing traffic to be processed by one context on one device and another context on the secondary device.
---
## Active/Active Failover: Pre and Post-ASA 9.7
In pre-ASA 9.7 implementations, Active/Active failover relied on multiple contexts for each device to process traffic simultaneously. This required:
- **Context 1** active on ASA1 and standby on ASA2.
- **Context 2** active on ASA2 and standby on ASA1.
This meant you needed to manually configure contexts to distribute traffic across both devices, which could get cumbersome. With the introduction of version 9.7, Cisco made significant improvements in how contexts and interfaces are handled, making the process more straightforward and reducing configuration complexity.
Key changes in ASA post-9.7:
- **Enhanced Failover Logic:** Failover decisions are more efficient and responsive, minimizing traffic disruption.
- **Simplified Context Creation:** Context creation and management have been streamlined, reducing manual configuration steps.
- **Improved Interface Management:** Interfaces can now be managed more flexibly, and configuration syncing between appliances has been optimized.
---
## Benefits of Active/Active Post-ASA 9.7
### 1. **Optimized Traffic Distribution**
Post-9.7, Cisco ASA enhances the way traffic is distributed between the two appliances. Failover pairs in an Active/Active configuration now process traffic more evenly, with less need for manual distribution across contexts.
### 2. **Improved Configuration Syncing**
Older versions required more manual work to synchronize configurations across contexts and devices. With 9.7, syncing of configuration data between appliances is faster and more reliable, ensuring seamless failover and reduced administrative overhead.
### 3. **Enhanced Scalability**
ASA 9.7 and newer versions improve upon scalability features, enabling organizations to more easily add security contexts or interfaces, supporting more complex networks without significant reconfiguration.
---
## Step-by-Step: Setting Up Active/Active Failover in ASA Post-9.7
Here is a simplified process for configuring Active/Active failover in a post-9.7 Cisco ASA environment:
### Step 1: Convert to Multiple Context Mode
The first step is to convert your ASA to support multiple contexts. This allows the firewall to handle multiple virtual firewalls, which is crucial for Active/Active failover.
ciscoasa(config)# mode multiple
The device will then reboot to apply the change.
### Step 2: Create Security Contexts
After the device reboots, you’ll need to create security contexts. Each context operates independently and can have its own unique configuration. Contexts must be created for each instance that will handle active traffic.
ciscoasa(config)# context CTX1
ciscoasa(config-ctx)# config-url disk0:/CTX1.cfg
ciscoasa(config)# context CTX2
ciscoasa(config-ctx)# config-url disk0:/CTX2.cfg
### Step 3: Assign Interfaces to Contexts
Once the contexts are created, you need to allocate the physical interfaces to these contexts. The interfaces will be used to process traffic in each context.
ciscoasa(config)# allocate-interface GigabitEthernet0/0 CTX1
ciscoasa(config)# allocate-interface GigabitEthernet0/1 CTX2
You must ensure that the correct interfaces are assigned to each context so that traffic can be routed appropriately.
### Step 4: Configure the Failover Pair
To configure Active/Active failover, both ASAs must be configured as a failover pair. First, enable failover on both devices and assign roles (primary/secondary).
On the primary ASA:
ciscoasa(config)# failover
ciscoasa(config)# failover lan unit primary
ciscoasa(config)# failover lan interface FAIL-LINK GigabitEthernet0/2
ciscoasa(config)# failover link FAIL-LINK GigabitEthernet0/3
ciscoasa(config)# failover interface ip FAIL-LINK 192.168.10.1 255.255.255.252 standby 192.168.10.2
On the secondary ASA:
ciscoasa(config)# failover
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface FAIL-LINK GigabitEthernet0/2
ciscoasa(config)# failover link FAIL-LINK GigabitEthernet0/3
ciscoasa(config)# failover interface ip FAIL-LINK 192.168.10.2 255.255.255.252 standby 192.168.10.1
### Step 5: Configure Interface IP Addresses for Contexts
For each context, configure the IP addresses for the active and standby roles. Here’s an example for `CTX1`:
ciscoasa/admin(config)# context CTX1
ciscoasa/CTX1(config)# interface GigabitEthernet0/0
ciscoasa/CTX1(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
Repeat the process for all interfaces and contexts.
### Step 6: Verify Failover Status
To ensure that your failover configuration is working correctly, you can verify the status using the following command:
ciscoasa# show failover
This will display the current state of the failover configuration, indicating whether traffic is being processed by both appliances in the Active/Active setup.
---
## Conclusion
The introduction of ASA version 9.7 brought a host of improvements to the way Active/Active failover is configured and managed. By simplifying context management, improving traffic distribution, and optimizing failover processes, Cisco ASA has made high availability more efficient and less complex.
With the steps outlined above, you can easily set up an Active/Active failover pair in a post-9.7 ASA environment, ensuring that your network is resilient, scalable, and ready to handle high traffic loads without interruption. Whether you're upgrading from an older version or setting up a new ASA deployment, leveraging these new features will help you get the most out of your firewall infrastructure.
---
**Key Takeaways:**
- Cisco ASA post-9.7 simplifies Active/Active failover with streamlined context management and interface allocation.
- Configuration syncing and failover logic are improved, reducing downtime and manual configuration.
- The Active/Active model ensures load balancing and better resource utilization across both devices in a failover pair.
