Network technologies and trends

Sep 30 2016   11:23AM GMT

Cisco ASA FirePOWER Services and  High Availability – Series 3

Yasir Irfan

Cisco Firewall
Dynamic Routing

The Cisco ASA Firewall with FirePOWER services can be deployed in Active/Active failover; in this mode the ASAs must operate in multiple context mode. Cisco relies on failover groups to implement Active/Active failover. A failover group is a logical group of one or more security contexts. In Active/Active failover mode both units of the Cisco ASA Firewall with FirePOWER services pair can pass network traffic; the traffic load is split between the members of the failover pair in such a way that each unit is active for some set of security contexts.

Figure 1.1 - Cisco ASA Active-Active

The Cisco ASA Firewall with FirePOWER services supports up to three failover groups in Active/Active failover mode.

  • Group 0
    • This is a hidden group which cannot be modified; it holds the system context as its member. Group 0 depends entirely on Group 1: Group 0 is active on whichever ASA unit Group 1 is active on.
  • Group 1
    • The admin context is always part of this group, and any newly created context is added to this group by default. By default the primary ASA Firewall with FirePOWER services unit always owns Group 1.
  • Group 2
    • Some of the newly created contexts can be added to Group 2 so that they are active on the secondary unit of the ASA Firewall with FirePOWER services. By default Group 2 is also active on the primary ASA Firewall with FirePOWER services unit; one needs to change ownership of Group 2 from the primary unit to the secondary unit manually.

Figure 1.2 - Cisco ASA Active-Active

In an Active/Active failover deployment with multiple context mode:

  • Physical interfaces of the ASA Firewall with FirePOWER services cannot be shared between contexts that belong to different failover groups.
  • Not all features of the ASA Firewall with FirePOWER services are supported.
  • When failover occurs, a single physical ASA unit must carry all the traffic load that was previously shared by two ASA units.
  • When the ASA FirePOWER module fails, it can be configured to do either of the following:
    • Fail Open
      • In the fail-open state all traffic will pass through the ASA even when the ASA FirePOWER module fails.
    • Fail Close
      • In the fail-close state all traffic passing through the ASA will stop.
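To make the failover-group assignments described above and the FirePOWER module failure mode concrete, here is an added example ASA configuration. It is constructed for this post and is not the author's own configuration; the interface names, context names, config-url paths and failover-link addresses are assumed values. The first part belongs in the system execution space of the primary unit and shows Group 1 left with the primary, Group 2 assigned to the secondary, and a tenant context joined to each group; the second part belongs inside a tenant context and shows the service policy that redirects traffic to the ASA FirePOWER module with the fail-open or fail-close choice. Note that in fail-open mode traffic passing through the ASA while the module is down is not inspected by FirePOWER, so a defender who prefers availability over inspection should at least monitor for that state.

```cisco
! ===== System execution space (primary unit) =====
! Assumed failover link: GigabitEthernet0/2 with constructed addresses
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Group 1: owned by the primary unit (this is also the default)
failover group 1
 primary
 preempt
!
! Group 2: explicitly assigned to the secondary unit so its contexts are
! active there instead of on the primary
failover group 2
 secondary
 preempt
!
! The admin context always lives in group 1
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0.10
 config-url disk0:/admin.cfg
!
! tenant-a stays in group 1 (active on the primary)
context tenant-a
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/tenant-a.cfg
 join-failover-group 1
!
! tenant-b joins group 2 (active on the secondary); note that its
! interfaces are not shared with any context in group 1
context tenant-b
 allocate-interface GigabitEthernet0/0.30
 allocate-interface GigabitEthernet0/1.30
 config-url disk0:/tenant-b.cfg
 join-failover-group 2
!
failover
!
! ===== Inside a tenant context (changeto context tenant-b) =====
! Redirect all traffic to the ASA FirePOWER module
access-list SFR_REDIRECT extended permit ip any any
class-map SFR
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR
  ! fail-open: traffic keeps flowing, uninspected, if the module fails
  sfr fail-open
  ! fail-close: replace the line above with this to drop traffic instead
  ! sfr fail-close
service-policy global_policy global
```

If the pair was built before `failover group 2` was set to `secondary`, ownership can be moved at runtime with `failover active group 2` on the secondary unit (or `no failover active group 2` on the primary). `show failover` in the system execution space confirms which unit is active for each group, and `show module sfr` in a context shows whether the FirePOWER module is up, which is the state a fail-open deployment should be alerting on.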

The Active/Active failover deployment is quite useful in the following scenarios:

  • Multi-tenancy environments
  • Multiple LAN subnets which need logical separation through different firewalls.

However, looking at the limitations of the Active/Active failover deployment model, one can consider clustering of Cisco ASAs with FirePOWER modules, as clustering provides a much better HA solution for load-sharing scenarios.
