ASA multi-context failover (Active/Active)

 

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users.

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to send a packet.

Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that context.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses unique MAC addresses assigned to the interface in each context. An upstream router cannot route directly to a context without unique MAC addresses. You can enable auto-generation of MAC addresses. You can also set the MAC addresses manually when you configure each interface.

NAT Configuration

If you do not enable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.

Packet Classification with a Shared Interface Using MAC Addresses

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-contexts.html

========================================

Configuration Example

1. Change both ASA to multi-context mode

ciscoasa(config)# mode multiple 

2. Configure failover 

2.1 on the primary unit

failover lan unit primary
failover lan interface FO Ethernet2
failover link FO Ethernet2
failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2

2.2 On the secondary unit:

failover lan unit secondary

failover lan interface FO Ethernet2

failover link FO Ethernet2

failover interface ip FO 172.16.1.1 255.255.255.0 standby 172.16.1.2

3. Configure failover group on the primary unit

Specify group 1 active one primary unit and group2 active on secondary unit, specify active delay to 1 minute.

failover group 1

  primary

  preempt 60

failover group 2

  secondary

  preempt 60

4. enabled failover on both units

ciscoasa(config)#failover

from now on, failover is up, configuration continue on the active ASA:

5. create resource class:

class gold

  limit-resource VPN Other 3

  limit-resource ASDM 5

  limit-resource SSH 5

  limit-resource Telnet 5

  limit-resource Mac-addresses 10000

6. Configure port channel and sub interfaces will be used for inside interfaces

  interface Ethernet1

 channel-group 1 mode on

interface Ethernet3

 channel-group 1 mode on

interface Port-channel1.100

 vlan 100

!

interface Port-channel1.200

 vlan 200

7. E0 will be used as shared outside interface for all contexts

8.Create contexts:

context admin

  config-url disk0:/admin.cfg

!

context c1

  member gold

  allocate-interface Ethernet0

  allocate-interface Port-channel1.100

  config-url disk0:/c1.cfg

  join-failover-group 1

!

context c2

  member gold

  allocate-interface Ethernet0

  allocate-interface Port-channel1.200

  config-url disk0:/c2.cfg

  join-failover-group 2

!

9. Configure context c1

interface Ethernet0

 nameif outside

 security-level 0

 ip address 192.168.2.120 255.255.255.0 standby 192.168.2.121

!

interface Port-channel1.100

 nameif inside

 security-level 100

 ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2

10. Configure context c2:

interface Ethernet0

 nameif outside

 security-level 0

 ip address 192.168.2.122 255.255.255.0 standby 192.168.2.123

!

interface Port-channel1.200

 nameif inside

 security-level 100

 ip address 10.0.200.1 255.255.255.0 standby 10.0.200.2