As a redundancy measure, it’s possible to deploy multiple Cisco ASAs together in a failover configuration, also known as a High Availability Implementation. This requires that the ASAs have identical software, licensing, memory, and interfaces. There are three possible high availability options to protect against downtime, which we'll explore here.

Active/Standby Failover Implementation: In this model, only one of the firewalls is responsible for processing traffic, while the other is designated as a hot standby. The standby device has the ability to take over traffic processing duties in the event that the active device fails.

Active/Active Failover Implementation: In this model, both firewalls actively process traffic as a cluster. The network is able to tolerate the failure of one of the devices, since they are performing identical duties.

This implementation is a bit more complex and requires multiple context mode. With multiple context mode, it’s possible to partition a single ASA into multiple virtual devices, known as security contexts. Each security context acts as an independent device with its own policies, interfaces, and administrators, so multiple contexts are similar to having multiple standalone devices.

To implement Active/Active Failover, two physical firewalls are used. Each of these firewalls are configured into multiple virtual firewalls, or security contexts. In this example, ASA 1 is carved into Security Context 1 and Security Context 2. We also have ASA 2 similarly virtualized into two separate instances:

The next step is to take the virtual security contexts and divide those into failover groups. A failover group is simply a logical grouping of one or more security contexts.

ASA 1 is designated as the primary device, active for Failover Group 1. Similarly, ASA 2 is designated as the secondary device, active for Failover Group 2. The Security Contexts are separated and assigned as follows:

ASA 1:
Security Context 1 – Assigned to Failover Group 1
Security Context 2 – Assigned to Failover Group 2

ASA 2:
Security Context 1 – Assigned to Failover Group 2
Security Context 2 – Assigned to Failover Group 1

The load is distributed so that both ASAs are actively working to back one another up with redundancy.

Clustering Failover Implementation:This clusters together multiple ASAs to act as a single, logical device. The integration and management still work as though this is a single device, but the clustering offers higher throughput and redundancy. This works in a slave/master model similar to the way a RAID disk array works. If one clustered ASA fails, the other has the ability to takeover operations until the failed firewall has been replaced.

The interfaces connect to two different switches, with a virtual port channel connecting the switches together. This must be done on both the inside and outside security zones.

All the best,

Charles Judd - Instructor
CCNA Security & R/S, BS Network Security