Cisco ASA 5585-X with No Payload Encryption Technical Manual

Introduction
The failover configuration requires two identical security appliances connected to each other through a
dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is
monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The security appliance supports two failover configurations, Active/Active Failover and Active/Standby
Failover. Each failover configuration has its own method to determine and perform failover. With
Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your
network. Active/Active Failover is only available on units that run in multiple context mode. With
Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state.
Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover
configurations support stateful or stateless (regular) failover.
This document focuses on how to configure an Active/Active Failover in Cisco PIX/ASA Security Appliance.
Refer to PIX/ASA 7.x Active/Standby Failover Configuration Example for more information about the
Active/Standby Failover configurations.
Note: VPN failover is not supported on units that run in multiple context mode because VPN is not supported
in multiple context mode. VPN failover is available only for Active/Standby Failover configurations in single
context configurations.
This configuration guide provides a sample configuration as a brief introduction to the PIX/ASA 7.x
Active/Active technology. Refer to the Cisco Security Appliance Command Reference, Version 7.2 for a
more in-depth understanding of the theory behind this technology.
Prerequisites
Requirements
Hardware Requirement
The two units in a failover configuration must have the same hardware configuration. They must be the same
model, have the same number and types of interfaces, and the same amount of RAM.
Note: The two units do not need to have the same size Flash memory. If you use units with different Flash
memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough
space to accommodate the software image files and the configuration files. If it does not, configuration
synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory fails.
Software Requirement
The two units in a failover configuration must be in the same operational modes (routed or transparent, single or
multiple context). They must have the same major (first number) and minor (second number) software
version, but you can use different versions of the software within an upgrade process; for example, you can
upgrade one unit from Version 7.0(1) to Version 7.0(2) and have failover remain active. Cisco recommends
that you upgrade both units to the same version to ensure long-term compatibility.
Refer to Performing Zero Downtime Upgrades for Failover Pairs for more information about upgrading the
software on a failover pair.
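The hardware and software requirements above can be checked before the units are paired. The following is an added example, not part of the Cisco document: the inventory dictionaries, their field names, the sample values and the needed_flash_mb parameter are assumptions constructed for illustration, and the values would have to be collected from each unit by hand.

```python
import re
from collections import Counter

def parse_version(text):
    """Split a version string such as '7.0(2)' into (major, minor, maintenance)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if m is None:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def check_pair(a, b, failover="active/active", needed_flash_mb=0):
    """Compare two unit inventories; return (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    # Same model, same RAM, same operational modes.
    for key in ("model", "ram_mb", "firewall_mode", "context_mode"):
        if a[key] != b[key]:
            errors.append(f"{key} differs: {a[key]} vs {b[key]}")
    # Same number and types of interfaces (order does not matter).
    if Counter(a["interfaces"]) != Counter(b["interfaces"]):
        errors.append("interfaces differ in number or type")
    # Major and minor must match; a differing third number is tolerated
    # during an upgrade, but the same version is recommended.
    va, vb = parse_version(a["version"]), parse_version(b["version"])
    if va[:2] != vb[:2]:
        errors.append(f"major/minor version differs: {a['version']} vs {b['version']}")
    elif va != vb:
        warnings.append("versions differ within a release; upgrade both to the same version")
    # Active/Active is only available in multiple context mode.
    if failover == "active/active" and "single" in (a["context_mode"], b["context_mode"]):
        errors.append("Active/Active Failover requires multiple context mode")
    # Flash sizes may differ, but the smaller one must hold image + configuration.
    # needed_flash_mb is an assumed figure supplied by the operator.
    if min(a["flash_mb"], b["flash_mb"]) < needed_flash_mb:
        errors.append("smaller Flash cannot hold the image and configuration files")
    return errors, warnings

# Constructed sample inventories (not taken from a real device).
PRIMARY = {
    "model": "ASA5585-X", "ram_mb": 4096, "flash_mb": 128,
    "interfaces": ["GigabitEthernet"] * 4 + ["Management"],
    "firewall_mode": "routed", "context_mode": "multiple", "version": "7.0(1)",
}
SECONDARY = dict(PRIMARY, flash_mb=64, version="7.0(2)")

if __name__ == "__main__":
    errs, warns = check_pair(PRIMARY, SECONDARY, needed_flash_mb=32)
    print("errors:", errs)
    print("warnings:", warns)
```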
License Requirements