so I almost have to use statics from the CE then redis these into BGP..?
>I would say you do... with an optional ip sla & tracked object on the CE to make sure the static route is pinging through the ASA that is up before advertising :)
what would the return path from the server be? I will have to use default on the switch or run IGP here?
>default to inside of the ASA at the site from the local switch. There should be a vlan & subnet between the inside of each ASA and the L3 switch behind it.
I really need the ASA virtual ip to be the same for things to work, I read somewhere contexts can share the same VIP
>it sounds like you need a load balancer to grab all the servers into a common pool. Absent of a load balancer - you are stuck doing some type of funky anycast, where a secondary IP is bound to each server, the servers run ospf/rip with the adjacent switch and the routing figures out where to send what... crazy.
You definitely need an F5, ACE or Netscaler to tie this all together.
The only thing I can think of is tying it all together in DNS.
Can you give us more information about the host IPs/subnets behind each ASA?
Where are you located?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Tony Singh
Sent: Saturday, December 22, 2012 3:16 AM
To: Thomas Perrier; Joseph L. Brunner; marc abel
Cc: Cisco certification
Subject: Re: ASA active/active?
Hi Joe /Marc /Thomas
There are two sites
The servers are hosted environments and I am not allowed to run dynamic on the ASAs, already checked :/
So it leaves me kind of stumped. There is a VPN between the sites that PE is responsible for, where I will start using EBGP. I run iBGP between the L2 trunk, but I need to send the PE IP traffic to the ASAs, so I almost have to use statics from the CE then redis these into BGP..?
I'm trying to lab this, but the problem I'll have is Site 2 will have traffic come into the CE > go over the trunk > ASA site 1 > destination if it is active/standby?
If it's active/active, do I run two contexts, ctx1 Site1 is active & ctx2 Site2 is active? Then point the default route into the switches' HSRP VIP address for server forwarding, what would the return path from the server be? I will have to use default on the switch or run IGP here?
I really need the ASA virtual ip to be the same for things to work, I read somewhere contexts can share the same VIP
Thanks for your advice, I'm losing sleep over this
--
BR
Tony
Sent from my iPhone on 3

On 22 Dec 2012, at 07:30, Thomas Perrier <thomas_at_perrier.name> wrote:
> Joseph,
>
> On Sat, Dec 22, 2012 at 1:13 AM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>
>> If 1 physical site and multiple destination "web sites" behind a
>> single pair of asa's then you have to remember - active/active mode
>> requires multiple security contexts - so then you can aim static
>> routes (the only routes supported in multicontext mode) at the asa's
>
> Since version 9.0, the ASA supports dynamic routing protocols in
> multicontext mode. And site-to-site VPN too, BTW. Lots of good stuff
> in this release.
>
> -Thomas
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Dec 22 2012 - 10:16:02 ART
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART
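
Added example, not part of the original thread: one way the CE-side suggestion above (a static route toward the local ASA, gated by IP SLA and a tracked object, then redistributed into BGP) could look in Cisco IOS. All addresses, AS numbers, interface names and object names are constructed placeholders, and the probe target behind the ASA is an assumption.

```cisco
! Constructed addressing (not from the thread):
!   CE link to the local ASA               : 192.0.2.0/30, ASA = 192.0.2.2
!   Transit VLAN, ASA inside <-> L3 switch : 10.20.255.0/29, switch = 10.20.255.2
!   Server subnet behind the L3 switch     : 10.20.10.0/24
!   Local AS 65010, PE neighbor 198.51.100.1 in AS 65000
!
! Untracked host route to the probe target, so the probe can still leave
! via the ASA (and recover) after the tracked route has been withdrawn.
ip route 10.20.255.2 255.255.255.255 192.0.2.2
!
! Probe the L3 switch behind the ASA; the ASA policy must permit this ICMP.
ip sla 10
 icmp-echo 10.20.255.2 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Dampen flaps: wait 10 s before declaring down, 30 s before declaring up.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Static for the server subnet is installed only while track 10 is up.
ip route 10.20.10.0 255.255.255.0 192.0.2.2 track 10
!
! Redistribute only the intended prefix into BGP, never every static
! (this also keeps the /32 probe route out of BGP).
ip prefix-list SERVERS-SITE1 seq 5 permit 10.20.10.0/24
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list SERVERS-SITE1
!
router bgp 65010
 neighbor 198.51.100.1 remote-as 65000
 redistribute static route-map STATIC-TO-BGP
```

`show track 10`, `show ip sla statistics 10` and `show ip bgp 10.20.10.0` confirm the probe state and whether the prefix is currently being advertised.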