Hello Kbits Team,
I have a multi-context ASA firewall running in production in Active/Standby failover mode.
The firewalls are experiencing high CPU because they are handling a lot of traffic. We plan to move the failover mode to Active/Active to share the firewall load.
When we change the failover mode, will it impact the production traffic?
Is there any recommended way to change the mode without impacting the production traffic?

I would say changing from single to multi will wipe the config out, as the ASA would create a new way of handling configuration and the configuration file. This is a complete redesign of the ASA config. Therefore, I would treat it as a new project and aim to split the traffic across both ASAs.
I highly recommend you watch the Kbits videos on multi-context, as the ASA's behaviour changes slightly in how it handles traffic. Also, read the configuration guide on the Cisco website for more insight.
In terms of changing without impact: you will require careful planning, implementing and testing on one ASA (standby), and once you are confident it works as it is supposed to, you can switch traffic to it while you configure the other ASA. This means you need to break the failover between the two units, and you are doing so at a risk, as you don't have a failover device.