Active-active and active-passive are two high-availability (HA) configurations for firewalls, each with its own advantages and disadvantages; however, the Meraki MX85 does not support active-active operation.
Active-active operation does, however, have a few "caveats"...
Complexity: Active-active configurations are more complex to design and manage. Both firewalls are actively processing traffic, which requires advanced design concepts and additional configuration, such as activating networking protocols on both firewalls and replicating NAT pools.
Troubleshooting: It is significantly easier to troubleshoot routing and traffic flow issues in an active-passive setup. In active-active mode, both firewalls maintain their own session and routing tables, which can complicate troubleshooting efforts.
Layer 2 Deployment: Active-passive mode supports Layer 2 deployments, whereas active-active mode does not. This can limit the applicability of active-active configurations in certain network environments.
DHCP Support: In active-active mode, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them. This limitation does not exist in active-passive mode.
Load Balancing: Active-active configurations do not inherently load-balance traffic. While you can load-share by sending traffic to the peer, no true load balancing occurs. This can lead to inefficiencies in traffic management.
Cost and Resource Utilization: Active-active configurations can be more resource-intensive and costly, as both firewalls are actively processing traffic. In contrast, active-passive setups have one firewall in standby mode, which can be more cost-effective and simpler to manage.
Overall, active-passive configurations are often preferred for their simplicity, ease of troubleshooting, and lower resource requirements, making them suitable for many network environments.
-Espen