topic Re: Cisco ASA IPSEC VPN in Network Security

Cisco ASA IPSEC VPN

Raj Sh — Mon, 17 May 2021 13:11:35 GMT

Do we have support for stateful failover of SITE to Site IPSEC tunnel on Multicontext mode.?

I have pair of ASAs 5515-x with 9.8(2)

i read the ASA Document...however still not clear.

Guidelines for IPsec VPNsMulticontext
Context Mode Guidelines
Supported in single or multiple context mode. Anyconnect Apex license is required for remote-access VPN in multi-context mode. Although ASA does not specifically recognize an AnyConnect Apex license, it enforces licenses characteristics of an Apex license such as AnyConnect Premium licensed to the platform limit, AnyConnect for mobile, AnyConnect for Cisco VPN phone, and advanced endpoint assessment.

Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.

Failover Guidelines
IPsec VPN sessions are replicated in Active/Standby failover configurations only.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ike.html#ID-2441-000000bc

Re: Cisco ASA IPSEC VPN

Marvin Rhoads — Mon, 17 May 2021 16:54:07 GMT

Yes, failover of an ASA HA pair with active site-to-site VPN should not require re-establishment of the VPN tunnel as the state is replicated between the units. (assuming you have a failover state interface configured)

Re: Cisco ASA IPSEC VPN

Raj Sh — Tue, 18 May 2021 04:48:42 GMT

Thank you for your response Marvin,

I want to have an Active - Active setup between 2 buildings within same campus.

ISP1 on FW1

ISP2 on FW2

Context Office1 active on FW1 standby on FW2

Context Office2 active on FW2 Standby on FW1

Both context has site to site IPSEC to same headend HQ and remote offices

And i want statefull failover of S2S IPSEC tunnel

The reason for my confusion is below statement

I found this under High availability options - > Frequently Asked Questions About VPN Load Balancing in the below link.

Multiple Context Mode
Q.Is VPN load balancing supported in multiple context mode?
A.Neither VPN load balancing nor stateful failover is supported in multiple context mode

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ha.html

Re: Cisco ASA IPSEC VPN

Marvin Rhoads — Tue, 18 May 2021 08:25:18 GMT

Ah OK. since you have multiple context (seen on <5% of the hundreds of ASAs I have worked on) then, no - stateful failover is not supported for the site-to-site VPNs since "IPsec VPN sessions are replicated in Active/Standby failover configurations only." (yours is "Active-Active" in Cisco terms)