we want to deploy four firewalls in cluster in individual interfaces mode. Because we are using individual interfaces mode each interface will have a different IP address.
As the site-to-site VPN is a non-cluster feature, VPN traffic will only be managed by the Master of the cluster.
If the Master switch fails, the IP address of the interface of the new Master will be different, how can the site-to-site VPN recover in the new master Switch?
Which other option I would have to achieve this setup? there is no virtual interface? like a master virtual IP? or any kind of loopback interface?
Thanks a lot.
I am pretty confused with the term cluster here....
If you are going to use ASA as an standalone.... then on the other site end you can mention like this in your crypto map configs... so that ASA1 to 4 with different peer ip address can be connected using this command line.... i am sure for dual wan it works well... i am not sure for the quadra WAN here....
crypto map test 20 set peer 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
Dual WAN Site to Site:
thanks for the answer I will need to think about it.
from the ASA modes:
- CLuster (since 9.0 ASA) --> this is my cluster. Mine is between DCs inter-site cluster so since 9.1
Do you think it will work in my scenario?
thanks a lot.
that command looks very good for the solution I am looking for. My big question with the ASA cluster is if all the VPNs will be UP or only the VPN pointing the Master unit will be UP...
But even if the 4th links are UP, the traffic will always go from left to right to the first available peer, right?
There is no need for ip SLA to know that the other ASA is down? How it monitors if the first IP was down and then it got back UP? It is preemptive?
thanks a lot.
Can you update your sample design how the site to site is connected for you? so that i can suggest for a solution....
yes in that blog ip sla is missing, i will add in the same blog....