Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1875
Views
0
Helpful
4
Replies

ASA Cluster site-to-site VPN

Go to solution
Jordi Benet
Level 1
Level 1

‎03-16-2014 04:56 AM - edited ‎03-11-2019 08:57 PM

Hi,

I have 2 ASA firewalls in 2 DCs and I want to upgrade them to cluster the 4 firewalls into 1 logical firewall.

My question is about site-to-site VPN.

1- The master will handle the site-to-site VPNs,  but if the master firewalls fails, then a new master firewall will be re-elected and then the site-to-site VPN connections will be automatically reconnected at the new master firewall or not?

2- In case it needs to be manually reconnected it means that I will need to put configuration on the new master firewall after the old firewall failed?

3- Which kind of Site-to-site VPN I will be able to do with ASA clustering:

 -DWVPN?

- IPSEC VPN?

- Both?

Thank you very much for your time and attention.

Regards,

J

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to Jordi Benet

‎03-16-2014 06:01 AM

No, when all units share a single config (as stated in the documentation), then all ASAs in the cluster have the config for the VPN. With that, the new master should be able to build the VPN again without any manual tasks.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎03-16-2014 05:33 AM

Again based on the documentation, the cluster members share a single config and centralized features have to reastablish on the new master after the original one fails.

For you question 3): The ASA doesn't support DMVPN at all. You have to use pure IPSec or handle Site-to-Site VPNs on a device that has better capabilities like ISR G2 or ASR.

0 Helpful

Go to solution
Jordi Benet
Level 1
Level 1
In response to Karsten Iwen

‎03-16-2014 05:39 AM

Hi Karsten,

thanks for te reply. Sorry that I have limited english skills, just to verify I understood correctly.

You mean that if the master fails I will need to go to the new master firewall and configure the site-to-site tunnel?

Thanks

J

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Jordi Benet

‎03-16-2014 06:01 AM

No, when all units share a single config (as stated in the documentation), then all ASAs in the cluster have the config for the VPN. With that, the new master should be able to build the VPN again without any manual tasks.

0 Helpful

Go to solution
Jordi Benet
Level 1
Level 1
In response to Karsten Iwen

‎03-16-2014 06:04 AM

Thanks a lot Karsten for the explanation, now I understood.

Regards,

J

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card