
Welcome to Cisco Firewalls Community


Beginner

ASA Cluster site-to-site VPN

Hi,

I have 2 ASA firewalls in 2 DCs and I want to upgrade them to cluster the 4 firewalls into 1 logical firewall.

My question is about site-to-site VPN.

1- The master will handle the site-to-site VPNs, but if the master firewall fails, then a new master firewall will be re-elected. Will the site-to-site VPN connections then be automatically reconnected at the new master firewall or not?

2- In case it needs to be manually reconnected, does it mean that I will need to put configuration on the new master firewall after the old firewall has failed?

3- Which kind of site-to-site VPN will I be able to do with ASA clustering:

- DMVPN?

- IPSEC VPN?

- Both?

Thank you very much for your time and attention.

Regards,

J

 

 

VIP Mentor

Again based on the documentation, the cluster members share a single config and centralized features have to reestablish on the new master after the original one fails.

For your question 3): The ASA doesn't support DMVPN at all. You have to use pure IPsec or handle site-to-site VPNs on a device that has better capabilities, like ISR G2 or ASR.

Beginner

Hi Karsten,

thanks for the reply. Sorry that I have limited English skills, just to verify I understood correctly.

You mean that if the master fails I will need to go to the new master firewall and configure the site-to-site tunnel?

Thanks

J

VIP Mentor (Accepted Solution)

No, when all units share a single config (as stated in the documentation), then all ASAs in the cluster have the config for the VPN. With that, the new master should be able to build the VPN again without any manual tasks.

Beginner

Thanks a lot Karsten for the explanation, now I understood.

Regards,

J
