Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1862
Views
8
Helpful
3
Replies

Anyconnect VPN with Multicontext

Hemant Bharati
Cisco Employee
Cisco Employee

‎12-02-2016 01:08 AM

I am working on a solution where requirement is Remote Access VPN Service for Multiple customers over Shared Infrastructure.

ASA multi Context with Remote-Access VPN solution fits best into this requirement , can anyone help me on below queries

  1. Which ASA model will be best for this per context requirement 1000 clients and scale to 2000 clients i.e total 2kx5 customer = 10000.
  2. Multi context Anyconnect numbers  for ASA 5585 with SSP-20 matches number of 10k, but what is the per context limit ?
  3. Any Caveats to be considered in this type of Shared infra solution.

Multicontext Anyconnect VPN

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html

Labels:
3 Replies 3

pcarco
Cisco Employee
Cisco Employee

‎12-05-2016 08:37 AM

Hello,

In regards to the "Any Caveats to be considered in this type of Shared infra solution" question  I am the AnyConnect TME and I just wanted to make sure you are aware of the current limitations of using Multi-Context with AnyConnect.  If Posture Assessment either on the ASA with Hostscan or via the ISE posture module is a requirement then this is not the correct solution yet. 

I am going to tag a TME from the ASA group to help you with sizing but the published data sheets should also help you along. .

@nandakum  for further comment on ASA sizing and future MC support for remote access

Unsupported Features

  • IKEv2, IKEv1
  • Stateful Failover
  • Flash virtualization
  • AnyConnect image configuration per context
  • WebLaunch
  • Client profile download
  • DAP and CoA
  • CSD/Hostscan
  • VPN Load-balancing
  • Username-from-certificate and prefill-username
  • Customization/Localization

See this document.

ASA: Multi-Context Mode Remote-Access (AnyConnect) VPN - Cisco

In example below.

Note: ASA5585 offers 10,000 maximum Cisco AnyConnect user sessions and in this example 4000 Cisco AnyConnect user session is allocated per context.

Muhammad Munir
Level 5
Level 5

‎12-20-2016 08:54 AM

Hi Bharati

Just to add some minor information here. You can also deploy ASA 5585 with SSP-40, which also supports 10000 Site - to - site VPN along with greater capacity features than SSP-20.

0 Helpful

Hemant Bharati
Cisco Employee
Cisco Employee
In response to Muhammad Munir

‎12-20-2016 07:00 PM

For this solution , the ASA will work in Active-Standby or Active-Active mode ?  How to achieve site level redundancy here ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card