ASA Cluster site-to-site VPN

Jordi Benet
Level 1

Hi,

I have 2 ASA firewalls in 2 DCs and I want to upgrade them to cluster the 4 firewalls into 1 logical firewall.

My question is about site-to-site VPN.

1- The master will handle the site-to-site VPNs, but if the master firewall fails, then a new master firewall will be re-elected. Will the site-to-site VPN connections then be automatically reconnected on the new master firewall, or not?

2- In case they need to be manually reconnected, does it mean that I will need to put configuration on the new master firewall after the old firewall failed?

3- Which kind of site-to-site VPN will I be able to do with ASA clustering:

- DMVPN?

- IPsec VPN?

- Both?

Thank you very much for your time and attention.

Regards,

J


Again based on the documentation, the cluster members share a single config, and centralized features have to re-establish on the new master after the original one fails.

For your question 3): The ASA doesn't support DMVPN at all. You have to use pure IPsec or handle site-to-site VPNs on a device that has better capabilities, like an ISR G2 or ASR.

Hi Karsten,

thanks for the reply. Sorry that I have limited English skills; just to verify that I understood correctly.

You mean that if the master fails I will need to go to the new master firewall and configure the site-to-site tunnel?

Thanks

J

No, when all units share a single config (as stated in the documentation), then all ASAs in the cluster have the config for the VPN. With that, the new master should be able to build the VPN again without any manual tasks.

Thanks a lot Karsten for the explanation, now I understood.

Regards,

J
