07-28-2014 07:56 AM - edited 03-11-2019 09:32 PM
Hi,
We want to deploy four firewalls in a cluster in individual-interface mode. Because we are using individual-interface mode, each interface will have a different IP address.
As the site-to-site VPN is a non-cluster feature, VPN traffic will only be managed by the master of the cluster.
If the master switch fails, the IP address of the interface of the new master will be different; how can the site-to-site VPN recover on the new master switch?
Which other option would I have to achieve this setup? Is there no virtual interface, like a master virtual IP, or any kind of loopback interface?
Thanks a lot.
Regards,
J
07-28-2014 11:13 AM
Hi Jordi,
I am pretty confused by the term "cluster" here.
If you are going to use the ASA as a standalone, then on the other site's end you can configure it like this in your crypto map, so that ASA1 to ASA4 with different peer IP addresses can be connected using this command line. I am sure it works well for dual WAN; I am not sure about quad WAN here.
crypto map test 20 set peer 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
Dual WAN Site to Site:
http://cuckoonetworks.blogspot.in/
Regards
Karthik
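Karthik's multi-peer crypto map line, filled out into a complete remote-site (non-cluster end) configuration as an added example. This is not configuration taken from the thread or from the linked blog. The map name `test` and the four peer addresses 1.1.1.1 through 4.4.4.4 are from the post above; the interface name, ACL, IKE policy, transform set, pre-shared key and subnets are assumptions for illustration. Since the thread asks how the remote ASA notices that a peer is down, each tunnel-group carries `isakmp keepalive` (dead peer detection), so a failed peer is detected and the ASA can move on to the next address in the `set peer` list.

```text
! Remote-site ASA, non-cluster end. Added example; names, ACL, policy,
! transform set and key are assumptions, not the poster's configuration.
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: assumed local LAN to assumed DC range.
access-list VPN-TO-DC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
!
! One crypto map entry listing all four cluster members as peers
! (peer addresses as given in Karthik's post).
crypto map test 20 match address VPN-TO-DC
crypto map test 20 set peer 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
crypto map test 20 set ikev1 transform-set TS-AES256-SHA
crypto map test interface outside
!
! A tunnel-group per peer address. The keepalive line enables dead peer
! detection: probe after 10 s idle, retry every 2 s, then declare the
! peer dead so the next address in the set peer list can be tried.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key ChangeMeStrongKey
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key ChangeMeStrongKey
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key ChangeMeStrongKey
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
 ikev1 pre-shared-key ChangeMeStrongKey
 isakmp keepalive threshold 10 retry 2
```

The pre-shared key is a placeholder; use a distinct, strong key per peer in practice, and keep the same IKE policy, transform set and interesting-traffic ACL on the cluster side so that whichever member currently holds the VPN can negotiate with this entry.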
07-28-2014 11:17 AM
Hi Karthik,
thanks for the answer I will need to think about it.
from the ASA modes:
- Active/Passive
- Active/Active
- Cluster (since ASA 9.0) --> this is my cluster. Mine is an inter-site cluster between DCs, so since 9.1.
Do you think it will work in my scenario?
thanks a lot.
Regards,
Jordi
07-28-2014 11:40 AM
Hi Karthik,
That command looks very good for the solution I am looking for. My big question with the ASA cluster is whether all the VPNs will be up or only the VPN pointing to the master unit will be up.
But even if the four links are up, the traffic will always go from left to right to the first available peer, right?
Is there no need for IP SLA to know that the other ASA is down? How does it monitor whether the first IP went down and then came back up? Is it preemptive?
thanks a lot.
Regards,
J
07-28-2014 08:59 PM
Hi,
Can you share your sample design of how the site-to-site is connected for you, so that I can suggest a solution?
Yes, IP SLA is missing from that blog; I will add it to the same blog.
Regards
Karthik