Cisco ASA IPSEC VPN

Raj Sh
Level 1

Hi,

Do we have support for stateful failover of a site-to-site IPsec tunnel in multi-context mode?

I have a pair of ASA 5515-X running 9.8(2).

I read the ASA document; however, it is still not clear.

 

Guidelines for IPsec VPNs

Context Mode Guidelines
Supported in single or multiple context mode. Anyconnect Apex license is required for remote-access VPN in multi-context mode. Although ASA does not specifically recognize an AnyConnect Apex license, it enforces licenses characteristics of an Apex license such as AnyConnect Premium licensed to the platform limit, AnyConnect for mobile, AnyConnect for Cisco VPN phone, and advanced endpoint assessment.

Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.

Failover Guidelines
IPsec VPN sessions are replicated in Active/Standby failover configurations only.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ike.html#ID-2441-000000bc 

3 Replies

Marvin Rhoads
Hall of Fame

Yes, failover of an ASA HA pair with active site-to-site VPN should not require re-establishment of the VPN tunnel as the state is replicated between the units. (assuming you have a failover state interface configured)

Thank you for your response, Marvin.

I want to have an Active-Active setup between two buildings within the same campus.

ISP1 on FW1

ISP2 on FW2

Context Office1 active on FW1, standby on FW2

Context Office2 active on FW2, standby on FW1

Both contexts have site-to-site IPsec to the same headend HQ and remote offices.

And I want stateful failover of the S2S IPsec tunnel.


The reason for my confusion is the statement below.

I found this under High Availability Options -> Frequently Asked Questions About VPN Load Balancing in the link below.

Multiple Context Mode
Q. Is VPN load balancing supported in multiple context mode?
A. Neither VPN load balancing nor stateful failover is supported in multiple context mode.


https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-ha.html 

Ah OK. since you have multiple context (seen on <5% of the hundreds of ASAs I have worked on) then, no - stateful failover is not supported for the site-to-site VPNs since "IPsec VPN sessions are replicated in Active/Standby failover configurations only." (yours is "Active-Active" in Cisco terms)
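As an added example (not part of this thread and not Cisco code), the check below applies the rule quoted in the accepted answer to the output of two ASA commands: it classifies `show failover` as Active/Standby or Active/Active (failover groups only appear in Active/Active), looks for a configured stateful link, reads the context mode from `show mode`, and reports whether site-to-site IPsec session state will be replicated to the peer. The two `show failover` dumps are constructed to approximate the real layout; the exact field names and spacing are an assumption and may differ between releases, so adjust the regular expressions against your own unit before relying on the result.

```python
import re
from typing import Optional

# Constructed sample output approximating the ASA "show failover" format
# (assumption: layout varies by release; these were not captured from a device).
SHOW_FAILOVER_ACTIVE_STANDBY = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Version: Ours 9.8(2), Mate 9.8(2)
Last Failover at: 10:21:03 UTC Jan 5 2019
        This host: Primary - Active
        Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
        Link : folink GigabitEthernet0/2 (up)
"""

# Constructed multiple-context Active/Active sample: two failover groups,
# each active on a different unit, and no stateful link configured.
SHOW_FAILOVER_ACTIVE_ACTIVE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Group 1 last failover at: 10:21:03 UTC Jan 5 2019
Group 2 last failover at: 10:21:05 UTC Jan 5 2019
        This host:    Primary
        Group 1       State:          Active
        Group 2       State:          Standby Ready
        Other host:   Secondary
        Group 1       State:          Standby Ready
        Group 2       State:          Active
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# "show mode" prints one line naming the security context mode.
SHOW_MODE_SINGLE = "Security context mode: single"
SHOW_MODE_MULTIPLE = "Security context mode: multiple"


def failover_mode(show_failover: str) -> str:
    """Return 'off', 'active/standby' or 'active/active'.

    Failover groups ("Group 1 ...") exist only in Active/Active failover,
    which in turn is only possible in multiple-context mode.
    """
    if not re.search(r"^Failover On\b", show_failover, re.M):
        return "off"
    if re.search(r"^\s*Group \d+\b", show_failover, re.M):
        return "active/active"
    return "active/standby"


def stateful_link(show_failover: str) -> Optional[str]:
    """Return the stateful failover link description, or None if unconfigured."""
    m = re.search(r"^\s*Link\s*:\s*(.+?)\s*$", show_failover, re.M)
    if not m or m.group(1).lower().startswith("unconfigured"):
        return None
    return m.group(1)


def context_mode(show_mode: str) -> str:
    """Return 'single', 'multiple' or 'unknown' from 'show mode' output."""
    m = re.search(r"Security context mode:\s*(\w+)", show_mode)
    return m.group(1).lower() if m else "unknown"


def ipsec_state_replicated(show_failover: str, show_mode: str) -> dict:
    """Decide whether IPsec session state survives a failover.

    Rule from the ASA guideline quoted in the thread: IPsec VPN sessions are
    replicated in Active/Standby failover only, and replication needs a
    configured stateful failover link.
    """
    mode = failover_mode(show_failover)
    link = stateful_link(show_failover)
    reasons = []
    if mode == "off":
        reasons.append("failover is not enabled")
    elif mode == "active/active":
        reasons.append("Active/Active failover: IPsec sessions are not replicated")
    if link is None:
        reasons.append("no stateful failover link configured")
    return {
        "failover_mode": mode,
        "context_mode": context_mode(show_mode),
        "stateful_link": link,
        "replicated": mode == "active/standby" and link is not None,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, fo, cm in (
        ("single-context A/S", SHOW_FAILOVER_ACTIVE_STANDBY, SHOW_MODE_SINGLE),
        ("multi-context A/A", SHOW_FAILOVER_ACTIVE_ACTIVE, SHOW_MODE_MULTIPLE),
    ):
        print(label, ipsec_state_replicated(fo, cm))
```

Paste the real output of `show failover` and `show mode` from your own units in place of the constructed samples; for the setup described in the question (two contexts, each active on a different unit) the second sample is the shape to expect, and the function reports no replication.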
