Solved: Re: Cisco Fpr2130-Asa-k9 cluster for VPN SSL And Site to site VPN

ifabrizio · ‎03-31-2020

Dear All,

I am plannig to cluster two Cisco FPR2130-asa-k9 to maximize the througtput for my remote VPN users(Anyconnect).

Is it possible? I see that old Asa5520 with 9.1 doesn't support vpn if cluster is in place.

BR,

JF.

Marvin Rhoads · ‎03-31-2020

Clustering is not supported on Firepower 2130 appliances running ASA image.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/ha-cluster.html#ID-2170-00000361

View solution in original post

ifabrizio · ‎04-01-2020

Hi Cristian,

Thanks for your quick reply.

So also create a cluster should be possible, to perform VPN load balance?

View solution in original post

Cristian Matei · ‎04-02-2020

Hi,

ASA Clustering is not supported on that specific HW, the 2100 series. VPN Load Balancing is supported. Here's some references to guide you:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68328-remotevpn-loadbal-asa.html

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118078-technote-vpn-00.html

https://community.cisco.com/t5/security-documents/asa-vpn-load-balancing-clustering-with-digital-certificates/ta-p/3116616

Regards,

Cristian Matei.

View solution in original post

Cristian Matei · ‎03-31-2020

Hi,

1. Are you speaking about Clustering for High Availability or about VPN Load Balancing?

2. Are you speaking about S2S VPN's or remote access VPN's?

Regards,

Cristian Matei.

Marvin Rhoads · ‎03-31-2020

Clustering is not supported on Firepower 2130 appliances running ASA image.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/general/asa-913-general-config/ha-cluster.html#ID-2170-00000361

ifabrizio · ‎03-31-2020

Thanks Marvin,

There are another way to load balance remote users VPN on the two 2130?

Cristian Matei · ‎04-01-2020

VPN Load Balancing.

Marvin Rhoads · ‎04-01-2020

Like @Cristian Matei said, VPN load balancing is the most common method for appliances with ASA image. (It's not supported on FTD image.)

Another method is round robin DNS.

If you have a load balancer or "application delivery controller (ADC)" like Citrix Netscaler or F5 BigIP you may be able to put your ASAs behind it and to load balancing on the ADC.

Also, depending on your deployment, Optimal Gateway Selection (OGS) is a potential option. That one is usually for organizations with their ASAs spread out in different locations geographically.

Cristian Matei · ‎04-01-2020

Hi,

@Marvin Rhoads Thanks for the additional solutions. As a general fact (from experience with OGS), unless you really have geographically dispersed VPN gateways (in which case OGS becomes an option to be considered), VPN Load Balancing is a much simpler and more functional/stable solution, with less headaches.

Regards,

Cristian Matei.

ifabrizio · ‎04-01-2020

Hi Marvin,

Ok it is clear for me thank you.

But the 2130 that I own do not has a FTD Image, they are Fpr2130-Asa-k9 so ,should have "standard" Asa Image, is it true?

Bye

Igor.

Cristian Matei · ‎04-01-2020

Hi,

Correct, you run ASA on the 2100 HW. And all presented options are valid: VPN load balancing (configuration performed on the ASA), DNS based balancing (you would need a balancer in front of your ASA's), AnyConnect OGS (AnyConnect decides on which ASA will terminate the session).

Regards,

Cristian Matei.