DirectAccess possible with Multiple Context Mode?

a.agoudi1
Level 1

We have two Cisco ASAs at a customer site. At the moment they are in single context mode (active/passive) and thus used for failover.

We want to change this to an active/active configuration, but the problem is that we use remote access VPN. We need to find a solution for the VPN limitation before we can implement the active/active configuration. One solution is to put another firewall in the topology dedicated to the VPN connections.

The other possible solution is using DirectAccess within Windows.

I would like to know if this is supported when both ASAs are in multiple context mode. I cannot find an answer to this anywhere. Also, if someone knows this in depth, why is VPN not working in an active/active configuration? I understand the 2 ASAs will behave as one single virtual machine, but what exactly is the reason it doesn't work in multiple context mode? Also @cisco, when will remote access VPN be supported in multiple context mode?

Thanks in advance!

Accepted Solutions

Akira Muranaka
Level 8

Hello,

Unfortunately, a security context in multiple context mode (or an Act/Act pair) is not a real virtual machine such as a virtual machine on ESXi or VMware Workstation. A security context behaves as a virtual firewall, but it is not a perfect one. So it has some limitations (e.g. VPN, routing, QoS, etc.).

Multiple context mode started to support site-to-site VPN from 9.0. Therefore, Remote VPN might be supported in the future, but the latest ASA version 9.5 does not support Remote VPN. So the future of the support is unclear.

ASA9.5:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-0000015b
--------------------------------------------------------
Guidelines for Multiple Context Mode
-- snip --
Unsupported Features
Multiple context mode does not support the following features:
RIP
OSPFv3. (OSPFv2 is supported.)
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN. (Site-to-site VPN is supported.) <--- THIS
--------------------------------------------------------

I think if you migrate your ASAs to multiple context mode for Act/Act support, as you mentioned, putting in another ASA for accepting Remote VPN would be the preferred solution.
