07-09-2012 05:41 AM - edited 03-11-2019 04:28 PM
Hi All,
I have a question as well as a problem. I want to set up HA for an ASA5510. I wanted to design the network to achieve HA. I am attaching the present set-up of the network. At present, I have 2 ISP connections terminating in the ASA5510. The configuration is done for failover in the ASA5510.
I have another ASA5510 and want to use it for HA. I needed to know the design for the set-up. I want a stateless failover since the amount of traffic is less. I don't have any ISP routers in the present network. I suppose I need 2 routers for HA and a couple of switches.
One more question: as there are SSL VPN users, is there any way for the users to not get disconnected when one device fails?
I am very much waiting for your reply and I thank you in advance.
Regards,
Prashant K
07-09-2012 05:50 AM
You don't need any supporting devices for HA on the ASA. If you have the SecPlus license, then you can activate Active/Standby Failover and the functionality you have now will work the same as before. Of course you need more switchports because there are now three interfaces more to connect.
And you should use stateful failover where most of the VPN session state is replicated to the standby ASA. There your users won't be disconnected.
07-09-2012 05:54 AM
Hi Karsten,
Thanks for your reply. Can you provide a design for this network?
Regards,
Prashant K
07-09-2012 08:39 AM
After reading your message again it's not clear to me: Do you already have failover deployed or are you planning for the deployment?
07-09-2012 08:50 AM
Hi Karsten,
I still haven't deployed it. I am planning to deploy it. I have attached 2 proposed topologies (LAN Pool and WAN Pool). Kindly let me know your feedback on this.
Regards,
Prashant K
07-09-2012 09:08 AM
OK, then start with the following document:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html
First implement stateful Active/Standby failover as described in the config guide. With that you have the ASA High Availability and your VPN sessions are also replicated.
As a second step you could extend your setup with the WAN-Routers to use both ISPs simultaneously. But be aware that this needs a more complex configuration with policy-based routing. You need to ensure that the traffic always leaves through the ISP where the traffic also entered the network.
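A minimal stateful Active/Standby configuration of the kind recommended in the replies above, added here as an illustration and not taken from the thread or from the linked guide. The interface numbers, the `FOLINK` name, all addresses and the key are constructed placeholders.

```text
! Added example. Interface names, addresses and the key are constructed placeholders.
! ---- Primary unit ----
interface Ethernet0/1
 nameif inside
 security-level 100
 ! active address first, then the address the standby unit answers on
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Ethernet0/3
 description LAN and stateful failover link
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
! pointing the state link at an interface is what makes the failover stateful
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! without a key, failover and state traffic crosses this link in clear text
failover key <SHARED-SECRET>
failover
!
! ---- Secondary unit (bootstrap only; the rest replicates from the primary) ----
interface Ethernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <SHARED-SECRET>
failover
!
! ---- Verify on either unit ----
show failover
show failover state
```

Each monitored data interface, including the two ISP-facing ones in this setup, takes a `standby` address in the same way as `inside`. Keep the failover link on an isolated VLAN or a direct cable, since it carries replicated session state.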