
Re:High Availability in ASA5510

CSCO11776584
Level 1

Hi All,

I have a question as well as a problem. I want to set up HA for ASA5510. I wanted to design the network to achieve HA. I am attaching the present set-up of the network. At present, I have 2 ISP connections terminating in ASA5510. The configuration is done for failover in ASA5510.

I have another ASA5510 and want to use it for HA. I needed to know the design for the set-up. I want a stateless failover since the amount of traffic is less. I don't have any ISP routers in the present network. I suppose I need 2 routers for HA and a couple of switches.

One more question: as there are SSL VPN users, is there any way for the users to not get disconnected when one device fails?

I am very much waiting for your reply and I thank you in advance.

Regards,

Prashant K


You don't need any supporting devices for HA on the ASA. If you have the SecPlus license, then you can activate Active/Standby Failover and the functionality you have now will work the same as before. Of course you need more switchports because there are now three more interfaces to connect.

And you should use stateful failover where most of the VPN session state is replicated to the standby ASA. There your users won't be disconnected.

Hi Karsten,

Thanks for your reply. Can you provide a design for this network?

Regards,

Prashant K

After reading your message again, it's not clear to me: Do you already have failover deployed or are you planning for the deployment?

Hi Karsten,

I haven't deployed it yet. I am planning to deploy it. I have attached 2 proposed topologies (LAN Pool and WAN Pool). Kindly let me know your feedback on this.

Regards,

Prashant K

OK, then start with the following document:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html

First implement stateful Active/Standby failover as described in the config guide. With that you have the ASA High Availability and your VPN sessions are also replicated.

As a second step you could extend your setup with the WAN-Routers to use both ISPs simultaneously. But be aware that this needs a more complex configuration with policy-based routing. You need to ensure that the traffic always leaves through the ISP where the traffic also entered the network.
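
A minimal stateful Active/Standby configuration of the kind the reply above points to, as an added example that is not part of the original posts or taken from the linked guide. The interface numbers, the names `FOLINK`, `outside` and `inside`, all addresses and the key placeholder are assumptions made for illustration.

```cisco
! Constructed example for the primary unit. Ethernet0/3, the interface names
! and all IP addresses are assumptions, not values from the thread.
interface Ethernet0/3
 no shutdown
!
! Each data interface gets a standby address in the same subnet.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
! Declaring a state link is what makes the failover stateful; here it
! shares the failover link.
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Shared key: without it, the replicated configuration and session state
! cross the failover link in clear text.
failover key <shared-secret-placeholder>
failover
!
! Secondary unit: only the failover link is set by hand, the rest of the
! configuration replicates from the primary.
!   interface Ethernet0/3
!    no shutdown
!   failover lan unit secondary
!   failover lan interface FOLINK Ethernet0/3
!   failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
!   failover key <shared-secret-placeholder>
!   failover
!
! Verify on either unit:
!   show failover
```

Keep the failover link on a dedicated interface or an isolated VLAN, since it carries the full configuration including VPN pre-shared keys.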
