We have two 5516's in HA at the moment in our data center that are now nothing more than a VPN concentrator. We have resources in both the DC and in our HQ office.
I've been instructed to break the fail-over and bring the secondary to the HQ office. This is so we can use things like Optimal Gateway Selection for the AnyConnect Clients.
My questions to you is, is it worth it? Geographically, we're talking a 30min drive between the 2 locations. I just feel like that is adding complexity for when something does go wrong and I'm also going to have to get additional licenses, new certificates for a FQDN, which sort of feels unnecessary for just an additional tunnel. At the same time, its adding another tunnel to our clients as opposed to just having two ASA's in the same location
Just was curious what you thought about that, and if anyone's had a similar experience. If you think I should break the pair, anything I should be weary of?
Thanks for your time!
its all depends on how business instructing to do.
A couple of questions :
1. you break the cluster - bring back to HQ and join the Cluster or they Operate in standalone mode?
2. Then you need to tell the risk if one fails - all the connections lost and they need to re-connect back to other devices you thinking to set up if this is acceptable, then its all business decision.
- Use show cluster interface-mode to check the current mode
- Use no cluster interface-mode to return to standalone mode.
make sure you take the backup configuration out of the box, do the cluster break-in maintenance mode?
Thanks for the reply, Balaji.
So currently, our ASA's are not in a cluster as shown by the results from the command:
no cluster interface-mode
The original intention was to make them both stand-alone ASAs. That is interesting though. So I could remove the fail-over, bring the standby ASA to the HQ office, configure it for the new environment, and setup the cluster, correct? Would this still give me the ability to have 2 AnyConnect tunnels? With a cluster, do I still need to have separate licensing like I would with having 2 stand-alone ASAs? Are there drawbacks to having them in a cluster?
The main goal from management was to have redundant tunnels in the unlikely event the DC goes down.
check show failover command and see is this configured active /standby mode?
sure once it confirmed they are not in the HA
Login to the device and check any VPN connection or any activity, if nothing you see, turn off the device, and check with your colleagues all ok before you unmount the device and taking off from DC.
Setup the device as fresh node and start using whatever requirement. License yes you need to look that.
Yes, sorry. It's in active/standby mode.
I was planning on breaking that and just having those 2 in standalone, but if having them in a cluster makes more sense, I would do that.
Ok, I will also look to mirror the licenses from the active ASA and add them to the old standby.