02-24-2020 06:00 PM
Hello,
I currently have a 2110 running the ASA image. It's used for AnyConnect only. I have 1 arm on the outside (connected through a L2 switch) and 1 arm on the inside (connected through a L2 switch). I bought another 2110 and plan to put the ASA image on it and cluster it with my current ASA. Can anyone point me to good documentation around setting this up? I found some good documentation, but it only seems to be for when connecting to Nexus cores using vPCs and not regular port-channels to a 3750 switch, for example. Also, none of the documents seem to point to being able to use the cluster control link via a direct connection between the 2 ASAs; instead it must go through a switch. Is it not possible to build the cluster control link by directly connecting cables from one ASA to the other ASA?
03-08-2020 09:05 PM
Don't cluster. Instead, just set up simple ASA Active/Standby High Availability (HA). This advice applies to ASA on ASA appliance, ASA on Firepower appliance, or even FTD on Firepower appliance scenarios. Clustering generally only makes sense when you are running more than two appliances to gain the increased throughput of a cluster.
No multiple contexts are required. No CCL required, no restriction on inside and outside switches, much easier to set up, and it works perfectly.
SSL VPN sessions will be synced between the Active and Standby units, and if the Active unit fails, clients will seamlessly be handled by the former Standby unit (newly Active).
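An added example of the Active/Standby setup described in this answer, written for two 2110s in single-context routed mode; it is not configuration from the poster. Interface names, addresses, the physical failover port (Ethernet1/8, cabled directly between the two units) and the failover key are all assumed values.

```cisco
! ===== Primary unit =====
! Data interfaces carry an active and a standby address so the peer can take over the active IP.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0 standby 198.51.100.3
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0 standby 10.0.0.3
!
! Dedicated failover link; the same link also carries state (VPN session) replication.
interface Ethernet1/8
 description Failover and state link, direct cable to the peer unit
 no shutdown
!
failover lan unit primary
failover lan interface folink Ethernet1/8
failover link folink
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret (constructed value) so failover messages on the link are authenticated and encrypted.
failover key FoLinkSecret2020
failover
!
! ===== Secondary unit (minimal bootstrap; the rest of the config is replicated from the primary) =====
interface Ethernet1/8
 no shutdown
!
failover lan unit secondary
failover lan interface folink Ethernet1/8
failover link folink
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FoLinkSecret2020
failover
!
! Checks after both units are up:
!   show failover                    -> both units listed, state link "Stateful Failover Logical Update Statistics" active
!   show vpn-sessiondb anyconnect    -> same AnyConnect sessions visible on the standby unit
```

The failover link carries the full session state, so keep it on a dedicated port and out of any user-reachable VLAN.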
04-07-2020 12:01 PM
You set the priority on one of the ASAs to be the master and it will redirect the traffic to the other devices. It does this because the master will monitor the workload on the other devices and divide up the connections based on the feedback from the other servers in the cluster.
Thank you. I'm running an ASA image on the 2110s though, not FTD. Is this still the case?
Thank you. I'm not doing FTD on the 2110, I'm doing ASA image.
Yes, I think it's necessary. I only have 1 VPN and if it fails, I lose all my clients. So I need to build some sort of redundancy in case my ASA VPN fails.
03-08-2020 11:56 AM
Thank you very much, and sorry for the late reply. One thing I'm confused about is, since my ASA right now is just a single context, I would purchase the second ASA and make them both into dual context for a total of 4 contexts. What new context do I make? So I guess I'm wondering if all these contexts would be the same config?
03-08-2020 12:28 PM
I don't believe active/active would be possible in my scenario. The way I understand it now is that when you have 2 contexts, you can have one ASA be primary for context1 while the other physical ASA is secondary for context1, while the other ASA is primary for context2 and the first ASA is secondary for context2. If you have only 1 context (the AnyConnect VPN server), then you can't have another of the same server be active, so it would have to be configured as active/standby, correct?
03-10-2020 01:33 PM
Thanks, Marv. Yeah, it looks like for my setup an Active/Standby is the only possible way.
04-07-2020 10:52 AM
Why wouldn't you want to run VPN Load Balancing? This is NOT the same as clustering or firewall Active/Standby. In this scenario you would just enable VPN Load Balancing and run each 2100 (on ASA code) as a separate VPN server, then use the CLI or ASDM to create a VPN Load Balancing pair. The technology has been around forever, and here is an older link describing how to configure it.
In this manner, you can have N+1 or have both servers up at the same time. This would provide more throughput capacity so long as you never exceed the 750 user limit (if you only have two boxes). I am seeing more strain on bandwidth right now than I am on user counts.
04-07-2020 11:09 AM
Thank you for bringing this up, because Active/Standby will not suffice in my scenario: I need to LB the connections because work from home is growing.
I have 1 question that is not stated in the article. Our VPN DNS name, vpn.xxx.com, resolves to 1 IP address, so when a user connects to our VPN how does this connection get LB'd to the other box? They both have different IPs, so I'm not sure how the LB'ing works here.
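An added example of the ASA VPN Load Balancing configuration the earlier reply refers to, for a pair of 2110s on ASA code; it is not from any poster or from the linked article. Interface names, the virtual cluster address, the member addresses and the cluster key are assumed values. The virtual cluster address (cluster ip address) is the single IP the VPN FQDN resolves to; the member elected master answers on it and redirects each new client to the member it selects, which is why each unit still keeps its own distinct outside address.

```cisco
! ===== Unit 1 (outside 198.51.100.2) =====
! Each unit is a stand-alone AnyConnect server with its own outside IP in the same subnet.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
vpn load-balancing
 ! Interfaces the group uses for client-facing and member-to-member traffic.
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual address shared by the group; point vpn.xxx.com at this IP, not at a member address.
 cluster ip address 198.51.100.10
 cluster port 9023
 ! Shared secret (constructed value); enable encryption so load reports between members are protected.
 cluster key LbGroupSecret2020
 cluster encryption
 ! Higher priority makes this unit the preferred master (1-10).
 priority 10
 ! Redirect clients to a member's FQDN instead of its bare IP so the server certificate still matches.
 redirect-fqdn enable
 participate
!
! ===== Unit 2 (outside 198.51.100.3) =====
! Same group settings; only the data-interface addresses and the priority differ.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 198.51.100.3 255.255.255.0
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 198.51.100.10
 cluster port 9023
 cluster key LbGroupSecret2020
 cluster encryption
 priority 5
 redirect-fqdn enable
 participate
!
! Check: show vpn load-balancing  -> lists both members, their roles (master/backup) and current load
```

With redirect-fqdn, each member needs a reverse DNS entry for its own outside address and a certificate covering both the group FQDN and the member names, otherwise clients see a certificate mismatch after the redirect.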