01-13-2014 07:46 AM - edited 03-11-2019 08:29 PM
Hi Everyone,
Is it good practice to configure VPN failover on the client rather than on the VPN gateway itself?
Are there any advantages or disadvantages of this?
Regards
MAhesh
01-13-2014 08:08 AM
Hi Mahesh,
Do you mean situations where
Personally I am more familiar with setting up a Failover pair of ASAs as the VPN device, but nowadays it is more and more rare that you get to set up a completely new ASA setup. (Since customers would rather take the cheaper solution than have their own VPN device.)
To my understanding, the other setup used (not sure how common it is) is when you have multiple VPN devices that are not connected with Failover but rather use Dynamic Routing with RRI (Reverse Route Injection) to install the route for the VPN Client IP on the device to which the host ends up connecting.
I would say that the Failover pair setup is simpler to configure and manage and probably involves a lot less work to set up compared to the other setup, which would require that you run Dynamic Routing in the whole connected network so that the VPN Client's IP is advertised correctly no matter which VPN device the host connects to.
Naturally the Failover pair is harder to set up with ASAs in different locations unless your ISP can provide this connectivity between sites. Naturally the devices can also be at the same location, which isn't always the ideal situation (power outages, both devices might break down due to some problems at that DC/location).
Sadly I have not really set up that many VPN devices, as most of my work relates to basic firewalling. So you could probably wait for someone else to give you some more specific information and experiences with such environments. We have our certain VPN environments in use, and once they have been set up we rarely have the need to set up new VPN/Firewall platforms unless it's customer specific.
- Jouni
01-13-2014 08:44 AM
Hi Jouni,
Do you mean situations where
We have 2 ASAs at different sites. They are both VPN ASAs.
The client PC is configured with the IPs of both ASAs, and if one ASA is down then the client can use the other ASA to connect to the Corp Network.
All the config for failover is on the client PC.
Will wait to see if another expert adds more info on this.
Regards
MAhesh