VPN failover config on VPN client

mahesh18
Level 6

Hi Everyone,

Is it good practice to configure VPN failover on the client rather than on the VPN gateway itself?

Are there any advantages or disadvantages of this?

Regards

Mahesh


Jouni Forss
VIP Alumni

Hi Mahesh,

Do you mean situations where

  • You have a Failover pair of ASAs as VPN devices (or perhaps some router platform) to provide redundancy for VPN users
  • You have multiple different ASAs acting as VPN devices but they are not Failover pairs. The VPN Clients then have multiple peer IP addresses to which to connect in case the other VPN platform fails

Personally I am more familiar with setting up a Failover pair of ASAs as the VPN device, but nowadays it is more and more rare that you get to set up a completely new ASA setup (since customers would rather take the cheaper solution than have their own VPN device).

To my understanding the other setup used (not sure how common it is) is when you have multiple VPN devices that are not connected with Failover but rather use Dynamic Routing with RRI (Reverse Route Injection) to install the route for the VPN Client IP on the device to which the host ends up connecting.

I would say that the Failover pair setup is simpler to configure and manage and probably involves a lot less work to set up compared to the other setup, which would require that you run Dynamic Routing in the whole connected network so that the VPN Client's IP is advertised correctly no matter which VPN device the host connects to.

Naturally the Failover pair is harder to set up with ASAs in different locations unless your ISP can provide this connectivity between sites. Naturally the devices can also be at the same location, which isn't always the ideal situation (power outages, both devices might break down due to some problem at that DC/location).

Sadly I have not really set up that many VPN devices as most of my work relates to basic firewalling. So you could probably wait for someone else to give you some more specific information and experiences with such environments. We have our certain VPN environments in use and once they have been set up we rarely have the need to set up new VPN/Firewall platforms unless it's customer specific.

- Jouni

Hi Jouni,

Do you mean situations where

  • You have a Failover pair of ASAs as VPN devices (or perhaps some router platform) to provide redundancy for VPN users
  • You have multiple different ASAs acting as VPN devices but they are not Failover pairs. The VPN Clients then have multiple peer IP addresses to which to connect in case the other VPN platform fails
  • Yes, the above is all true.

We have 2 ASAs at different sites. They are both VPN ASAs.

The Client PC is configured with the IPs of both ASAs, and if one ASA is down then the Client can use the other ASA to connect to the Corp Network.

All the config for failover is on the Client PC.

Will wait to see if another expert puts more info on this.

Regards

Mahesh
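The two ideas in this thread, the client holding an ordered list of peers (Mahesh's setup) and RRI plus dynamic routing so the network learns which ASA the client landed on (Jouni's description), can be combined on two stand-alone ASAs. The fragment below is an added example written for this thread, not configuration posted by either participant; every hostname, address (203.0.113.0/24 and 10.0.0.0/8 ranges), pool name, group-policy name and crypto-map name is a constructed placeholder. It assumes the remote clients are the Cisco IPsec VPN client, which is what the group-policy backup-servers attribute is delivered to.

```text
! Added example, not from the thread. Same fragment applied on BOTH
! stand-alone ASAs (vpn-a at site A, vpn-b at site B); placeholder values.
!
! 1. Client-side failover, managed centrally: the group policy pushes the
!    ordered peer list to the client on each successful connection, so the
!    list does not have to be hand-maintained on every PC. List order is
!    the try order. Put the other site's ASA second on each box.
group-policy RA-VPN-GP attributes
 backup-servers 203.0.113.10 203.0.113.20
 address-pools value RA-VPN-POOL

! Use a DIFFERENT pool on each ASA (this one is vpn-a's), otherwise the
! same client /32 could be announced from both sites.
ip local pool RA-VPN-POOL 10.200.1.1-10.200.1.254 mask 255.255.255.0

! 2. Reverse Route Injection: when a client lands on this ASA, a static
!    route for its assigned /32 is installed on THIS ASA only.
crypto dynamic-map RA-DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN-MAP
crypto map OUTSIDE-MAP interface outside

! 3. Dynamic routing carries the injected /32 into the corporate network,
!    so return traffic goes to the ASA the client actually connected to,
!    whichever site that is.
router ospf 1
 network 10.1.0.0 255.255.255.0 area 0
 redistribute static subnets

! Verification (show commands, not configuration): after a client
! connects to vpn-a, expect its /32 as a static route on vpn-a and as an
! OSPF external route on the inside routers and on vpn-b.
! vpn-a# show route | include 10.200.1.
! vpn-b# show route | include 10.200.1.
```

Two caveats worth checking in such a setup. First, because the two ASAs are not a failover pair, nothing is synchronised between them: a switch to the second peer is a brand-new tunnel, and the user re-authenticates and gets a new address from the other site's pool. Second, the pushed backup list only reaches a client that has connected successfully at least once, so the very first install still needs both peers entered locally, and the client must actually detect a dead peer (DPD on, sensible timers) before it tries the next one, otherwise a hung primary simply looks like a slow VPN.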
