06-12-2008 09:53 PM - edited 03-11-2019 05:58 AM
Hi Guys,
We are planning to deploy ASA 5520 in Active/Standby mode to serve our firewall requirements. At the same time, the same ASAs are also required to handle remote access VPN using IPsec. Is it possible to configure VPN load balancing (VCA) in Active/Standby mode, or do I need two independent ASAs/firewalls to do VPN load balancing?
Many thanks in advance. Cheers,
Raj
06-13-2008 12:50 AM
06-13-2008 01:02 AM
The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.
So in your case, VPN load balancing is not possible in Active/Standby mode because only one ASA is active.
Active/Active mode will do it.
07-11-2008 04:41 PM
According to the manual (and actual hands on):
VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include either security contexts, also referred to as multi-mode firewall, or Active/Active stateful failover.
The exception to this caveat is that you can configure and use one connection for administrative purposes to (not through) the security appliance in transparent mode.
Moreover: when the security appliance is configured for Active/Active stateful failover, you cannot enable IPSec or SSL VPN. Therefore, these features are unavailable. VPN failover is available for Active/Standby failover configurations only.
I don't even need to tell you how sad I am because of that. Whatever... life must go on...
If anybody knows something or has some sort of workaround, other than investing in two more Cisco ASA units dedicated to VPN functionality, please let me know!
Peace!
08-22-2008 08:35 AM
Yes, no VPN in Active/Active... but I guess the question is: can you do "VPN load balancing" in the Active/Standby configuration? I haven't tried it, but Cisco's documentation says:
"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."
The load balancing they are referring to is the VPN load balancing feature (not Active/Active failover). I haven't actually tried it, but I would be curious to know if it works. This problem is actually huge, because if it doesn't work, then the customer would have to buy twice as many SSL VPN licenses if their ASA pair has FW failover configured.
08-22-2008 01:39 PM
Confirmed and tested.
You cannot do VPN load balancing if you have failover enabled. If VPN load balancing is enabled and then you enable failover, the VPN load balancing database loses the standby peer.
The following statement in Cisco's ASA config guide is NOT true:
"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."
And I'm sure they are referring to VPN load balancing and not to Active/Active load balancing, because the URL link after that statement goes directly to the VPN load balancing section of the ASA configuration guide.
08-22-2008 02:49 PM
Are you assuming only two ASAs?
08-23-2008 05:00 AM
Yes, 2 ASAs.