VPN Concentrator redundancy / failover

rajibchicago · ‎11-16-2009

We had one VPN concentrator (3000 ip 170.48.29.xx) in our main datacenter, currently we are establishing a second data center in another city, we will have an ASA (ip 69.87.39.xx) as VPN concentrator for the 2nd data center. All our users (S2s, vpn client) now connect to the main VPN concentrator (ip 170.48.29.6), if possible I would like to use the ASA as the failover VPN concentrator, if the primary one fails, it will take over as the primary without any user (end point) configuration change. Is this possible?

Thanks for your help.

Richard Burts · ‎11-20-2009

For Remote Access VPN using the IPSec VPN client I believe that it is possible to have the ASA function as the backup concentrator and for users to connect to it automatically if the primary is not available and not require any config change in the client. The IPSec client has a parameter for backup concentrator and the 3000 concentrator can be configured to push the address of the ASA as the backup to the client. I have configured this for some customers and it works quite well.

For site to site VPN I do not believe that it is possible to have the ASA function as backup without config changes. Depending on the capabilities of the device at the other end of the site to site VPN you may be able to configure a second peer address in the crypto map which would allow the device to use the ASA if the 3000 is not available. But that certainly requires a config change.

HTH

Rick

HTH

Rick

VPN Concentrator redundancy / failover

Firewall: ASA Failover，FTD HA の 'Negotiation' ステータスについて

Cisco ASA5500 VPN のFailover設定

ASA: 冗長機能と、Failoverのトリガー、Health Monitoringについて

Anyconnect flex vpn failover

BGP AUTO FAILOVER