07-03-2023 06:18 PM - edited 07-04-2023 04:07 AM
Hello!
I'm trying to create an HA system by using 2x Nexus 9000 C93180YC-FX3 and 2x Cisco ASA5515-X ipsec.
Please check the architecture I've designed:
Note: I'm not an experienced network engineer. I know switches, but I don't have any experience with ASA ipsec devices. That's why I have to ask too many different questions.
My first question is: is my architecture solid and correct?
Switch side:
I have only 1 vlan with x/20 subnet. I want to create a default gateway on switches because I want to be fast and don't need ipsec devices for internal routing.
Switch configuration:
1- With a VPC setup, how can I create a default gateway for a VLAN on the VPC domain and route it to Active/Active ipsec devices with load balancing?
2- What are your recommendations and special settings, if we need any?
ASA configuration:
1- How should I configure the ASA devices for an active/active cluster setup?
2- I have 1 internet uplink for each ipsec. How should I configure these interfaces?
3- The internet uplinks come from an internal switch; how should I configure these links? With an Active/Active setup, we will have 1 outside IP and 2 ipsec devices. I think I need a special setting for this type of usage. Do we need BGP or any other special settings?
4- For the ipsec tunnel, I have 1 destination ipsec server but 2 source ipsec devices. How can I configure the tunnel?
07-03-2023 11:06 PM
- Checkout this presentation : https://community.cisco.com/t5/data-center-and-cloud-knowledge-base/quick-start-guide-asa-cluster-on-nexus/ta-p/3647341?attachment-id=130418
M.
07-04-2023 04:02 AM
Do you want to configure ASA active/active multi-context or active/active cluster?
07-04-2023 11:08 PM
Active/Active cluster. I don't need multi context.
07-05-2023 01:21 AM
OK, so it's a cluster.
A cluster needs a CCL.
Your topology is OK.
Port-channel from each ASA to both SWs (N9K vPC).
Single link to outside.
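As an added illustration of the switch-side part of this design (the SVI default gateway living on the Nexus pair and one vPC port-channel per ASA, as the reply above describes), here is an NX-OS configuration for one of the two vPC peers. It is example configuration written for this thread, not taken from the poster or from Cisco documentation, and every value in it is assumed: VLAN 10 for the /20, 10.10.0.0/20 as the subnet, HSRP VIP 10.10.0.1 as the hosts' default gateway, 10.10.0.254 as the ASA inside address, Po10 as the vPC peer-link, Po20/Po21 as the vPCs toward ASA-1 and ASA-2, and 192.0.2.x for the peer-keepalive. The second Nexus mirrors this with its own SVI address and a lower HSRP priority.

```cisco
! Added example (not from this thread): Nexus 9000 vPC peer "N9K-1".
! Assumed values: VLAN 10 = 10.10.0.0/20, HSRP VIP 10.10.0.1 (hosts' default
! gateway), ASA inside address 10.10.0.254, Po10 = vPC peer-link, Po20 = vPC
! toward ASA-1, Po21 = vPC toward ASA-2. N9K-2 mirrors this with its own SVI
! address (10.10.0.3) and a lower HSRP priority.
feature vpc
feature lacp
feature interface-vlan
feature hsrp

vlan 10
  name INSIDE

vpc domain 10
  peer-switch
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  peer-gateway
  auto-recovery

! vPC peer-link between the two Nexus switches
interface port-channel10
  switchport mode trunk
  switchport trunk allowed vlan 10
  spanning-tree port type network
  vpc peer-link

interface Ethernet1/49-50
  switchport mode trunk
  switchport trunk allowed vlan 10
  channel-group 10 mode active
  no shutdown

! One vPC per ASA: each ASA has one member link on each Nexus, so the ASA
! sees a single port-channel even though it spans both switches
interface port-channel20
  description ASA-1 inside
  switchport mode access
  switchport access vlan 10
  spanning-tree port type edge
  vpc 20

interface Ethernet1/1
  description ASA-1 inside link
  switchport mode access
  switchport access vlan 10
  channel-group 20 mode active
  no shutdown

interface port-channel21
  description ASA-2 inside
  switchport mode access
  switchport access vlan 10
  spanning-tree port type edge
  vpc 21

interface Ethernet1/2
  description ASA-2 inside link
  switchport mode access
  switchport access vlan 10
  channel-group 21 mode active
  no shutdown

! The gateway for the /20 lives on the switches; with vPC, HSRP forwards on
! both peers, so east-west traffic inside the VLAN never crosses the ASAs
interface Vlan10
  no shutdown
  ip address 10.10.0.2/20
  hsrp 10
    preempt
    priority 110
    ip 10.10.0.1

! Only traffic leaving the /20 is handed to the ASA inside address
ip route 0.0.0.0/0 10.10.0.254
```

Two points to check against the final ASA design before using this: with an ASA cluster using a spanned EtherChannel, both ASAs' inside links belong to one port-channel on the ASA side, so the two vPCs above collapse into a single vPC whose member ports go to both ASAs; with an active/passive failover pair instead, one vPC per ASA as shown is what the reply describes. In both cases the switches see one next-hop address, so any load balancing across the two ASAs comes from the port-channel hashing toward the cluster, not from the static route.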
07-06-2023 11:26 AM - edited 07-06-2023 09:11 PM
OK, so it's a cluster. // Active/Active cluster, yes.
A cluster needs a CCL. // I will research it, thanks.
Your topology is OK. // Good to hear.
Port-channel from each ASA to both SWs (N9K vPC). // Complete.
Single link to outside. // I have one WAN link for each ASA device. I think I have to create something like a port-channel to act as one toward the WAN switch, right? Do I need to create a port-channel between ipsec1+2 and WAN switch ports 1+2?
07-07-2023 11:40 AM
One by one, friend. My ASA does not support cluster; if it did, I would be happy to share the config.
Is outside two or one? According to the topology above it is only one. Please share the last topology you will use.
07-06-2023 09:07 PM
The next step is configuring the two ASA 5515-X ipsec devices.
device 1: Cisco Adaptive Security Appliance Software Version 9.6(2)
device 2: Cisco Adaptive Security Appliance Software Version 9.1(1) <system> Device Manager Version 6.6(1)
I decided to upgrade firmwares and the latest firmware is this:
After firmware upgrade, I will configure the devices.
07-07-2023 02:55 AM
Hello @Ozy ,
>> 4- For ipsec tunnel, I have 1 destination ipsec server but 2 source ipsec device. How can I configure the tunnel?
if you have a single destination for IPSEC site to site VPN the complex cluster setup is not going to provide you any benefit in comparison with an HA Active/Passive pair.
I will report, for your reference, an extract from the ASA 9.9 configuration guide about limitations with clusters:
"VPN and Clustering on the FXOS Chassis
An ASA FXOS Cluster supports one of two mutually exclusive modes for S2S VPN, centralized or distributed:
• Centralized VPN Mode. The default mode. In centralized mode, VPN connections are established with the control unit of the cluster only. VPN functionality is limited to the control unit and does not take advantage of the cluster high availability capabilities. If the control unit fails, all existing VPN connections are lost, and VPN connected users see a disruption in service. When a new control unit is elected, you must reestablish the VPN connections. When you connect a VPN tunnel to a Spanned interface address, connections are automatically forwarded to the control unit. VPN-related keys and certificates are replicated to all units.
• Distributed VPN Mode. In this mode, S2S IPsec IKEv2 VPN connections are distributed across members of an ASA cluster providing scalability. Distributing VPN connections across the members of a cluster allows both the capacity and throughput of the cluster to be fully utilized, significantly scaling VPN support beyond Centralized VPN capabilities."
This means that you can change your design to a simpler HA pair with active/passive ASA if your destination peer is only one.
Hope to help
Giuseppe
07-07-2023 10:57 AM
Hello Giuseppe,
I mistyped, sorry for that. I have 2 ipsec servers (on the cloud), and these ipsec servers have their own VPN servers with fallback settings.
When I lose one of the ipsec or VPN servers (both are on the cloud), the client automatically regenerates the connection via the fallback tunnel.