Nexus n9k VPC setup with Active/Active ASA ipsec devices

Ozy
Level 1
Level 1

Hello! 

I'm trying to create an HA system using 2x Nexus 9000 C93180YC-FX3 and 2x Cisco ASA5515-X ipsec devices.

Please check the architecture I've designed:

Ozy_0-1688428850536.png

Note: I'm not an experienced network engineer. I know switches, but I don't have any experience with ASA ipsec devices. That's why I have to ask so many different questions.

My first question is: is my architecture solid and correct?

Switch side: 
I have only 1 VLAN with an x/20 subnet. I want to create the default gateway on the switches because I want it to be fast and don't need the ipsec devices for internal routing.

Switch configuration: 

1- With a vPC setup, how can I create a default gateway for a VLAN on the vPC domain and route it to Active/Active ipsec devices with load balancing?

2- What are your recommendations and special settings, if we need any?

ASA configuration:

1- How should I configure the ASA devices for an active/active cluster setup?

2- I have 1 internet uplink for each ipsec device. How should I configure these interfaces?

3- The internet uplinks come from an internal switch; how should I configure these links? With an Active/Active setup, we will have 1 outside IP and 2 ipsec devices. I think I need a special setting for this type of usage. Do we need BGP or any other special settings?

4- For the ipsec tunnel, I have 1 destination ipsec server but 2 source ipsec devices. How can I configure the tunnel?

 

9 Replies

marce1000
VIP
VIP

 

 - Check out this presentation: https://community.cisco.com/t5/data-center-and-cloud-knowledge-base/quick-start-guide-asa-cluster-on-nexus/ta-p/3647341?attachment-id=130418

 M.




Do you want to configure ASA active/active multi-context or an active/active cluster?

Active/Active cluster. I don't need multi context.

OK, so it's a cluster.
A cluster needs a CCL.
Your topology is OK:
port channel from each ASA to both switches (N9K vPC),
single link to outside.

OK, so it's a cluster. // Active/Active cluster, yes.
A cluster needs a CCL. // I will research it, thanks.
Your topology is OK. // Good to hear.
Port channel from each ASA to both switches (N9K vPC). // Complete.
Single link to outside. // I have one WAN link for each ASA device. I think I have to create something like a port-channel to act as one link toward the WAN switch, right? Do I need to create a port-channel between ipsec1+2 and WAN switch ports 1+2?

ONE by ONE, friend. My ASA does not support cluster; if it did, I would be happy to share the config.
Is the outside TWO or ONE? According to the topology above it is only ONE; please share the final topology you will use.

The next step is configuring the two ASA 5515-X ipsec devices.
device 1: Cisco Adaptive Security Appliance Software Version 9.6(2)
device 2: Cisco Adaptive Security Appliance Software Version 9.1(1) <system> Device Manager Version 6.6(1)

I decided to upgrade the firmware, and the latest firmware is this:

Cisco Adaptive Security Appliance Software for the ASA 5515-X, and ASASM. 17-May-2023
asa9-12-4-58-smp-k8.bin 
 
IPsec port map is ready:
Ozy_0-1688701790080.png

 

After the firmware upgrade, I will configure the devices.
I couldn't find free time to read the deployment guides. I need more information.
1- Active/Active: it is complicated but also possible. I think it is worth it to double the performance and reduce the latency.
2- Shared WAN IP
3- Shared ipsec gateway
4- Basic firewall rules to keep the ipsec tunnel and its users safe and secure
5- Advanced firewall and NAT rules for management
6- Load balancing

 

Hello @Ozy ,

>> 4- For ipsec tunnel, I have 1 destination ipsec server but 2 source ipsec device. How can I configure the tunnel?

If you have a single destination for the IPsec site-to-site VPN, the complex cluster setup is not going to provide you any benefit in comparison with an HA Active/Passive pair.

I will report for your reference an extract from the ASA 9.9 configuration guide about limitations with clusters:

"VPN and Clustering on the FXOS Chassis
An ASA FXOS Cluster supports one of two mutually exclusive modes for S2S VPN, centralized or distributed:
• Centralized VPN Mode. The default mode. In centralized mode, VPN connections are established with
the control unit of the cluster only.
VPN functionality is limited to the control unit and does not take advantage of the cluster high availability
capabilities. If the control unit fails, all existing VPN connections are lost, and VPN connected users see
a disruption in service. When a new control unit is elected, you must reestablish the VPN connections.
When you connect a VPN tunnel to a Spanned interface address, connections are automatically forwarded
to the control unit. VPN-related keys and certificates are replicated to all units.
• Distributed VPN Mode. In this mode, S2S IPsec IKEv2 VPN connections are distributed across members
of an ASA cluster providing scalability. Distributing VPN connections across the members of a cluster
allows both the capacity and throughput of the cluster to be fully utilized, significantly scaling VPN
support beyond Centralized VPN capabilities."

 

This means that you can change your design to  a simpler HA pair with active/passive ASA if your destination peer is only one.

Hope to help

Giuseppe
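As an added sketch, not a configuration from any reply in this thread, this is the shape of the simpler design Giuseppe recommends: an ASA active/standby failover pair behind the Nexus vPC pair, with the /20 VLAN's gateway held by HSRP on the switches (the question in the original post) and one static default route toward the pair's shared inside address. Every address, VLAN number, interface and port-channel name is an assumed placeholder, and both ASAs should run the same software version for failover to form, which the planned upgrade takes care of.

```text
! --- Nexus 9000 vPC pair: identical on both peers except the values noted ---
feature vpc
feature hsrp
feature interface-vlan
vpc domain 10
  ! source/destination are reversed on peer 2
  peer-keepalive destination 192.0.2.2 source 192.0.2.1
  peer-gateway

! one SVI per peer; HSRP 10.10.0.1 is the only gateway address hosts use
interface Vlan100
  no shutdown
  ! 10.10.0.3/20 on peer 2
  ip address 10.10.0.2/20
  hsrp 100
    preempt
    ! lower priority on peer 2
    priority 110
    ip 10.10.0.1

! single default route toward the ASA pair's shared inside address; that
! address follows the active unit on failover, so the switches never change it
ip route 0.0.0.0/0 10.10.0.254

! vPC 11 toward ASA 1; ASA 2 gets its own port-channel and vPC number (e.g. 12)
interface port-channel11
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 11

! --- ASA 5515-X primary unit (the secondary differs only in "failover lan unit secondary") ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 198.51.100.1 255.255.255.252 standby 198.51.100.2
failover

! LACP member of the port-channel that lands on both Nexus switches
interface GigabitEthernet0/1
  channel-group 1 mode active
interface Port-channel1
  nameif inside
  security-level 100
  ip address 10.10.0.254 255.255.240.0 standby 10.10.0.253
! the single outside IP: only the active unit answers on it
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
```

Because the outside address is also an active/standby pair address, the single outside IP asked about in the original post needs no BGP; a failover simply moves it to the other unit. Cluster mode would instead require the CCL and spanned EtherChannel described in the quick-start guide linked above.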

 

 

Hello Giuseppe, 

I mistyped, sorry for that. I have 2 ipsec servers (in the cloud), and these ipsec servers have their own VPN servers with fallback settings.

When I lose one of the ipsec or VPN servers (both are in the cloud), the client automatically re-establishes the connection via the fallback tunnel.

 

 

 
