
AnyConnect failover

networking_nwis
Level 1

Hi,

I am building an AnyConnect IPSec solution, and have a question about backup servers. I understand that if I input the details of my backup link, then in the event of a failure at the primary this will be used. My question is more about capacity.

As you can see, I have a primary and backup link. Now they terminate into two separate DMZs, which don't have direct layer2/3 connectivity. So I am aiming to create the same profile on both ASAs, with a Primary and Backup server defined. Now potentially I have more users than I can licence on a single ASA, so if that is full, will that be seen as not available to new clients, so they are then forced to connect to the backup site?

So what needs to happen for clients to use the backup link?

Thanks in advance,

Mike.


Hi,

What type of failover are we talking here? Active/Active, Active/Standby? In either of these two you would run into issues, as a failover will not occur unless there is a link failure. The Active/Active should run fine until a failover occurs or you again go over the licensed user limit, as you could have the option of splitting the traffic between the two ASAs. Active/Standby would not help at all if you have more users than the license permits.

You could configure your ASAs in a cluster, but that would require ASA5585-X and a specific license for clustering. If you have that then you don't have a limit on the number of users anyway.

Your best option is to upgrade your ASA licenses to support unlimited users.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Anthony.Herman
Level 1

You can load balance VPN connections on the ASA.

