
ASA 5520 Active standby and ssl vpn loadbalancing

v.dumont

I have a pair of ASA 5520 running active/standby failover. Can I use both of these machines in an SSL VPN load-balancing cluster?



Yes, a VPN load-balancing cluster member can be a standalone unit or an A/S failover unit. It's also allowed that some members are FO and others are standalone.

You can find more information on that in the config guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html#wp1048834

v.dumont
Could I just use the failover pair? No third ASA?

No. When an active/standby pair is part of a VPN cluster, the standby unit is still standby - it won't be actively terminating end user sessions. Only the active (and non-failover) cluster members will be doing so.

And if it's more about scalability for more peers, then you can run a VPN-cluster with just two ASAs.