09-10-2013 07:17 PM
Hi,
I have an enquiry regarding an ASA deployment that needs to support more than 10000 clients. I understand that multiple ASAs would be required for it; however, I was wondering what the typical design for it may be. Should the multiple ASAs be set up as a VPN cluster/load balancing/etc...?
It would be appreciated if there is any design document for it. The present setup is a pair of ASAs in active/standby, and I was wondering how to combine the total connections if I require 15000 VPN connections; for example, 2 pairs of active/standby with VPN clustering/load balancing/etc...?
Thanks.
09-10-2013 11:49 PM
You are right, VPN load balancing is the technology you should deploy for that. With that you can combine multiple devices into a load-sharing cluster. These devices can be different, for example two 5555 with two 5545, which would give you a total of 15000 VPN connections.
Of course you should plan for device-failure. So you could deploy 4*5555 and also if one ASA is lost you still have 15000 connections (well, at least based on the data-sheet; I wouldn't push the amount of connections to the limit).
For redundancy you could also deploy these devices as FO-systems. 3*2*5555 would also give you redundancy.
This is all under the assumption that the users connect to the same office where the ASAs have an L2 connection to each other, which is needed for VPN load balancing. If the users connect through different locations, then these ASAs can't use VPN load balancing unless you have an L2 connection between the locations.
If you have multiple locations you should also think about the shared-license server which could save a lot of money if your users don't always use the same gateway.
And the last point: configure as much as possible for your AAA with a central RADIUS-server to reduce the probability of misconfiguration on multiple ASAs.
Sent from Cisco Technical Support iPad App
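A configuration sketch of the setup described in the answer above, added here as an example and not taken from the original post: each ASA joins one VPN load-balancing group and authenticates users against a central RADIUS server. The interface names, addresses, group names and secrets are placeholders, and the syntax assumes an ASA 9.x release.

```cisco
! Constructed example: names, addresses and secrets are placeholders.
! Apply the same block on every ASA that joins the load-balancing group.
!
! Central RADIUS server for AAA, configured identically on each member
aaa-server RAD-VPN protocol radius
aaa-server RAD-VPN (inside) host 192.0.2.50
 key <radius-shared-secret>
!
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 authentication-server-group RAD-VPN
!
! IKEv1 on the private interface is required before
! "cluster encryption" is accepted (assumption: 9.x syntax)
crypto ikev1 enable inside
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual IP that clients connect to; it must sit in the same
 ! subnet as the outside interface of every member (the L2 requirement)
 cluster ip address 198.51.100.10
 ! Shared secret and encryption for member-to-member messages
 cluster key <cluster-shared-secret>
 cluster encryption
 ! 1-10; the higher value is preferred when the master is elected
 priority 10
 participate
```

Keeping the `cluster key` and the RADIUS `key` identical across members and out of shared documentation is the part most easily misconfigured when several ASAs are built by hand.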
09-15-2013 09:03 PM
Hi,
Thanks for the information.