Dual ISP, Active/Standby ASA, and RA VPN

fatalXerror
Level 5

Hi Experts,

Good Day!

I am tasked to implement RA-VPN for my client, and this is my first time implementing it. I need some advice from you regarding my design. Technically, my 2 ASAs will be in Active/Standby, and each ASA is connected to one ISP, just like in the attached diagram, which means that the 2 ASA outside interfaces will have different public IP addresses.

Now, when ASA-1 goes down or any link on that ASA goes down, it will trigger the failover, and the VPN users will feel the disconnection since the ASA-1 outside IP address is different from the ASA-2 outside IP address. This means the VPN users have to reconnect using the outside IP of ASA-2 to be able to connect again.

Now, my client asked (and I don't know the answer) whether we can configure a "Virtual IP" (VIP) on the ASAs' outside interfaces so that the VPN users just use the VIP in their VPN client or AnyConnect software. In this way we could somehow minimize the disconnection experienced by the users.

Is that possible? If no, do you have any other suggestions?

Please see attached file for the diagram.

Thank you very much for your help.

niks

9 Replies

This is a design that would be fine for an IOS router but that doesn't really fit the ASA.

You should configure both ASAs for both ISPs. The active ASA can then handle both ISPs. In the event of an ASA failure, the other ASA does the same.

This would be the "native" ASA-way of configuring failover with multiple ISPs.

Hi Karsten,

Good Day!

Thanks for the feedback. You mean on each ASA I will be connecting 2 ISP links? How about the interfaces connecting to the 2 ISPs, I should not monitor them for the failover mechanism, right? Please see attached file.

Also, is there any way the VPN users will not experience network downtime once the failover mechanism takes place in this setup?

Thank you very much for the super help :)

niks

Yes, the ASAs should be connected as shown in the drawing.

But both interfaces should be monitored. Without that, the ASA wouldn't fail over to the second unit in certain scenarios.

So even though they are monitored, only 1 ISP link is active on the active ASA and the other ISP link is in backup, right?

thanks

For outgoing traffic, only the primary link is used. But for incoming traffic, both ISPs can be used.

That's asymmetric routing right? Does this cause any problems in the future?

thanks,

niks

No, it's symmetric. Traffic entering on the backup ISP interface will leave over the backup ISP interface. That's handled by the ASA.

Thanks Karsten, I'll try it.

The interface IP address of ASA-1 will be replicated to ASA-2, so in the event of a failover it should not be felt by the VPN users, right?

thanks again for your great help.

niks

That's right, the config is replicated. But be aware that other elements, like the AnyConnect client package or the VPN profiles, are not replicated. They have to be uploaded to the secondary ASA manually.

For your routing, you need two default routes:

1) the primary to your first ISP, ideally with SLA monitoring

2) the backup to your second ISP with a higher administrative distance.
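The dual-ISP layout discussed in this thread (both outside interfaces monitored, an SLA-tracked primary default route and a backup route with a higher administrative distance), written out as ASA CLI. This is an added example, not configuration posted by anyone in the thread; the interface names, addresses, probe target and timers are constructed placeholders.

```cisco
! Added example; all names, addresses and timers below are constructed placeholders
!
! Two outside interfaces, one per ISP, each with an active and a standby address
interface GigabitEthernet0/0
 nameif outside-isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif outside-isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! Both ISP interfaces are monitored so a dead link triggers unit failover
monitor-interface outside-isp1
monitor-interface outside-isp2
!
! SLA probe: ICMP echo to the ISP1 gateway, sent out the primary link only
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-isp1
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route (AD 1) is withdrawn when track 1 reports the gateway down
route outside-isp1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route with a higher AD, installed only while the primary is absent
route outside-isp2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! AnyConnect is accepted on both ISP interfaces so users can connect to the
! backup address when ISP1 is down; the ASA returns that traffic on the
! interface it arrived on, keeping the backup path symmetric
webvpn
 enable outside-isp1
 enable outside-isp2
 anyconnect enable
```

The AnyConnect package and client profiles referenced by the webvpn section are not replicated by failover and must be present on the secondary unit as well.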