Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1573
Views
20
Helpful
8
Replies

Firepower ASA cluster doesn't support AnyConnect?

WiLL-I-Am
Level 1
Level 1

‎09-07-2020 10:44 PM - edited ‎09-07-2020 11:27 PM

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/clustering_for_the_firepower_threat_defense.html

According to the cisco documentation it seems it doesn't support, so what's the reason?

what is the alternative?

should I add another firewall to inside network and forward the port to that ASA?

it also says for Site to Site

VPN functionality is limited to the control unit and does not take advantage of the cluster high availability capabilities. If the control unit fails, all existing VPN connections are lost, and VPN users will see a disruption in service. When a new control unit is elected, you must reestablish the VPN connections.

again same here then why do we do clustering? and it says when the new control unit is elected, you must reestablish the vpn connections? I thought the second a traffic is requested to be sent over that tunnel, tunnel automatically reestablishes itself, what does it referring to(I didn't get it)?

 

Labels:
0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎09-07-2020 11:43 PM

Hi,

Clustering is used to increase throughput and availablity, normally for large customers/sites with high throughput requirements. Depending on your requirements (throughput/connections) you can deploy ASA/FTD Active/Standby failover, this will support firewall and VPNs (Site to Site and/or Remote Access) functionality.

 

If you do use clustering for firewall functionality, then use a dedicated ASA/FTD pair in Active/Standby failover mode just for VPNs (Site to Site and/or Remote Access). It is common for large customers have dedicated ASA/FTD hardware just for VPNs.

 

HTH

WiLL-I-Am
Level 1
Level 1
In response to Rob Ingram

‎09-08-2020 02:54 PM - edited ‎09-08-2020 04:09 PM

We have a massive throughput, and I want to use clustering for this project, that way I can learn something out of it too.

Because I will be asked by our team, I should be able to explain!, "why Cisco does not support the AnyConnect on a cluster?" what's a good reason that Cisco had done this?

 

I am gonna ask my other question again, I think I didn't get what they mean in the Cisco documentation

For site to site support it says

VPN functionality is limited to the control unit and does not take advantage of the cluster high availability capabilities. If the control unit fails, all existing VPN connections are lost, and VPN users will see a disruption in service. When a new control unit is elected, you must reestablish the VPN connections.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/clustering_for_the_firepower_threat_defense.html

 

I don't get the "you must" part, if the new control unit gets elected after a new flow of traffic on the tunnel, it automatically triggers the ASA to establish the L2L tunnel, I don't need to do anything!, or I am wrong?

thanks

0 Helpful

Ruben Cocheno
Spotlight
Spotlight

‎09-08-2020 04:59 PM

@WiLL-I-Am 

 

Using a cluster a few functions will not work as expected, which it changes the behaviour that we used to have using HA pair. In a HA pair you have aall sessions synced, since only one node is primary and the other secondary. In cluster mode, as you know all nodes are active so to keep this kind of transactions atomic only one node will process the traffic not keeping the sessions aacross the nodes. This way the cluster mode is ideal when you need to scale from the throughput perspective.

 

An alternative is using a dedidated HA pair for your VPN's site-to-site and Anyconnect if it's the case.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

WiLL-I-Am
Level 1
Level 1
In response to Ruben Cocheno

‎09-09-2020 08:27 AM - edited ‎09-09-2020 10:27 AM

 

In this topology all links are Layer 3(10 gig SFPs)

I only want to use 2110 for AnyConnect(redistribute the AnyConnect route) and L2L, otherwise it brings down the performance...

Both Cluster and HA(Active/Stand) pair participate in OSPF routing protocol, so if only the whole cluster goes down the active/stand takes the lead...

 

could you check see if any design flaws here?

image.png

Thanks

0 Helpful

Ruben Cocheno
Spotlight
Spotlight

‎09-09-2020 10:37 AM

@WiLL-I-Am 

 

I'm not a big fan of using different entry points from internet perspective, i do prefer to have the backend of your VPN HA pair connected to the FP 41xx for further inspection and have all security events in one single place. Off course there are a few pro's and cons of using it this way, but i always discuss those requirements with customers to make sure we are on track with their Internal Security Policies, etc.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

WiLL-I-Am
Level 1
Level 1
In response to Ruben Cocheno

‎09-09-2020 12:00 PM - edited ‎09-09-2020 03:15 PM

I need to have two inside data interfaces(port channels) on FP 41xx cluster, like this?

image.png

don't get me wrong I know OSPF cost manipulation is unnecessary here, but hay it's better to be safe!

Also you mentioned "for further inspection", idk how can I make the 41XX Cluster inspect this traffic, since I have to create an ACL hole on 41XX to allow a pass for 443 traffic.

is there any other way to do it?

0 Helpful

Ruben Cocheno
Spotlight
Spotlight

‎09-09-2020 02:54 PM

@WiLL-I-Am 

 

what i meant was the external interface of the VPN HA out and the backend interface connected to the FP's, so you can inspect everything that's going to your Apps/resources. Think about licensing as well, when considering about what design that you looking for. Balance is always the key.

 

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

WiLL-I-Am
Level 1
Level 1

‎09-09-2020 10:38 PM - edited ‎09-09-2020 11:05 PM

 

Like this?

this way I should put an ACL on FP 41xx to allow packets with the source of anyconnect pool ip in?

image.png

Could you elaborate a bit more on balance please? we have a high utilization at this site so the best call was to use Clustering, this way if the capacity changes in the future I can easily add another FP to the set, oh one quick question if I add 1 more module per chassis, does it increase the throughput as well not just the resiliency, is there a formula that I can calculate how much the throughput will be?

e.g. 4110 has a 35G and unlike 9300 you can't add security modules! say I have right now two 4110s, how much is my throughput? how much will it be if I add the 3rd one to the cluster?

0 Helpful
Customers Also Viewed These Support Documents