Showing results for 
Search instead for 
Did you mean: 

Multi-Site ASA SSL and IPSEC Active/Passive Failover

Hello All,

I'm working on a solution for a client, whereby they have two two sites, with sub ms connectivity and diverse paths (multiple dedicated fibers/wavelengths taking different physical paths through the city, diverse building entrances, etc...), and would like to migrate to a solution where the two ASA's they have in an active/passive configuration can be split between the locations.


The caveat is that aside from the failover links themselves, they (and I) don't want to stretch the outside/inside subnets between the sites. The original thought was to use a loopback or virtual IP to terminate traffic, and use BGP to advertise that VIP/interface depending on who's active (as BGP will only be active on the active ASA), and maintain config sync and member health using two diverse failover links.  Something anycast-"ish"


I realize this is an unsupported/non-standard configuration... but I'm wondering if there is any way to do this.

Limitations I've run into so far

- ASA doesn't support loopbacks

- Because the outside network isn't shared between sites, non-monitored external interfaces on two different subnets would be required

- I tried setting up a same-security-level subnet that is shared between sites, if only for a monitored interface, to terminate VPN traffic on... but I keep getting "unable to find egress interface"


So yeah... Any bright ideas?

Mohammed al Baqari
VIP Advisor


Why dont you run each asa as seperate unit (meaning not active/standby).
Then configure routing between asa's and uplink nodes and let routing
decide which site takes over using route metrics. This will take care of
failover as well using routing updates

Hi, thanks for the reply and suggestion.  Yeah I'd already considered that, however one of the design goals is to not have to manage two separate devices/policies/configurations. Ideally the config is replicated... otherwise yes, using routing makes things much simpler/easier and less restrictive.


On the other hand, while it does make things pretty straight forward with regards to SSL/Anyconnect tunnels... replicating/maintaining 50+ S2S configs/shared keys/etc... could become cumbersome...


Are there any products (cisco or third party) out there that might handle and/or help with this?

Content for Community-Ad