Multi-Site ASA SSL and IPSEC Active/Passive Failover
I'm working on a solution for a client, whereby they have two sites, with sub ms connectivity and diverse paths (multiple dedicated fibers/wavelengths taking different physical paths through the city, diverse building entrances, etc...), and would like to migrate to a solution where the two ASAs they have in an active/passive configuration can be split between the locations.
The caveat is that aside from the failover links themselves, they (and I) don't want to stretch the outside/inside subnets between the sites. The original thought was to use a loopback or virtual IP to terminate traffic, and use BGP to advertise that VIP/interface depending on who's active (as BGP will only be active on the active ASA), and maintain config sync and member health using two diverse failover links. Something anycast-"ish"
I realize this is an unsupported/non-standard configuration... but I'm wondering if there is any way to do this.
Limitations I've run into so far
- ASA doesn't support loopbacks
- Because the outside network isn't shared between sites, non-monitored external interfaces on two different subnets would be required
- I tried setting up a same-security-level subnet that is shared between sites, if only for a monitored interface, to terminate VPN traffic on... but I keep getting "unable to find egress interface"
Why don't you run each ASA as a separate unit (meaning not active/standby)? Then configure routing between the ASAs and uplink nodes and let routing decide which site takes over using route metrics. This will take care of failover as well using routing updates.
Hi, thanks for the reply and suggestion. Yeah I'd already considered that, however one of the design goals is to not have to manage two separate devices/policies/configurations. Ideally the config is replicated... otherwise yes, using routing makes things much simpler/easier and less restrictive.
On the other hand, while it does make things pretty straight forward with regards to SSL/Anyconnect tunnels... replicating/maintaining 50+ S2S configs/shared keys/etc... could become cumbersome...
Are there any products (cisco or third party) out there that might handle and/or help with this?