Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
0
Helpful
2
Replies

Multi-Site ASA SSL and IPSEC Active/Passive Failover

bshellrude
Level 1
Level 1

‎11-08-2017 08:20 AM - edited ‎03-12-2019 04:43 AM

Hello All,

I'm working on a solution for a client, whereby they have two two sites, with sub ms connectivity and diverse paths (multiple dedicated fibers/wavelengths taking different physical paths through the city, diverse building entrances, etc...), and would like to migrate to a solution where the two ASA's they have in an active/passive configuration can be split between the locations.

 

The caveat is that aside from the failover links themselves, they (and I) don't want to stretch the outside/inside subnets between the sites. The original thought was to use a loopback or virtual IP to terminate traffic, and use BGP to advertise that VIP/interface depending on who's active (as BGP will only be active on the active ASA), and maintain config sync and member health using two diverse failover links.  Something anycast-"ish"

 

I realize this is an unsupported/non-standard configuration... but I'm wondering if there is any way to do this.

Limitations I've run into so far

- ASA doesn't support loopbacks

- Because the outside network isn't shared between sites, non-monitored external interfaces on two different subnets would be required

- I tried setting up a same-security-level subnet that is shared between sites, if only for a monitored interface, to terminate VPN traffic on... but I keep getting "unable to find egress interface"

 

So yeah... Any bright ideas?

Labels:
0 Helpful
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎11-08-2017 09:24 AM

Hi,

Why dont you run each asa as seperate unit (meaning not active/standby).
Then configure routing between asa's and uplink nodes and let routing
decide which site takes over using route metrics. This will take care of
failover as well using routing updates
0 Helpful

bshellrude
Level 1
Level 1
In response to Mohammed al Baqari

‎11-08-2017 09:56 AM

Hi, thanks for the reply and suggestion.  Yeah I'd already considered that, however one of the design goals is to not have to manage two separate devices/policies/configurations. Ideally the config is replicated... otherwise yes, using routing makes things much simpler/easier and less restrictive.

 

On the other hand, while it does make things pretty straight forward with regards to SSL/Anyconnect tunnels... replicating/maintaining 50+ S2S configs/shared keys/etc... could become cumbersome...

 

Are there any products (cisco or third party) out there that might handle and/or help with this?

0 Helpful
Customers Also Viewed These Support Documents