Point-to-Point IPSEC VPN with ASA Active/Standby pair

Matt Craig · ‎10-29-2012

Can I establish an endpoint of a point-to-point IPSEC VPN tunnel on an ASA 5540 Active/Standby failover pair and expect the tunnel to failover to the Standby unit in the event the Active one fails? Are there are caveats or notable behaviors in this setup/senario?

Julio Carvajal · ‎10-29-2012

Hello Matt,

Yes, that is the whole purpose of the active/standby scenario for VPN on the ASA.

VPN failover only supported on active/standby ( *** No active/active support **** )

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎10-29-2012

Your statement of "VPN failover only supported on active/standby ( *** No active/active support **** )" is NOT true. Check this out this link: http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.pdf

on page 17 it stated "Site-to-site VPN tunnels are now supported in multiple context mode". Isn't "multiple context mode" mean active/active?

Julio Carvajal · ‎10-29-2012

Site-to-Site VPN in multiple context mode Site-to-site VPN tunnels are now supported in multiple context mode.

VPN is not supported on active/active, Multiple context does not mean active/active.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎10-29-2012

In order to be in Active/Active, don't you have to put the ASA in multiple context mode?

Therefore, when it said "Site-to-site VPN tunnels are now supported in multiple context mode", does it mean the the ASA cluster is active/active at that point?

Julio Carvajal · ‎10-29-2012

Hello,

In order to be in Active/Active, don't you have to put the ASA in multiple context mode?

Yes, that is true

But multiple-context also support active/standby This is a regular question most of the customer have...

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC