05-31-2012 07:52 PM
Hi,
We are configuring a remote access VPN using two ASAs. These ASAs use a RADIUS server for authentication
and have ACS connected. A few doubts on this setup:
1. What attribute needs to be enabled on Cisco ACS for the ASA to work with the required AD groups?
2. The ASAs have been configured for VPN load balancing. How do we test both ASAs for load balancing or failover
using a test switch?
Thanks in advance.
05-31-2012 08:27 PM
Both ASAs are not connected to the network; they are in the staging and configuration phase.
Hence I wanted to know the answers to the above two queries.
Thanks.
05-31-2012 08:25 PM
Hi!
Basically, to authenticate against RADIUS you need to create the RADIUS client on the ACS / RADIUS server and configure the server instance on the ASA...
To authorize the users you can use attribute 25.
To test the VPN load balancing with one switch, you can connect the outside interfaces to one VLAN and the inside interfaces to another VLAN (on both ASAs)...
Then you can test the settings.
Please let me know.
Sent from Cisco Technical Support Android App
05-31-2012 09:33 PM
Javier, server instance groups have been created on the ASA. However, what attribute, and where exactly under ACS, will I need to enable on ACS so the ASAs and ACS can work together?
Second question: there is a failover (active/standby) option and a VPN load balance option in the ASA. If I only enable VPN load balance and assign each ASA a different priority, will the ASAs still be able to do a failover in case one of them fails, or is it necessary to configure active/standby failover also even if load balance is configured?
Thanks again.
06-01-2012 05:52 AM
Hi,
1)
In order to authenticate there is no need to define any attribute; I just want to make sure it is clear.
On the other hand, to define different attributes or restrictions according to the group in AD you can use RADIUS attribute 25.
To configure it on ACS, please check this link:
On the ASA side, all you need is to make sure that the group-policy exists.
2)
A failover pair cannot load-balance sessions between each other.
A failover pair can be in load balancing with one or many other units (those units can run failover, but they will be seen as one unit from the load-balancing point of view).
Please let me know.
Thanks.
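The ASA and test-switch side of what Javier describes, as an added configuration example that is not part of this thread or of any poster's setup. Interface names, IP addresses, switch port numbers, group-policy names, usernames and keys are placeholders chosen for the illustration; the ACS 5.x menu path in the comments is given from memory and should be checked against your ACS version. The first part builds the single-switch staging topology (both outside interfaces in one VLAN, both inside interfaces in another), the second maps the RADIUS Class attribute (IETF attribute 25) to a group-policy on the ASA, and the last two parts show the `vpn load-balancing` block and the active/standby `failover` block side by side, since they are separate features and the two units cannot be both a failover pair and load-balancing peers of each other:

```cisco
! ---------- Part 1: test switch (Catalyst-style IOS, hypothetical ports) ----------
! VPN load balancing only needs the members to share an outside subnet and an
! inside subnet, so two VLANs on one switch are enough for staging. Put the test
! client in VLAN 10 and connect it to the cluster IP, not to a member's own IP.
vlan 10
 name ASA-OUTSIDE
vlan 20
 name ASA-INSIDE
interface range GigabitEthernet1/0/1 - 2
 description ASA1 outside / ASA2 outside
 switchport mode access
 switchport access vlan 10
interface range GigabitEthernet1/0/3 - 4
 description ASA1 inside / ASA2 inside
 switchport mode access
 switchport access vlan 20

! ---------- Part 2: ASA1 (ASA2 is the same apart from its own addresses) ----------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.11 255.255.255.0

! RADIUS server group pointing at ACS. The ASA must also be defined as a
! RADIUS client (AAA client / network device) on ACS with the same shared key.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.5
 key CHANGE-ME
 authentication-port 1812
 accounting-port 1813

! One group-policy per AD group. On ACS 5.x (path from memory: Policy Elements >
! Authorization and Permissions > Network Access > Authorization Profiles,
! RADIUS Attributes tab) add IETF Class (25) with the value "OU=GP_VPN_ADMINS;"
! to the profile that the AD-group-based authorization rule returns. The ASA
! applies the group-policy whose name is inside OU=...; so it must exist here.
group-policy GP_VPN_ADMINS internal
group-policy GP_VPN_ADMINS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client ikev1

! Deny-by-default: a user ACS authenticates but returns no matching Class for
! lands in this policy, and zero simultaneous logins means no session is built.
group-policy GP_DENY internal
group-policy GP_DENY attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 default-group-policy GP_DENY

! ---------- Part 3: VPN load balancing (ASA2 gets e.g. priority 5) ----------
! This elects a master (highest priority wins) and distributes NEW sessions to
! members. If a member dies, its existing sessions are gone and clients must
! reconnect to the cluster IP; nothing is synchronised between members.
vpn load-balancing
 priority 10
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster key CHANGE-ME
 cluster encryption
 participate

! ---------- Part 4: active/standby failover, shown for contrast ----------
! Use this INSTEAD of Part 3 between these two units if what you want is one
! unit taking over the other's identity and state. A failover pair can then be
! a single member of a load-balancing cluster with further units.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key CHANGE-ME

! ---------- Checks from the staging switch ----------
! test aaa-server authentication ACS host 192.0.2.5 username jdoe password ...
!   (with "debug radius" the Access-Accept should carry Class = OU=GP_VPN_ADMINS;)
! show vpn load-balancing   -> master, members and their session counts
! show failover             -> "Active"/"Standby Ready" only if Part 4 is in use
```

To test Part 3, connect from the VLAN 10 client to 203.0.113.10 repeatedly and watch `show vpn load-balancing` on both units; then pull the cable of the master and confirm the other unit becomes master while the client is disconnected and has to reconnect, which is exactly the behaviour the thread calls "not failover".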
06-01-2012 09:12 AM
Thanks Javier,
A last query on failover though: I have configured VPN load balancing on both ASAs. Do I need to configure active/standby failover also?
Will load balancing alone cause one unit to assume the active role if there is any failure on the other unit?
Thanks.
06-01-2012 09:36 AM
Hi
No, VPN load balancing does not offer any kind of failover.
Sent from Cisco Technical Support Android App
06-01-2012 09:51 AM
But I understand it has these priorities assigned to it, so in case one fails the other takes over based on the priority.
Isn't that the case? And would that not imply a sort of failover taking over for the failed unit?
If the above is incorrect, does it mean we still have to configure the usual firewall failover feature even though load balancing has been configured?
Thanks.
06-01-2012 03:04 PM
Hi,
The priority is to define who is the master; if it fails, the next one with the highest priority will take the role of the master, but that is not failover. If you still need to have a mechanism to ensure network availability during a hardware or software failure, a failover pair needs to be configured.
VPN load balancing is not failover.
Sent from Cisco Technical Support Android App