04-27-2006 06:00 AM - edited 02-21-2020 02:23 PM
Hello,
I was wondering if someone can answer my question regarding the following scenario. I am looking at implementing an Active/Standby pair of ASA 5510s that will terminate a site-to-site VPN to a PIX 501. My thought is that if the Active 5510 fails, I'll still be able to maintain the VPN connection to the Standby 5510. My understanding is that VPN state information is not going to transfer over to the Standby 5510; I would need an Active/Active configuration for that to happen. That being the case, in a failure scenario the PIX 501 will actually be communicating to the Standby 5510 that doesn't have any of the existing tunnel information. I've seen instances in the past (not with ASAs at the headend) where the PIX 501 doesn't know to tear down the old tunnel and reestablish a new one. My question is, will that be the case here and is there a way around it, other than Active/Active at the headend?
Thanks!
05-03-2006 12:05 PM
Active/Standby Failover for ASA 5500
Learn how the failover feature of the Cisco ASA 5500 Series Adaptive Security Appliance provides high availability for your network. After a brief description of active/standby and active/active failover, watch a demonstration of the steps for configuring active/standby failover.
http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html
05-03-2006 06:01 PM
The Admin Guide states that VPN failover is available for Active/Standby failover configurations only.
Also version 7.0 supports VPN as long as stateful failover has been configured: Please read below from the Admin Guide .. I hope it helps ... Please rate it if it does !!!
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes the following:
NAT translation table.
TCP connection states.
UDP connection states.
The ARP table.
The Layer 2 bridge table (when running in transparent firewall mode).
The HTTP connection states (if HTTP replication is enabled).
The ISAKMP and IPSec SA table.
GTP PDP connection database.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:
The HTTP connection table (unless HTTP replication is enabled).
The user authentication (uauth) table.
The routing tables.
State information for Security Service Cards.
Table 11-3 Failover Configuration Feature Support
Feature                                  Active/Active   Active/Standby
Single Context Mode                      No              Yes
Multiple Context Mode                    Yes             Yes
Load Balancing Network Configurations    Yes             No
Unit Failover                            Yes             Yes
Failover of Groups of Contexts           Yes             No
Failover of Individual Contexts          No              No
(Cisco Security Appliance Command Line Configuration Guide, OL-6721-02, Chapter 11 Configuring Failover, Understanding Failover, page 11-14)
05-03-2006 06:06 PM
oops let me clean it up for you !!!
Also version 7.0 supports VPN as long as stateful failover has been configured: From the Admin Guide ..
I hope it helps ... Please rate it if it does !!!
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes the following:
NAT translation table.
TCP connection states.
UDP connection states.
The ARP table.
The Layer 2 bridge table (when running in transparent firewall mode).
The HTTP connection states (if HTTP replication is enabled).
The ISAKMP and IPSec SA table.
GTP PDP connection database.
The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:
The HTTP connection table (unless HTTP replication is enabled).
The user authentication (uauth) table.
The routing tables.
State information for Security Service Cards.
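The Active/Standby configuration the quoted guide text relies on, as an added example that is not part of this thread or of the Cisco guide. Hostnames, interface names, addresses and the shared key are assumed placeholders; the point it shows is that the ISAKMP/IPsec SA table is only replicated when a dedicated Stateful Failover link (`failover link`) is configured in addition to the LAN failover link.

```cisco
! Primary ASA 5510 (all names and addresses below are assumed for this example)
hostname asa-primary
!
! Outside interface the PIX 501 peers with. The active unit always owns the
! active IP and MAC, so after a failover the PIX still sees the same peer
! address and the replicated SAs keep the tunnel up.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! Dedicated LAN failover link: hello messages and configuration sync only.
interface Ethernet0/3
 description LAN Failover Interface
!
! Dedicated Stateful Failover link: carries the per-connection state listed
! in the guide (xlates, TCP/UDP conns, ARP, ISAKMP/IPsec SA table, ...).
! Without the "failover link" command below the pair is stateless and the
! standby unit comes up with no tunnel information.
interface Ethernet0/2
 description STATE Failover Interface
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link STATELINK Ethernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
! Shared key so state and configuration replication between the units is
! encrypted rather than sent in clear text over the failover links.
failover key EXAMPLE-SHARED-KEY
failover
```

The secondary unit needs only the same `failover lan interface`, `failover link`, `failover interface ip`, `failover key` and `failover` lines with `failover lan unit secondary`; everything else is synced from the primary, and `show failover` on either unit confirms whether Stateful Failover is on and that state updates are flowing.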