VPN ASA Load-balancing + Active/Standby

Amafsha1
Level 2

Hello folks. Currently have a 2110 (ASA code) VPN standalone. Thinking about adding another VPN 2110 with the same configs. Is it possible to configure VPN load-balancing and also make them into an Active/Standby pair? I can't find much documentation except for this document I was told about in another thread about HA pairing the VPNs.

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_932bcd38-9cb6-49ef-889c-40e57df87c7f

Option 2b discusses a possibility of doing Active/Standby with VPN load-balancing on 2-10 ASAs, but it does not give any configuration examples or any further detail. Not sure if I can fully validate this works just through this article. So I was wondering if anyone else has had a similar setup that worked.


Francesco Molino
VIP Alumni
Hi

FTD isn't supported but ASA is. Your Firepower 2100 uses ASA code, so the VPN load balancing configuration will be the same as on an ASAv, for example.
You can't have HA and VPN load balancing at the same time.
However, if you have 2 HA pairs, you can use VPN load balancing. 1 HA pair will be the VPN "master" and the other HA pair will be "secondary". Configuration remains the same as a standard VPN load balancing.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Correct, I'm using ASA code.

Let's say I only configure VPN load-balancing. If the master member goes down, the secondary will pick up the connections from there on, correct? So in some ways it provides a little redundancy?

If you have your HA in a VPN load balancing cluster with another firewall or HA, let's assume.
In your local HA, the primary will share VPN based on load balancing. If it goes down, all VPNs are maintained on the secondary, and this secondary will also be part of the VPN load balancing cluster. Yes, you will have redundancy.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you. But I think what you are saying is a config option with more than 2 physical firewalls. I only have a total of 2 that I can use. So I'm asking: if I have only a total of 2 physical firewalls and I configure VPN LB between them, I still get redundancy, correct? If the master goes down, the second will pick up the connections?

Ok noted, I get your point.
If you have 2 firewalls, and if 1 goes down, the other will continue to serve all VPN, but sessions that were on the failed one will be gone and users will have to log back in. They will be terminated then on the secondary.

If you don't want any loss of VPN sessions during a hardware crash, you'll need to configure them as HA. In that case VPN sessions will be maintained.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
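As an added illustration of the two-unit, load-balancing-only option that Francesco describes above (a standard ASA VPN load-balancing cluster with no failover pair), this is what the configuration looks like on each standalone ASA; it is not configuration from the original posts or from Cisco's documentation. Interface names, the virtual address and the cluster key are constructed placeholders, and the `crypto ikev1 enable inside` line reflects the assumption that cluster encryption needs IKEv1 enabled on the lbprivate interface.

```cisco
! Added example, not from the original thread: VPN load balancing on two
! standalone ASAs (no failover). Addresses, names and the key are placeholders.
!
! ---- ASA-1 (preferred director: higher priority) ----
! Assumption: cluster encryption requires IKEv1 on the lbprivate interface.
crypto ikev1 enable inside
vpn load-balancing
 ! interface clients connect to; the cluster IP must sit in its subnet
 interface lbpublic outside
 ! interface the members use to exchange load information
 interface lbprivate inside
 ! virtual address: point the AnyConnect profile at this, not at a member
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key CLUSTER-KEY-PLACEHOLDER
 cluster encryption
 priority 10
 participate
!
! ---- ASA-2 (same cluster IP, key and port; lower priority) ----
crypto ikev1 enable inside
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key CLUSTER-KEY-PLACEHOLDER
 cluster encryption
 priority 5
 participate
!
! Verify on either unit that both members are listed and sharing the load:
! show vpn load-balancing
```

Because the director only redirects new connections to a member's own outside address, each unit's real outside IP must stay reachable by clients, and as the accepted answer says, sessions on a failed member are not migrated: those users reconnect to the cluster IP and land on the surviving unit.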