ASA VPN loadbalancing and Firewall failover question

Answered Question
acharyr123 Mon, 10/08/2007 - 21:14
User Badges: is possble to setup 2 ASA 5520 in A/S mode. But Load balancing will not take place.

In Active/Active mode this facility can be availed.

adam.miller Fri, 12/21/2007 - 11:03
User Badges:

What about VPN Load Balancing specifically? In the document located here:

It says "Note: VPN failover is not supported on units that run in multiple context mode. VPN failover is available for Active/Standby Failover configurations only."

Active/Active requires multiple contexts. Therefore, VPN Failover will not work in Active/Active. But it does not say anything about VPN clustering or load balancing. Which is the functionality I believe he meant. VPN Clustering is covered here:

But it says in the Requirement sections "VPN users are able to connect to all ASAs with the use of their individually assigned public IP address."

It's saying that each ASA having it's own individually assigned public IP is a requirement for VPN clustering. Therefore, how could it be possible using Active/Active failover?

Roman Rodichev Fri, 08/22/2008 - 13:43
User Badges:
  • Gold, 750 points or more

Confirmed and tested

You can not do VPN load balancing if you have failover enabled. If VPN load balancing is enabled and then you enable failover, VPN load balancing databases loses the standby peer.

The following statement in cisco's ASA config guide is NOT true:

"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."

And I'm sure they are referring to VPN load balancing and not to Active/Active load balancing, because the URL link after that statement goes directly to the VPN load balancing section of the ASA configuration guide

This means that if a customer wants to get a pair of ASAs for firewalls and also wants to use SSL VPN, he must buy twice as many SSL VPN licenses. The only other way is to get a second pair of ASAs just for VPN.

I've asked many cisco folks about this and no one seems to know when this licensing issue is going to get resolved. Many of my customers shy away from SSL VPN just because of this issue.


This Discussion