ASA 5520 virtual firewalls & SSL VPN

Unanswered Question
Aug 17th, 2008

We are going to install two ASA 5520 boxes with HA (Active-Active or Active-Passive).

The boxes include 50 context licenses (virtual firewalls) and 750 SSL VPN licenses each.

Is it impossible to use VPNs and context licenses with HA?

dhananjoy chowdhury Sun, 08/17/2008 - 22:45


If you are configuring the ASA firewalls in multiple-context mode, then you cannot use features like VPN, dynamic routing, etc.

If you go for Active/Active HA, you must have multiple contexts and so IPSec or SSL VPN cannot be enabled.

Farrukh Haroon Mon, 08/18/2008 - 11:17

Well, it's obviously not the 'same'. Active/Active lets you load share the traffic across the two firewalls, which is a better use of resources. However, sometimes it makes it pretty difficult to troubleshoot network problems. If your primary WAN/internet link satisfies your needs you can go with Active/Passive. The same would also be true for the ASA throughput. If the throughput of one firewall suffices, you can go for Active/Passive. However, to run VPNs this is your only choice on the Cisco platform.



kosalasuranjith Mon, 08/18/2008 - 19:13

I mean that if we configure two ASAs in Active/Passive mode, can't we still use virtual firewalls and VPNs?

Farrukh Haroon Mon, 08/18/2008 - 21:20

In Active/Passive mode you can use VPNs. However, to run virtual firewalls you have to go into 'mode multiple'. As soon as you do that, you have to say bye-bye to VPNs, dynamic routing and some other features.
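A quick way to make the constraint described in this answer auditable, as an added example that is not part of the thread or of Cisco's own tooling: a Python check that parses the text of `show mode` and a running configuration, and flags VPN or dynamic-routing commands present on a unit that is in multiple-context mode. The `show mode` output and the configuration are constructed samples, and the command keywords checked (`crypto map`, `webvpn`, `router ospf`/`eigrp`/`rip`) are assumed here to stand for the features the post names.

```python
"""Audit an ASA for single-context-only features configured on a unit
that is in multiple-context mode (VPN, dynamic routing).

Added example, not code from the thread or from Cisco. It works on the
text of `show mode` and a running configuration; the samples below are
constructed for illustration, not captured from a real device."""

import re

# Constructed sample of `show mode` output from a unit in multiple-context mode.
SAMPLE_SHOW_MODE = "Security context mode: multiple\n"

# Constructed sample configuration (not a real device's config).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP interface outside
webvpn
 enable outside
router ospf 1
 network 10.0.0.0 255.0.0.0 area 0
failover
failover lan unit primary
"""

# Top-level commands assumed to represent features that need single-context mode.
SINGLE_MODE_ONLY = {
    "IPsec VPN (crypto map)": re.compile(r"^crypto map\b"),
    "SSL VPN (webvpn)": re.compile(r"^webvpn\b"),
    "dynamic routing (OSPF)": re.compile(r"^router ospf\b"),
    "dynamic routing (EIGRP)": re.compile(r"^router eigrp\b"),
    "dynamic routing (RIP)": re.compile(r"^router rip\b"),
}


def parse_context_mode(show_mode_output: str) -> str:
    """Return 'single' or 'multiple' from `show mode` output, or 'unknown'."""
    m = re.search(r"Security context mode:\s*(single|multiple)", show_mode_output)
    return m.group(1) if m else "unknown"


def find_single_mode_features(config: str) -> dict:
    """Map each single-mode-only feature to the top-level config lines enabling it."""
    found = {}
    for line in config.splitlines():
        if line.startswith(" "):  # indented sub-mode line, not a top-level command
            continue
        for feature, pattern in SINGLE_MODE_ONLY.items():
            if pattern.match(line):
                found.setdefault(feature, []).append(line)
    return found


def audit(show_mode_output: str, config: str) -> list:
    """Return one message per feature that is configured but unsupported in
    multiple-context mode; an empty list means no conflict (or single mode)."""
    if parse_context_mode(show_mode_output) != "multiple":
        return []
    features = find_single_mode_features(config)
    return [f"{feature} configured but unsupported in multiple-context mode: {lines[0]}"
            for feature, lines in sorted(features.items())]


if __name__ == "__main__":
    for msg in audit(SAMPLE_SHOW_MODE, SAMPLE_CONFIG):
        print(msg)
```

Run against the constructed sample it reports three conflicts (crypto map, webvpn, OSPF); the same configuration on a unit whose `show mode` says `single` produces none. In practice you would paste the output of `show mode` and `show running-config` from the system execution space into the two inputs.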



azore2007 Tue, 08/19/2008 - 00:02

Hi all

How come Cisco ASA can't support VPNs in multi-context mode if you dedicate physical interfaces with different public IPs for each firewall?

I was thinking of integrating our office FW with our new production ASA 5520 and do a virtual a/s setup.

But killing VPN support isn't even an option.

Cisco must fix this imo :)

Farrukh Haroon Tue, 08/19/2008 - 00:25

Yes I totally agree, we must all push Cisco for this. You should start with your account manager.



azore2007 Wed, 08/20/2008 - 03:10

Good news everyone

Talked with our company's account manager and he informed me that VPN support is being worked on and should be released during 2008.

cisco24x7 Wed, 08/20/2008 - 03:54

Let's get something clear here:

- Active/Active in ASA will NOT provide load-sharing from the same source. For example, if you have a host behind a pair of ASAs in Active/Active mode, load-sharing will not be possible by splitting the traffic from the host through both ASAs. ASA in Active/Active mode is like HSRP with multiple groups.

Other firewall vendors such as Checkpoint and/or Nokia have IPSO clustering and ClusterXL that will allow load-sharing through multiple firewalls from the same source. Checkpoint can do up to 32-node clusters. In other words, you can load-share traffic through 32 nodes from the same source, and you can terminate VPN in Active/Active mode as well. These features have been available for almost 5 years now.

kosalasuranjith Mon, 03/08/2010 - 20:19

Dear All,

This was a discussion we had about a year ago.

But I think we are still not getting the solution. Hope that I'm correct.

Still we can't create IPSec VPN tunnels etc. in multi-context mode.

We are facing problems, because Cisco is not going to provide this feature.

Can anybody inform us if there are any updates?
