ASA Active/Active or VPN Cluster

Feb 11th, 2009

We have two ASAs that will be used for VPN access. Initially only IPSec connections, but eventually we'll be using the SSL Web connections as well. I was curious which failover configuration would be more appropriate: Active/Active or the VPN Load Balancing Cluster. I was thinking the VPN cluster, since they will not be used as firewalls, but wasn't sure.

Thanks for any input.

Ivan Martinon (Cisco Employee) Wed, 02/11/2009 - 12:45

Keep in mind that to have active/active failover you need to have security contexts enabled on your ASA devices, and the moment multiple firewall (contexts) is enabled, VPN features are removed from the ASA.

bbinion80 Wed, 02/11/2009 - 13:30

So if I understand what you are saying correctly, I cannot use Active/Active while using remote VPN. I'd have to use the VPN Load Balancing to utilize fault tolerance. Is this correct?

Ivan Martinon (Cisco Employee) Wed, 02/11/2009 - 14:09

You can certainly use active/standby failover along with VPN, or you can use VPN load balancing; it is up to your design. What you can't use is active/active failover.

bbinion80 Thu, 02/12/2009 - 05:59

Yeah, I was looking at Active/Standby, but my boss feels that if we are using it for VPN (IPSec and SSL), one unit may be doing too much, and he would rather have some type of load balancing in place. So it seems the VPN cluster may be the best option.
