active/active ASA 8.3 with VPN

Unanswered Question
Feb 17th, 2009
User Badges:

I was wondering if I can do an active/active setup and still use Remote Access IPSEC VPN's with two ASA 5550's. I hear that you can't but if that is true are there any workarounds? I don't care if the VPN tunnels don't failover, I just want it so that if one ASA fails over then the other one will pick up for regular traffic, but for VPN I don't care if it just uses one ASA or the other as long as it can use one of them should one ASA fail.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Syed Iftekhar Ahmed Tue, 02/17/2009 - 13:53
User Badges:
  • Blue, 1500 points or more

For Active/Active, you need to enable multiple contexts. You need to make some contexts active at one ASA & remaining contexts active on the other ASA.

Multiple context mode does not support these features:

* Dynamic routing protocols ( only static routes. You cannot enable OSPF or RIP in multiple context mode)

* VPN (IPsec / SSL)

* Multicast Routing (Multicast bridging is supported)

* Threat Detection

In Summary VPN feature cannot be configured when running ASAs in active/active topology

Syed Iftekhar Ahmed

Gerard Gacusan Thu, 02/19/2009 - 14:49
User Badges:

use active/standby instead if you'll implementing ipsec vpn in a failover scenario.

active/active is not supported so far...


This Discussion