ASA 5505 high availability infrastructure help needed.

johnverdon · ‎03-12-2009

Hi,

I need some help regarding the best way forward for creating a site to site vpn link that has failover redundancy.

Currently I have 2 sites that both have 2 ADSL lines installed, the routers at both ends are simple ADSL to ethernet routers with no special failover functions. I am planning to install at each site 2 ASA5505 with security plus bundle firewalls, and configure them such that if one of the adsl lines at either site fails the vpn tunnel will automatically failover to the other route.

Alternatively, can I achieve a similar level of fault tolerance using just 1 ASA firewall at either end of the 2 adls lines. I understand that this would make either firewall a single point of failure but still provide redundancy of the adsl links which are generally more prone to faults than the firewalls. if it can be done using just 1 ASA at each site, is the ASA 5505 capable or would I need to jump up to an ASA 5510?

What is the difference between the Stateless A/S of the 5505 and the A/A A/S high availability of the 5510?

Hope somebody can help me with this,

Regards

John.

Collin Clark · ‎03-12-2009

John-

The ASA supports backup public interfaces. I have never VPN'd with each, but I don't see why it wouldn't work.

https://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

A/S is active/passive meaning one box is processing data, the other is idle. In active/active, both boxes are processing data. I don't believe you can run A/A with two different public IP's though.

Hope that helps.