07-26-2009 04:02 PM - edited 03-11-2019 08:59 AM
Hi.
We have two ASA 5540s, and we would like to establish failover between them, but a problem occurred.
First of all, I will show you our license info.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 5
GTP/GPRS : Enabled
VPN Peers : 5000
WebVPN Peers : 10
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Enabled
UC Proxy Sessions : 24
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
As shown in the log above, the two devices' licenses are different. I know that if the ASAs' licenses don't match each other, they can't establish a failover relationship.
Our main purpose for using the ASAs is IPsec VPN connections.
If I sync just VPN-3DES-AES on each of them, can I establish the VPN? I don't care about the other items.
Your comments would be appreciated.
Thanks in advance.
07-26-2009 05:41 PM
Sung, everyone's comments are accurate, but if all you want is Client IPsec VPN load balancing and failover between two ASAs, and you are not planning to use them for firewalling/NAT, then you don't need to worry about configuring failover. Just enable VPN load balancing mode. VPN load balancing mode doesn't care about matching licenses. Keep in mind that you can't have failover and VPN load balancing enabled at the same time. If you also have some site-to-site VPNs, you can separately configure both ASAs to provide them and set up the remote site with a backup IPsec peer (don't forget about IGP+RRI on the ASA).
Regards,
Roman
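To make the pieces in Roman's reply concrete, here is an added configuration sketch that is not from the thread or from Cisco documentation: one head-end ASA joining a VPN load-balancing cluster with reverse-route injection into OSPF, and a remote-site ASA pointing a site-to-site crypto map at a primary and a backup peer. All addresses, names, the cluster key and the ACL are constructed placeholders, the ISAKMP policy and tunnel-group/pre-shared-key lines are omitted, and the pre-8.4 transform-set syntax is assumed because of the 2009 date of the thread.

```cisco
! Added example, not from the thread. All values are constructed placeholders.
!
! ---- Head-end ASA: member of a VPN load-balancing cluster ----
! Repeat on the second ASA with its own priority; the cluster IP is the
! virtual address that remote-access clients connect to.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster encryption
 cluster key EXAMPLE-CLUSTER-KEY
 priority 10
 participate
!
! Reverse route injection: the ASA installs static routes for connected
! peers, and OSPF redistributes them so the inside network learns which
! ASA currently terminates each tunnel.
crypto map OUTSIDE_MAP 10 set reverse-route
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 redistribute static subnets
!
! ---- Remote-site ASA: site-to-site tunnel with a backup IPsec peer ----
! The second address in "set peer" is used only if the first one fails.
access-list VPN_ACL extended permit ip 10.20.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map REMOTE_MAP 10 match address VPN_ACL
crypto map REMOTE_MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map REMOTE_MAP 10 set transform-set ESP-AES-SHA
crypto map REMOTE_MAP interface outside
```

The `cluster encryption` and `cluster key` lines protect the cluster messages exchanged between members; without them the load-balancing traffic between the ASAs is sent in the clear.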
07-26-2009 05:13 PM
In order for two ASAs to sync failover, all features must match 100%. So, in order for failover to sync (despite your using the ASAs just for VPN purposes), you will need to have VPN-3DES-AES, 5 Security Contexts, GTP Enabled, 10 WebVPN, and 24 UC Proxy Sessions on the second firewall (along with the already matched features).
07-26-2009 05:29 PM
Sung
You cannot use the ASA for VPN if you establish an active/active failover. You could use the ASA for VPN if you configure it for active/standby (and if you get all the license parameters to match, as explained correctly by Kevin).
HTH
Rick