ASA 5520 Failover Configurations

bericaleb
Level 1

Hi Experts

here is the show ver output of my 2xASA5520. I will be configuring Site-to-Site VPNs on the ASA. My plan is to have one unit as a Primary unit and the other as a Secondary (standby) unit. Will my VPNs work with the current failover mode (Active/Active) if I proceed to configuring the VPNs?

11 Replies

bericaleb
Level 1

My apologies, here is the attachment.

If you enable Stateful Failover, then VPN tunnels should failover in an active/standby configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

That said, in the real world I've seen problems with Firewall failover causing problems with VPN tunnels. Almost always the problem is with the tunnels that are terminated by older Cisco equipment or non-cisco equipment. I.e. Pix 501, 821 routers, etc. But in VPN tunnels between ASA's it seems to failover the tunnel just fine.

orbanattila
Level 1

When the ASA is configured for security contexts or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.

Hi

thanks.

So in my case, if the ASAs are on a single security context and failover is Active/Active, what do I do, if I want to also run IPSEC and SSL VPNs on these firewalls?

Does anybody have an answer to my query? Please help.

thanks.

BIC

If your firewall is in single context mode, you should have no issues with failover and VPN.  You can check by entering "show mode".  You will see something similar to "Security context mode: single".

The Active/Active text in the output of "show ver" is simply saying that you are licensed to use Active/Active mode, which is only available in multiple context mode.

I'd recommend that you upgrade the software image on your ASAs to a later release before you deploy them.
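To make the point of the two replies above concrete, here is what a single-context Active/Standby stateful failover setup for a pair of ASA 5520s on 8.2 looks like, together with the checks mentioned in the thread. This is an added example, not configuration posted by anyone in the thread; the interface names, IP addresses and the failover key are placeholders chosen for illustration.

```text
! ===== Primary unit (configure first; "failover" last) =====
! Every data interface gets an active and a standby address so the
! standby unit can take over the same addresses after a switchover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
! Dedicated, directly connected (or isolated VLAN) link for failover
! hellos and for state replication. Using the same interface for the
! "failover link" is what turns plain failover into Stateful Failover,
! which is what lets established IPsec tunnels survive a switchover.
interface GigabitEthernet0/2
 description LAN + STATE failover link
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret (placeholder). Without it, failover and replicated
! state traffic cross the failover link in cleartext.
failover key <shared-secret-placeholder>
failover

! ===== Secondary unit (bootstrap only; it pulls the rest from primary) =====
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover

! ===== Checks (privileged EXEC on the active unit) =====
show mode              ! must read "Security context mode: single";
                       ! VPN is not available in multiple context mode
show failover          ! confirms unit role and that the state link is up
show failover state
show crypto isakmp sa  ! note the existing tunnels
no failover active     ! force a switchover to the standby unit ...
show crypto isakmp sa  ! ... then re-check on the new active unit: with
                       ! Stateful Failover the SAs should already be present
```

The "Active/Active" line in "show version" is only a license statement; nothing in this configuration selects Active/Active, and as long as "show mode" reports single context mode the pair runs Active/Standby and can terminate VPNs. Enable "failover" on the secondary only after the primary is fully configured, otherwise the secondary may win the election and replicate an empty configuration to the primary.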

What software image would be appropriate?

If you are deploying WebVPN features, you will want an 8.X release.  8.0.4 has been the most stable for me, though I have had to move certain clients to an interim build to resolve issues with authentication to CIFS servers.  8.2.1 is the most current release and I have not had any issues with it - so far.

will version 8.2.1 change the failover mode to Active/Standby?

8.2.1 can support active/active and active/standby.

But it will not change between them automatically unless configured.

PK

Thank you for the help. I will upgrade the software with the recommended version.
