ASA SSL VPN - Dynamic Failover

pagrawal31 · ‎03-13-2010

I have few questions related to design of a SSL VPN solution using ASA. I have four data centers - Chicago, New York, London,and Hong Kong.Design should be such that user should automatically connects to the nearest data center depending upon his/her location. So, if a user is in America, it should connect to New York Data center and if user is in China it should connect to Hong Kong. Also, Chicago is to be used as backup for other three data centers, ie if a user in China is unable to connect to Hong Kong it should automatically fail back to Chicago. What Options would you suggest and is this even possible? I am thinking of ACE and Global site selectors but not exactly sure. Your help is appreciated.

Thanks,

PJ

Herbert Baerten · ‎03-14-2010

PJ,

if you are referring to SSL client (Anyconnect), then version 2.5 will have a new feature "Optimal Gateway Selection". This version is expected 'soon'.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

If you mean clientless webvpn, then I guess you'll indeed need to use an external load balancer. To be honest I have no idea how those work so you may want to ask more info in the Data Center forum.

hth

Herbert

pagrawal31 · ‎03-14-2010

I am looking for both client (Anyconnect) and clientless solution. If Optimal Gateway Selection feature is not included in version 2.4 of the client what are other options to achieve this?