ASA5520 load sharing vpn

Aug 12th, 2010

Hi,

We want to configure our 2x ASA5520 to provide VPN-SSL access for our customers.

Is it better to configure them as a VPN cluster in load balancing or to set them up as an active/active cluster?

What are the differences between these 2 modes?

Thank you.

Todd Pula Thu, 08/12/2010 - 07:38

An active/standby failover cluster will provide for hardware redundancy but only one ASA will be active at any one time.  A load balancing cluster will enable multiple member ASAs to service remote access VPN connection requests.  The docs below cover both features in detail.


http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html


http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1048834

Todd Pula Thu, 08/12/2010 - 08:03

There are no limitations regarding firewall policies or NAT.  You will, however, need to independently manage the overall configuration for each ASA in the cluster.  For example, if you configure a custom WebVPN portal page, you will want to ensure that this same object is positioned and configured on all of the member ASAs so that the connecting users get the same experience.
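
As an added example (not part of the thread or of Cisco's documentation): a small Python check for the configuration drift described in the reply above, comparing the shared SSL VPN sections of two member configurations. The list of shared sections, the sample configs, and the names CUSTOMERS and CustomerPortal are constructed assumptions.

```python
# Added example. Assumption: these top-level sections must match on every cluster member.
SHARED_PREFIXES = ("webvpn", "group-policy ", "tunnel-group ")

def shared_sections(config_text):
    """Map each shared top-level command to its indented sub-commands."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line[0] in "!:":
            continue                      # blank line or comment
        if not line.startswith(" "):      # top-level command opens a new section
            current = line if line.startswith(SHARED_PREFIXES) else None
            if current is not None:
                sections.setdefault(current, [])
        elif current is not None:         # sub-command inside a shared section
            sections[current].append(line.strip())
    return sections

def drift(config_a, config_b):
    """Return (section, finding) tuples for shared config that differs."""
    a, b = shared_sections(config_a), shared_sections(config_b)
    findings = []
    for header in sorted(set(a) | set(b)):
        if header not in a or header not in b:
            findings.append((header, "section missing on " + ("A" if header not in a else "B")))
            continue
        findings += [(header, "only on A: " + l) for l in a[header] if l not in b[header]]
        findings += [(header, "only on B: " + l) for l in b[header] if l not in a[header]]
    return findings

# Constructed sample configs (not from the thread). Per-unit settings such as
# hostname and load-balancing priority differ legitimately and are ignored.
# Unit B is derived from unit A but lacks the custom portal reference.
ASA_A = """hostname asa-a
webvpn
 enable outside
group-policy CUSTOMERS internal
group-policy CUSTOMERS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  customization value CustomerPortal
vpn load-balancing
 priority 10
 participate
"""
ASA_B = (ASA_A.replace("asa-a", "asa-b").replace("priority 10", "priority 5")
         .replace("  customization value CustomerPortal\n", ""))

if __name__ == "__main__":
    for section, finding in drift(ASA_A, ASA_B):
        print(f"{section}: {finding}")
```

The comparison covers only the text of the saved configurations passed to it.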
