ASA5520 load sharing vpn

Aug 12th, 2010

Hi,

We want to configure our 2x ASA5520 to provide VPN-SSL access for our customers.

Is it better to configure them as a VPN cluster in load balance or to set them up as an active/active cluster?

What are the differences between these 2 modes?

Thank you.

Todd Pula Thu, 08/12/2010 - 07:38

An active/standby failover cluster will provide for hardware redundancy but only one ASA will be active at any one time.  A load balancing cluster will enable multiple member ASAs to service remote access VPN connection requests.  The docs below cover both features in detail.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1048834

Todd Pula Thu, 08/12/2010 - 08:03

There are no limitations regarding firewall policies or NAT.  You will, however, need to independently manage the overall configuration for each ASA in the cluster.  For example, if you configure a custom WebVPN portal page, you will want to ensure that this same object is positioned and configured on all of the member ASAs so that the connecting users get the same experience.
