
ASA5520 load sharing vpn

Hi,

We want to configure our 2x ASA5520 to provide vpn-ssl access for our customers.

Is it better to configure them as a VPN cluster in load balance or to set them up as an active/active cluster?

What are the differences between these 2 modes?

Thank you.

3 Replies

Todd Pula
Level 7

An active/standby failover cluster will provide for hardware redundancy but only one ASA will be active at any one time.  A load balancing cluster will enable multiple member ASAs to service remote access VPN connection requests.  The docs below cover both features in detail.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpnsysop.html#wp1048834

Does VPN load balancing have any firewall, NAT, ... limitations?

There are no limitations regarding firewall policies or NAT.  You will, however, need to independently manage the overall configuration for each ASA in the cluster.  For example, if you configure a custom WebVPN portal page, you will want to ensure that this same object is positioned and configured on all of the member ASAs so that the connecting users get the same experience.
