Here is the show ver output of my 2x ASA5520. I will be configuring Site-to-Site VPNs on the ASA. My plan is to have one unit as a Primary unit and the other as a Secondary (standby) unit. Will my VPNs work with the current failover mode (Active/Active) if I proceed to configuring the VPNs?
If you enable Stateful Failover, then VPN tunnels should failover in an active/standby configuration.
That said, in the real world I've seen problems with firewall failover causing problems with VPN tunnels. Almost always the problem is with the tunnels that are terminated by older Cisco equipment or non-Cisco equipment, i.e. PIX 501, 821 routers, etc. But in VPN tunnels between ASAs it seems to failover the tunnel just fine.
When the ASA is configured for security contexts or Active/Active stateful failover, IPSec or SSL VPN cannot be enabled. Therefore, these features are unavailable.
So in my case, if the ASAs are on a single security context and failover is Active/Active, what do I do, if I want to also run IPSEC and SSL VPNs on these firewalls?
If your firewall is in single context mode, you should have no issues with failover and VPN. You can check by entering "show mode". You will see something similar to "Security context mode: single".
The Active/Active text in the output of "show ver" is simply saying that you are licensed to use Active/Active mode, which is only available in multiple context mode.
I'd recommend that you upgrade the software image on your ASAs to a later release before you deploy them.
If you are deploying WebVPN features, you will want an 8.X release. 8.0.4 has been the most stable for me, though I have had to move certain clients to an interim build to resolve issues with authentication to CIFS servers. 8.2.1 is the most current release and I have not had any issues with it - so far.
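The rule the answers describe (VPN is only possible in single context mode, the Active/Active line in show ver is just a license, and tunnels only survive a failover when a stateful failover link exists) can be turned into a quick pre-deployment check. This is an added example, not code from the thread or from Cisco; the show mode line follows the one quoted above, and the running-config fragments are constructed samples, not the poster's configuration.

```python
import re

# Constructed "show mode" outputs, modelled on the line quoted in the thread.
SHOW_MODE_SINGLE = "Security context mode: single\n"
SHOW_MODE_MULTIPLE = "Security context mode: multiple\n"

# Constructed running-config fragments (interface names are assumptions).
# Active/Standby with a stateful failover link defined via "failover link".
CONFIG_ACTIVE_STANDBY = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
"""
# Active/Active is expressed through failover groups (multiple context mode only).
CONFIG_ACTIVE_ACTIVE = """\
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover group 1
  primary
failover group 2
  secondary
"""


def assess_vpn_failover(show_mode: str, running_config: str) -> dict:
    """Combine 'show mode' and the failover config to decide whether
    IPsec/SSL VPN can be enabled and whether tunnels survive a failover."""
    match = re.search(r"Security context mode:\s*(\w+)", show_mode)
    mode = match.group(1).lower() if match else "unknown"
    lines = [line.strip() for line in running_config.splitlines()]
    failover_on = "failover" in lines                        # bare 'failover' enables it
    stateful = any(line.startswith("failover link ") for line in lines)
    active_active = any(line.startswith("failover group ") for line in lines)
    vpn_supported = mode == "single" and not active_active
    if not vpn_supported:
        reason = "IPsec/SSL VPN unavailable: multiple context or Active/Active failover"
    elif failover_on and not stateful:
        reason = "VPN works, but tunnels will be rebuilt on failover (no stateful link)"
    elif failover_on:
        reason = "VPN works and stateful failover should carry the tunnels over"
    else:
        reason = "VPN works; failover is not enabled on this unit"
    return {"context_mode": mode, "failover_enabled": failover_on,
            "stateful": stateful, "active_active": active_active,
            "vpn_supported": vpn_supported, "reason": reason}
```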