We are going to install two ASA 5520 boxes with HA (Active-Active or Active-Passive).
The boxes include 50 context licenses (virtual firewalls) and 750 SSL VPN licenses each.
Is it impossible to use the VPN and context licenses with HA?
If you are configuring the ASA firewalls in multi-context mode, then you cannot use features like VPN, dynamic routing, etc.
If you go for Active/Active HA, you must have multiple contexts, and so IPsec or SSL VPN cannot be enabled.
Well, it's obviously not 'the same'. Active/Active lets you load-share the traffic across the two firewalls, which is a better use of resources. However, it sometimes makes it pretty difficult to troubleshoot network problems. If your primary WAN/Internet link satisfies your needs, you can go with Active/Passive. The same is also true for the ASA throughput: if the throughput of one firewall suffices, you can go for Active/Passive. However, to run VPNs this is your only choice on the Cisco platform.
In Active/Passive mode you can use VPNs. However, to run virtual firewalls you have to go into 'mode multiple'. As soon as you do that, you have to say bye-bye to VPNs, dynamic routing and some other features.
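For reference, here is an added example (not taken from the thread) of the LAN-based Active/Standby failover bootstrap on the primary unit, which leaves the box in single-context mode, the arrangement the post above describes as the only one that still supports VPN. Interface names, addresses and the failover key are assumed; the syntax is the ASA 7.x/8.x era that this thread discusses.

```cisco
! Primary unit. Interface names, addresses and the key below are assumed
! values for illustration, not from any real deployment.
hostname asa-primary
!
! "show mode" must report "single" for VPN to remain available; entering
! "mode multiple" (needed for virtual firewalls and for Active/Active) removes
! VPN and dynamic routing, which is the trade-off discussed in this thread.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated failover link: carries hellos, config replication and state.
! Keep it on its own physical interface or VLAN, never on a user-facing segment.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret so replicated configuration (including VPN keys) is not sent
! in the clear over the failover link.
failover key EXAMPLE-FAILOVER-KEY
failover polltime unit 1 holdtime 3
failover
!
! Secondary unit needs only the bootstrap; everything else is replicated:
!   failover lan unit secondary
!   failover lan interface folink GigabitEthernet0/3
!   failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover key EXAMPLE-FAILOVER-KEY
!   failover
!
! Checks after both units are up:
!   show mode          -> "Security context mode: single"
!   show failover      -> peer listed as "Standby Ready"
!   show version       -> confirms Failover and VPN peer licenses on both units
```

Both units must carry matching licenses (the thread's 50-context and 750 SSL VPN entitlements included), since the standby unit takes over the full feature set when it becomes active.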
How come the Cisco ASA can't support VPNs in multi-context mode if you dedicate physical interfaces with different public IPs to each firewall?
I was thinking of integrating our office FW with our new production ASA 5520 and doing a virtual A/S setup.
But killing VPN support isn't even an option.
Cisco must fix this, IMO :)
Good news, everyone.
I talked with our company's account manager and he informed me that VPN support is being worked on and should be released during 2008.
Let's get something clear here:
- Active/Active in ASA will NOT provide load-sharing from the same source. For example, if you have a host 192.168.1.1 behind a pair of ASAs in Active/Active mode, load-sharing will not be possible by splitting the traffic from host 192.168.1.1 through both ASAs. An ASA pair in Active/Active mode is like HSRP with multiple groups.
- Other firewall vendors such as Check Point and/or Nokia have IPSO clustering and ClusterXL, which allow load-sharing through multiple firewalls from the same source. Check Point can do up to 32-node clusters. In other words, you can load-share traffic through 32 nodes from the same source, and you can terminate VPN in Active/Active mode as well. These features have been available for almost 5 years now.
This was a discussion we had about a year ago.
But I think we are still not getting the solution. I hope that I'm correct.
We still can't create IPsec VPN tunnels etc. in multi-context mode.
We are facing problems because Cisco is not going to provide this feature.
Can anybody inform us if there are any updates?