Cisco Support Community
New Member

ASA Cluster site-to-site VPN

Hi,

I have 2 ASA firewalls in 2 DCs and I want to upgrade them to cluster the 4 firewalls into 1 logical firewall.

My question is about site-to-site VPN.

1- The master will handle the site-to-site VPNs, but if the master firewall fails, a new master firewall will be re-elected. Will the site-to-site VPN connections then be automatically reconnected on the new master firewall, or not?

2- If they need to be reconnected manually, does that mean I will need to put the configuration on the new master firewall after the old firewall has failed?

3- Which kind of site-to-site VPN will I be able to do with ASA clustering:

 - DMVPN?

- IPSEC VPN?

- Both?

Thank you very much for your time and attention.

Regards,

J

4 REPLIES
VIP Purple

Again based on the documentation, the cluster members share a single config, and centralized features have to be re-established on the new master after the original one fails.

For your question 3): The ASA doesn't support DMVPN at all. You have to use pure IPsec or handle site-to-site VPNs on a device that has better capabilities, like an ISR G2 or ASR.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi Karsten,

thanks for the reply. Sorry, I have limited English skills, so just to verify that I understood correctly:

You mean that if the master fails I will need to go to the new master firewall and configure the site-to-site tunnel?

Thanks

J

VIP Purple (Accepted Solution)

No, when all units share a single config (as stated in the documentation), then all ASAs in the cluster have the config for the VPN. With that, the new master should be able to build the VPN again without any manual tasks.


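Worked example added here to illustrate the point made in the two replies above; it is not from the thread or from Cisco's documentation. It shows what the single shared cluster config means in practice for a plain IKEv2 site-to-site IPsec tunnel (the pure-IPsec option Karsten points to, since DMVPN is not available on the ASA), and the commands to check, after a master failure, which unit is now master and whether the tunnel has been rebuilt on it. All unit names, interface IDs, addresses (RFC 1918 and RFC 5737 ranges), access-list and map names, and keys are placeholders; the pre-shared key must of course be the same on the remote peer.

```text
! Added example, not configuration from the thread. Placeholders throughout.
!
! Cluster bootstrap. Only local-unit and priority differ per member; the rest
! of the running config is replicated from the master to every member, so the
! VPN config below exists on all four units.
cluster group DC-CLUSTER
 local-unit asa1
 cluster-interface Port-channel1 ip 10.255.0.1 255.255.255.0
 priority 1
 key cluster-key-placeholder
 enable

! IKEv2 policy (phase 1) and IPsec proposal (phase 2)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: DC LAN to the remote site LAN (placeholder networks)
access-list VPN-TO-BRANCH extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

! Crypto map bound to the outside interface. Site-to-site VPN is a
! centralized feature, so only the current master terminates this tunnel;
! after a master failure the newly elected master brings it up again from
! this same replicated config, with no per-unit VPN configuration needed.
crypto map OUTSIDE-MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key psk-placeholder
 ikev2 local-authentication pre-shared-key psk-placeholder

! Verification after a failover, run on the cluster console:
! 1. which unit is master now
show cluster info
! 2. the IKEv2 SA to the peer exists again on that master
show crypto ikev2 sa
! 3. the IPsec SAs exist and counters increase for the interesting traffic
show crypto ipsec sa peer 203.0.113.10
```

The thing to watch in practice is the gap between the old master failing and the new master completing the IKEv2 exchange: existing tunnel state is not carried over, so the tunnel is rebuilt rather than resumed, and the peer side must accept a fresh negotiation from the same cluster address.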
New Member


Thanks a lot Karsten for the explanation, now I understood.

Regards,

J
