ASA Cluster site-to-site VPN

Hi,

We want to deploy four firewalls in a cluster in individual interfaces mode. Because we are using individual interfaces mode, each interface will have a different IP address.

As the site-to-site VPN is a non-cluster feature, VPN traffic will only be managed by the Master of the cluster.

If the Master switch fails, the IP address of the interface of the new Master will be different. How can the site-to-site VPN recover on the new Master switch?

What other option would I have to achieve this setup? Is there no virtual interface, like a master virtual IP, or any kind of loopback interface?

Thanks a lot.

Regards,

J

 

 

4 REPLIES


Hi Jordi,

I am pretty confused with the term cluster here....

If you are going to use the ASA as a standalone.... then on the other site end you can mention it like this in your crypto map configs... so that ASA1 to 4 with different peer IP addresses can be connected using this command line.... I am sure for dual WAN it works well... I am not sure for the quadra WAN here....

 

crypto map test 20 set peer 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4

Dual WAN Site to Site:

http://cuckoonetworks.blogspot.in/

 

Regards

Karthik

 


Hi Karthik,

 

Thanks for the answer, I will need to think about it.

 

From the ASA modes:

- Active/Passive

- Active/Active

- Cluster (since ASA 9.0) --> this is my cluster. Mine is an inter-site cluster between DCs, so since 9.1

 

Do you think it will work in my scenario?

 

Thanks a lot.

 

Regards,

 

Jordi


Hi Karthik,

That command looks very good for the solution I am looking for. My big question with the ASA cluster is whether all the VPNs will be UP or only the VPN pointing to the Master unit will be UP...

But even if the 4th links are UP, the traffic will always go from left to right to the first available peer, right?

Is there no need for IP SLA to know that the other ASA is down? How does it monitor whether the first IP was down and then came back UP? Is it preemptive?

 

Thanks a lot.

 

Regards,

 

J

 

 

 


Hi,

 

Can you update your sample design to show how the site-to-site is connected for you, so that I can suggest a solution?

 

Yes, in that blog IP SLA is missing; I will add it in the same blog....

 

Regards

Karthik
