
New Member

Re:High Availability in ASA5510

Hi All,

I have a question as well as a problem. I want to set up HA for ASA5510. I wanted to design the network to achieve HA. I am attaching the present set-up of the network. At present, I have 2 ISP connections terminating in ASA5510. The configuration is done for failover in ASA5510.

I have another ASA5510 and want to use it for HA. I needed to know the design for the set-up. I want a stateless failover since the amount of traffic is less. I don't have any ISP routers in the present network. I suppose I need 2 routers for HA and couple of switches.

One more question is that, as there are SSL VPN users, is there any way for the users to not get disconnected when one device fails?

I am very much waiting for your reply and I thank you in advance.

Regards,

Prashant K

5 REPLIES
VIP Purple

Re:High Availability in ASA5510

You don't need any supporting devices for HA on the ASA. If you have the SecPlus license, then you can activate Active/Standby Failover and the functionality you have now will work the same as before. Of course you need more switchports because there are now three interfaces more to connect.

And you should use stateful failover where most of the VPN session state is replicated to the standby ASA. There your users won't be disconnected.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re:High Availability in ASA5510

Hi Karsten,

Thanks for your reply. Can you provide a design for this network?

Regards,

Prashant K

VIP Purple

Re:High Availability in ASA5510

After reading your message again, it's not clear to me: Do you already have failover deployed or are you planning for the deployment?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re:High Availability in ASA5510

Hi Karsten,

I haven't deployed it yet. I am planning to deploy it. I have attached 2 proposed topologies (LAN Pool and WAN Pool). Kindly let me know your feedback on this.

Regards,

Prashant K

VIP Purple

Re:High Availability in ASA5510

OK, then start with the following document:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_overview.html

First implement stateful Active/Standby failover as described in the config guide. With that you have the ASA high availability and your VPN sessions are also replicated.

As a second step you could extend your setup with the WAN-Routers to use both ISPs simultaneously. But be aware that this needs a more complex configuration with policy-based routing. You need to ensure that the traffic always leaves through the ISP where the traffic also entered the network.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
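
As an illustration of the first step recommended in this thread (stateful Active/Standby failover), here is an added configuration sketch that is not part of any post above. Interface assignments, interface names (`FOLINK`, `outside`, `backup`, `inside`), all IP addresses and the key placeholder are assumptions chosen for the example; it assumes two ISP-facing interfaces and one inside interface, with Ethernet0/3 free for the failover link.

```cisco
! ---- Primary unit (constructed example; all names and addresses are assumptions) ----
! Every data interface gets a standby address so the peer can be monitored.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated failover interface: no nameif, just bring it up.
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Stateful failover: share the same link for state replication.
failover link FOLINK Ethernet0/3
! Without a key, failover traffic (including replicated config) crosses the link in clear text.
failover key <shared-secret-placeholder>
failover
!
! ---- Secondary unit: only the failover bootstrap is entered by hand ----
interface Ethernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link FOLINK Ethernet0/3
failover key <shared-secret-placeholder>
failover
```

Once both units are up, `show failover` on either ASA reports the Active/Standby roles and the state of the stateful link; the rest of the configuration is replicated from the primary to the secondary.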