Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
3
Replies

VPN Clustering

Go to solution
johng231
Level 3
Level 3

‎10-20-2010 07:40 AM - edited ‎03-11-2019 11:57 AM

Hello Everyone,

We're planning on purchasing 2 ASA5510-SEC-BUN-k9 for replacing a VPN 3005 concentrator and a PIX 515E firewall.

We want to have the 2 ASA(s) in active/standby failover and enable the VPN cluster for remote VPN access only. Is this possible to perform?

Thanks in advance !

John

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to johng231

‎10-20-2010 08:31 AM

John,

Only active unit in failover can participate in VPN load balancing.

So you cannot have load balancing and failover running on same two boxes.

That limitation has not been lifted so far, (speculation begins) mostly because of the implementation of failover, where stateful updates go from one (active) box to the other (standby) and not both ways as would be required in failover-load-balancing scenario(speculation ends)

Marcin

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-20-2010 08:04 AM

John,

What do you mean by cluster?

Two ASAs can either be in failover or be in load balancing cluster (or form a failover and being in that state become part of VPN load lanacing cluster with third ASA).

In either of the scenarios: yes the ASA will be able to terminate RA only (noth IPsec and SVC), clientless access is also considered remote access.

It's quite standard and widely deployed scenario en par (and better) with vpn3k and PIXes

Marcin

0 Helpful

Go to solution
johng231
Level 3
Level 3
In response to Marcin Latosiewicz

‎10-20-2010 08:11 AM

well I want to have redundancy on the ASA(s) so I plan on setting it up in active/standby failover, I also want to use the VPN cluster feature to loadbalance remote IPSEC connections between both devices instead of one just sitting there cold. Can you have this type of design ?

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to johng231

‎10-20-2010 08:31 AM

John,

Only active unit in failover can participate in VPN load balancing.

So you cannot have load balancing and failover running on same two boxes.

That limitation has not been lifted so far, (speculation begins) mostly because of the implementation of failover, where stateful updates go from one (active) box to the other (standby) and not both ways as would be required in failover-load-balancing scenario(speculation ends)

Marcin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card