
Site to Site VPN with Active/Standby ASA5510

Hello,

I was wondering if someone can answer my question regarding the following scenario. I am looking at implementing an Active/Standby pair of ASA 5510s that will terminate a site-to-site VPN to a PIX 501. My thought is that if the Active 5510 fails, I'll still be able to maintain the VPN connection to the Standby 5510. My understanding is that VPN state information is not going to transfer over to the Standby 5510; I would need an Active/Active configuration for that to happen. That being the case, in a failure scenario the PIX 501 will actually be communicating with the Standby 5510 that doesn't have any of the existing tunnel information. I've seen instances in the past (not with ASAs at the headend) where the PIX 501 doesn't know to tear down the old tunnel and reestablish a new one. My question is, will that be the case here and is there a way around it, other than Active/Active at the headend?

Thanks!

3 REPLIES

Re: Site to Site VPN with Active/Standby ASA5510

Active/Standby Failover for ASA 5500

Learn how the failover feature of the Cisco ASA 5500 Series Adaptive Security Appliance provides high availability for your network. After a brief description of active/standby and active/active failover, watch a demonstration of the steps for configuring active/standby failover.

http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

Re: Site to Site VPN with Active/Standby ASA5510

The Admin Guide states that VPN failover is available for Active/Standby failover configurations only.

Also version 7.0 supports VPN as long as stateful failover has been configured: Please read below from the Admin Guide .. I hope it helps ... Please rate it if it does !!!

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables.
• State information for Security Service Cards.

Table 11-3 Failover Configuration Feature Support

Feature                                  Active/Active   Active/Standby
Single Context Mode                      No              Yes
Multiple Context Mode                    Yes             Yes
Load Balancing Network Configurations    Yes             No
Unit Failover                            Yes             Yes
Failover of Groups of Contexts           Yes             No
Failover of Individual Contexts          No              No

(Source: Cisco Security Appliance Command Line Configuration Guide, OL-6721-02, Chapter 11 Configuring Failover, Understanding Failover, page 11-14)

Re: Site to Site VPN with Active/Standby ASA5510

Oops, let me clean it up for you !!!

Also version 7.0 supports VPN as long as stateful failover has been configured: From the Admin Guide ..

I hope it helps ... Please rate it if it does !!!

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

• NAT translation table.
• TCP connection states.
• UDP connection states.
• The ARP table.
• The Layer 2 bridge table (when running in transparent firewall mode).
• The HTTP connection states (if HTTP replication is enabled).
• The ISAKMP and IPSec SA table.
• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

• The HTTP connection table (unless HTTP replication is enabled).
• The user authentication (uauth) table.
• The routing tables.
• State information for Security Service Cards.
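The replies above make the point that the ISAKMP/IPsec SA table only reaches the standby unit when Stateful Failover is configured, which on the ASA means defining a stateful failover link. The following is an added example, not configuration from this thread or from Cisco's guide: a minimal Active/Standby setup on the primary ASA 5510 with a stateful link and a failover key. The interface name, addresses and key are constructed placeholders.

```cisco
! Added example: primary ASA 5510, Active/Standby with a Stateful Failover link.
! FOLINK, Ethernet0/3, the 10.255.0.0/30 addresses and the key are placeholders.
!
! The interface used for failover must be administratively up.
interface Ethernet0/3
 no shutdown
!
! Designate this unit as primary and define the LAN-based failover link.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
!
! The stateful link is what carries the ISAKMP/IPsec SA table (and the other
! tables quoted above) to the standby unit. Without "failover link" only unit
! health is exchanged, and the PIX peer has to renegotiate after a failover.
! Here the same interface carries both failover hellos and state updates.
failover link FOLINK Ethernet0/3
!
! State replication includes the keys of live tunnels, so protect this link:
! put it on a dedicated, isolated segment and set a shared key so failover
! and stateful messages are encrypted instead of being sent in clear text.
failover key REPLACE-WITH-STRONG-SECRET
!
! Enable failover last, once the link configuration is complete.
failover
!
! On the secondary unit the only difference is the unit role:
!   failover lan unit secondary
! followed by the same failover lan interface / failover interface ip /
! failover link / failover key lines, then "failover".
!
! Verification: "show failover" should report the stateful link as up; in its
! Stateful Failover Logical Update Statistics section, the "VPN IKE upd" and
! "VPN IPSEC upd" counters should increment once a tunnel to the PIX is built.
```

If the counters stay at zero while the tunnel is up, the SA table is not being replicated and a failover will behave exactly as the original poster feared.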
