Site to Site VPN with Active/Standby ASA5510

dbrisson
Level 1

Hello,

I was wondering if someone can answer my question regarding the following scenario. I am looking at implementing an Active/Standby pair of ASA 5510s that will terminate a site-to-site VPN to a PIX 501. My thought is that if the Active 5510 fails, I'll still be able to maintain the VPN connection to the Standby 5510. My understanding is that VPN state information is not going to transfer over to the Standby 5510, I would need an Active/Active configuration for that to happen. That being the case, in a failure scenario the PIX 501 will actually be communicating to the Standby 5510 that doesn’t have any of the existing tunnel information. I’ve seen instances in the past (not with ASAs at the headend) where the PIX 501 doesn’t know to tear down the old tunnel and reestablish a new one. My question is, will that be the case here and is there a way around it, other than Active/Active at the headend?

Thanks!

3 Replies

smahbub
Level 6

Active/Standby Failover for ASA 5500

Learn how the failover feature of the Cisco ASA 5500 Series Adaptive Security Appliance provides high availability for your network. After a brief description of active/standby and active/active failover, watch a demonstration of the steps for configuring active/standby failover.

http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

Fernando_Meza
Level 7

The Admin Guide states that VPN failover is available for Active/Standby failover configurations only.

Also version 7.0 supports VPN as long as stateful failover has been configured: Please read below from the Admin Guide .. I hope it helps ... Please rate it if it does !!!

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

• NAT translation table.

• TCP connection states.

• UDP connection states.

• The ARP table.

• The Layer 2 bridge table (when running in transparent firewall mode).

• The HTTP connection states (if HTTP replication is enabled).

• The ISAKMP and IPSec SA table.

• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

• The HTTP connection table (unless HTTP replication is enabled).

• The user authentication (uauth) table.

• The routing tables.

• State information for Security Service Cards.

Table 11-3 Failover Configuration Feature Support

Feature                                  Active/Active   Active/Standby
Single Context Mode                      No              Yes
Multiple Context Mode                    Yes             Yes
Load Balancing Network Configurations    Yes             No
Unit Failover                            Yes             Yes
Failover of Groups of Contexts           Yes             No
Failover of Individual Contexts          No              No

(Cisco Security Appliance Command Line Configuration Guide, OL-6721-02, Chapter 11 Configuring Failover, Understanding Failover, page 11-14)

Oops, let me clean it up for you !!!

Also version 7.0 supports VPN as long as stateful failover has been configured: From the Admin Guide ..

I hope it helps ... Please rate it if it does !!!

When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.

The state information passed to the standby unit includes the following:

• NAT translation table.

• TCP connection states.

• UDP connection states.

• The ARP table.

• The Layer 2 bridge table (when running in transparent firewall mode).

• The HTTP connection states (if HTTP replication is enabled).

• The ISAKMP and IPSec SA table.

• GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the

following:

• The HTTP connection table (unless HTTP replication is enabled).

• The user authentication (uauth) table.

• The routing tables.

• State information for Security Service Cards.
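The point of the quoted guide text, for the original question, is that stateful failover (not Active/Active) is what keeps the tunnel up: the ISAKMP and IPsec SA table is in the list of replicated state, and on failover the standby unit takes over the active unit's interface IP and MAC addresses, so the PIX 501 keeps talking to the same peer and never has to detect a dead tunnel and rebuild it. As an added illustration, not taken from this thread or from the Cisco guide, here is what a minimal Active/Standby configuration with a state link looks like on the primary ASA 5510, followed by the commands to confirm that replication is happening. The interface choice (Ethernet0/3), the link name FOLINK, all addresses and the key placeholder are assumptions; adapt them to your own deployment.

```text
! Added example (not from the thread or the Cisco guide): primary ASA 5510,
! Active/Standby LAN-based failover with Stateful Failover on a shared link.
! Assumptions: Ethernet0/3 is free for the failover link, the link is named
! FOLINK, and 10.255.255.0/30 is unused. Replace <failover-key> with a real
! shared secret; it authenticates and encrypts the replicated state.

interface Ethernet0/3
 description Failover and state link to the standby unit
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <failover-key>
failover
!
! Every monitored data interface carries a standby address. The active unit
! owns the primary address (and its MAC); the standby takes both over on
! failover, so the peer address the PIX 501 sees never changes.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! The secondary unit needs only the failover commands (failover lan unit
! secondary, failover lan interface, failover interface ip, failover key,
! failover); the rest of the configuration replicates from the primary.
!
! Checks once both units are up:
!   show failover          -> "Stateful Failover Logical Update Statistics"
!                             with a Link line for FOLINK and counters that
!                             increase as connections and SAs are built
!   show failover state    -> one unit Active, the other Standby Ready
!   show crypto ipsec sa   -> run on the standby: the SAs to the PIX 501
!                             appear there once the active unit builds them
```

If the failover link is the only thing carrying state, put it on a dedicated, directly connected interface or VLAN: state replication runs continuously, and a congested or shared link is the usual reason the standby comes up without the SA table and the tunnel has to be renegotiated after all.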
