ASA VPN loadbalancing and Firewall failover question

Darren Sasso
Level 1

Is it possible to set up two ASA 5520s in an active/standby state and still take advantage of VPN load balancing, or does each of the ASAs have to be independent to utilize VPN load balancing?

Thanks


acharyr123
Level 3

Yes, it is possible to set up two ASA 5520s in A/S mode. But load balancing will not take place.

In Active/Active mode this facility is available.

Please rate if it helps

Thanks for the info

What about VPN Load Balancing specifically? In the document located here:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#intro

It says "Note: VPN failover is not supported on units that run in multiple context mode. VPN failover is available for Active/Standby Failover configurations only."

Active/Active requires multiple contexts. Therefore, VPN failover will not work in Active/Active. But it does not say anything about VPN clustering or load balancing, which is the functionality I believe he meant. VPN clustering is covered here:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00805fda25.shtml#intro

But it says in the Requirements section: "VPN users are able to connect to all ASAs with the use of their individually assigned public IP address."

It's saying that each ASA having its own individually assigned public IP is a requirement for VPN clustering. Therefore, how could it be possible using Active/Active failover?

Roman Rodichev
Level 7

Confirmed and tested

You cannot do VPN load balancing if you have failover enabled. If VPN load balancing is enabled and you then enable failover, the VPN load balancing database loses the standby peer.

The following statement in Cisco's ASA config guide is NOT true:

"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."

And I'm sure they are referring to VPN load balancing and not to Active/Active load balancing, because the URL link after that statement goes directly to the VPN load balancing section of the ASA configuration guide.

This means that if a customer wants to get a pair of ASAs for firewalls and also wants to use SSL VPN, he must buy twice as many SSL VPN licenses. The only other way is to get a second pair of ASAs just for VPN.

I've asked many Cisco folks about this and no one seems to know when this licensing issue is going to get resolved. Many of my customers shy away from SSL VPN just because of this issue.
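To make the two deployments the thread contrasts concrete, here is an added configuration example (editor's illustration, not posted by anyone in this thread and not taken from the Cisco guides linked above). It shows the two mutually exclusive options as the replies describe them: two independent ASAs forming a VPN load-balancing cluster, versus two ASAs in an Active/Standby failover pair. Interface names, the 192.0.2.0/24 and 10.255.255.0/30 addresses, the cluster key and the hostnames are assumed placeholders; replace them with your own. The `show` commands at the end are the checks you would run to confirm which state a box is actually in.

```cisco
! ===== Option A: VPN load balancing on two INDEPENDENT ASAs =====
! Each unit has its own outside address (a stated requirement for
! VPN clustering); 192.0.2.10 is the shared virtual cluster address
! that remote-access clients connect to. Addresses are assumed.
!
! --- asa-vpn-1 (priority 10, master candidate) ---
hostname asa-vpn-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
! cluster encryption protects the cluster heartbeat/redirect traffic;
! it needs ISAKMP enabled on the private (inside) interface.
crypto isakmp enable inside
vpn load-balancing
 priority 10
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.0.2.10
 cluster port 9023
 cluster key <assumed-shared-secret>
 cluster encryption
 participate
!
! --- asa-vpn-2 (identical, except its own address and a lower priority) ---
hostname asa-vpn-2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
crypto isakmp enable inside
vpn load-balancing
 priority 5
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.0.2.10
 cluster port 9023
 cluster key <assumed-shared-secret>
 cluster encryption
 participate

! ===== Option B: Active/Standby FAILOVER pair (no VPN load balancing) =====
! A single logical firewall; the standby unit only takes over on failure.
! Per the reply above, do not also configure "vpn load-balancing" here.
!
! --- primary unit ---
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <assumed-failover-key>
!
! --- secondary unit (same failover link, "secondary" role) ---
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <assumed-failover-key>

! ===== Checks =====
! Option A: both units must appear as peers; if one disappears after
! enabling failover, you are seeing the behaviour the reply describes.
show vpn load-balancing
! Option B: confirm roles and that the standby is "Standby Ready".
show failover
```

Note on the choice: with Option A each unit terminates its own tunnels and needs its own SSL VPN license count, which is exactly the licensing cost the reply above objects to; with Option B the standby unit terminates nothing until it takes over. Cluster messages carry redirect information for clients, so `cluster key` and `cluster encryption` should not be left out on a public-facing interface.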

I'm not sure it is a license question. I can use WebVPN on the standby unit. I just have to give it the correct URL https://v.x.y.z/+CSCOE+/logon.html
