Cisco ASA AnyConnect VPN Deployment

CSCO10675262_2
Level 1

Hi,

I have an enquiry regarding a deployment of ASAs that needs to support more than 10000 clients. I understand that multiple ASAs would be required for it; however, I was wondering what the typical design for it may be. Should the multiple ASAs be set up as a VPN cluster/load balancing/etc.?

It would be appreciated if there are any design documents for it. The present setup is a pair of ASAs in active/standby; I was wondering how to combine the total connections if I require 15000 VPN connections, for example 2 pairs of active/standby with VPN clustering/load balancing/etc.?

Thanks.

Accepted Solution

You are right, VPN load-balancing is the technology you should deploy for that. With that you can combine multiple devices into a load-sharing cluster. These devices can be different, for example two 5555s with two 5545s, which would give you a total of 15000 VPN connections.
Of course you should plan for device failure. So you could deploy 4*5555, and even if one ASA is lost you still have 15000 connections (well, at least based on the data sheet; I wouldn't push the number of connections to the limit).
For redundancy you could also deploy these devices as FO systems. 3*2*5555 would also give you redundancy.

This is all under the assumption that the users connect to the same office where the ASAs have an L2 connection to each other, which is needed for VPN load-balancing. If the users connect through different locations, then these ASAs can't use VPN load-balancing unless you have an L2 connection between the locations.

If you have multiple locations you should also think about the shared-license server, which could save a lot of money if your users don't always use the same gateway.

And the last point: configure as much as possible of your AAA with a central RADIUS server to reduce the probability of misconfiguration on multiple ASAs.


Sent from Cisco Technical Support iPad App
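The design in the accepted answer, written out as one cluster member's configuration. This is an added example, not configuration from the original post or from Cisco documentation: it shows a single ASA that points user authentication at a central RADIUS server, borrows AnyConnect sessions from a shared-license server, and participates in a VPN load-balancing cluster. All interface names, addresses, group names, and keys are assumed placeholders.

```cisco
! Added example: one ASA participating in a VPN load-balancing cluster.
! Addresses, names and keys are assumed placeholders, not values from the post.

! Central RADIUS server for AnyConnect user authentication, so the AAA policy
! is defined once instead of being repeated (and drifting) on every member.
aaa-server CENTRAL-RADIUS protocol radius
aaa-server CENTRAL-RADIUS (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! AnyConnect on the outside interface; the tunnel-group authenticates via RADIUS.
webvpn
 enable outside
 anyconnect enable
tunnel-group ANYCONNECT-USERS type remote-access
tunnel-group ANYCONNECT-USERS general-attributes
 authentication-server-group CENTRAL-RADIUS

! Shared-license participant: borrows AnyConnect sessions from the license
! server (assumed address) instead of holding a full license on every gateway.
license-server address 192.0.2.20 port 50554
license-server secret LICENSE-SECRET-PLACEHOLDER

! VPN load-balancing: every member must be L2-adjacent on the lbpublic and
! lbprivate interfaces. Clients connect to the cluster virtual IP and are
! redirected to the least-loaded member.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key CLUSTER-KEY-PLACEHOLDER
 cluster encryption
 priority 10
 redirect-fqdn enable
 participate
```

Each member carries the same stanza with its own `priority`; the cluster virtual IP must lie on the lbpublic interface's subnet, which is why the answer stresses L2 adjacency. Because the cluster redirects clients to an individual member, each ASA still needs an identity certificate that matches the name clients are redirected to (`redirect-fqdn enable` sends the member's FQDN rather than its IP), and `cluster encryption` keeps the members' load-exchange traffic from being read on the shared segment.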

2 Replies

Hi,

Thanks for the information.