Hi, I have an ASA 5540 at my HQ with 50 or so VPNs. I also have an ASA 5540 at my Data Centre, which is directly connected to my HQ. I wanted to know if it was possible to configure my ASAs in an Active/Standby scenario, where if my primary ASA fails, all the VPNs will remote in via my secondary firewall. If I create a failover group in my ASAs, will the configs sync, or would the firewalls act like a security cluster? Will the outside interface configurations be identical?
Rather than configuring it manually on 50 or so routers, which isn't feasible, could I use a similar method to HSRP to implement a failover group, in case the primary link or ASA fails?
An ASA HA pair (assuming single context - VPN isn't currently supported on multi-context in any case) is created with the presumption that the standby unit will take over the IP addresses from the active unit in the event of a failover event.
So in your scenario, ASA failover would only work if your HQ and data center had a common Internet-facing Layer 3 address space - very unlikely.
Thanks. I must also add that the VPNs are currently initiated by CyberGuards, and not routers, and I believe they can support multiple VPNs, so if the primary VPN fails I believe the CyberGuard will use the secondary VPN to the secondary firewall. Just a thought, I'm not 100% sure, but I will possibly have to test it in a live environment to see if the failover occurs.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: