Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

High Availability with ASAs

Currently Being Moderated

ASA VPN Redundancy

Hi, I have an ASA 5540 at my HQ with 50 or so VPNs, I also have a ASA 5540 at my Data Centre which is directly connected to my HQ, I wanted to know if it was possible to configure my ASAs in an Active/Standby scenario, where if my primary ASA fails, all the VPNs will remote in via my Secondary firewall, if I create a failover group in my ASAs, will the configs sync or would the firewalls act like a security cluster - will the outside interface configurations be identical.

Rather than configuring it manually on 50 or so routers which isn't feasible, could I use a similar method to HSRP to implement a failover group, in case the primary link or ASA fails.

Thanks

Drawing1.jpg

3 REPLIES
Hall of Fame Super Silver

High Availability with ASAs

An ASA HA pair (assuming single context - VPN isn't currently supported on multi-context in any case) is created with the presumption that the standby unit will take over the IP addresses from the active unit in the event of a failover event.

So in your scenario, ASA failover would only work if your Hq and data center had a common Internet-facing Layer 3 address space - very unlikely.

High Availability with ASAs

Hello,

Also in order to replicate the VPN sessions you will need to do a stateful failover.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

High Availability with ASAs

Thanks, I must also add that the VPNs are currently initiated by CyberGuards, and not routers, and I believe thay can support multiple VPNs, so if the primary VPN fails I believe the CyberGuard will use the secondary VPN to the secondary firewall, just a thought, I'm not 100% sure, but possibly have to test it in a live environment to see if the failover occurs.

479
Views
0
Helpful
3
Replies
CreatePlease to create content