New Member

remote vpn asa

Hi,

We are configuring a remote access VPN using two ASAs. These ASAs use a RADIUS server for authentication and have ACS connected. A few doubts on this setup:

1. What attribute needs to be enabled on Cisco ACS for the ASA to work with the required AD groups?

2. The ASAs have been configured for VPN load balancing. How do we test both ASAs for load balancing or failover using a test switch?

Thanks in advance.


9 REPLIES

Re: remote vpn asa

Sent from Cisco Technical Support Android App

New Member

remote vpn asa

Both ASAs are not connected to the network; they are in the staging and configuration phase.

Hence I wanted to know the answers to the above two queries.

Thanks.

Re: remote vpn asa

Hi!

Basically, to authenticate against RADIUS you need to create the RADIUS client on the ACS / RADIUS server and configure the server instance on the ASA...

To authorize the users you can use attribute 25.

To test the VPN load balancing with one switch, you can connect the outside interface to one VLAN and the inside to another VLAN (on both ASAs)...

Then you can test the settings.

Please let me know.

Sent from Cisco Technical Support Android App

New Member

remote vpn asa

Javier, the server instance groups have been created on the ASA. However, what attribute, and where exactly under ACS, will I need to enable on ACS so the ASAs and ACS can work together?

Second question: there is a failover (active/standby) option and a VPN load balance option in the ASA. If I only enable VPN load balance and assign each ASA a different priority, will the ASAs still be able to do a failover in case one of them fails, or is it necessary to configure active/standby failover also even if load balance is configured?

Thanks again.

Re: remote vpn asa

Hi,

1)

In order to authenticate there is no need to define any attribute; I just want to make sure that is clear.

On the other hand, to define different attributes or restrictions according to the group in AD you can use RADIUS attribute 25.

To configure it on ACS, please check on this link:

Configure ACS to Assign a Group Policy at Login using RADIUS

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

On the ASA side, all you need is to make sure that the group-policy exists.

2)

A failover pair cannot load-balance sessions between each other.

A failover pair can be in load balancing with one or many other units (those units can run failover, but they will be seen as one unit from the load-balancing point of view).

Please let me know.

Thanks.
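As an added example (not from the thread or from the Cisco page linked above), the ASA configuration that ties the two points together: a RADIUS server group for ACS, the group-policies that ACS selects by returning RADIUS attribute 25 (Class) as `OU=<policy-name>;`, and VPN load balancing on each unit. Server addresses, keys, pool and policy names are placeholders.

```cisco
! --- ASA side (both units): RADIUS authentication/authorization against ACS ---
! Server address and shared secret are placeholders.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.10
 key <SHARED-SECRET>

! Group-policies ACS can hand out. Each name must exist here, because the ASA
! applies a Class value only when a group-policy of that name is defined.
! On ACS, the authorization profile for AD group "VPN-Staff" (placeholder)
! returns IETF RADIUS attribute 25 (Class) = OU=GP-STAFF;  (trailing semicolon)
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools value POOL-STAFF
group-policy GP-CONTRACTOR internal
group-policy GP-CONTRACTOR attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-CONTRACTOR
 vpn-filter value ACL-CONTRACTOR

! Default policy denies logins, so a user ACS did not map to a group gets no tunnel.
group-policy GP-DENY internal
group-policy GP-DENY attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-DENY

! --- VPN load balancing (configure on each unit; priority differs per unit) ---
! This distributes sessions and elects a master; it is not an active/standby
! failover pair, which is configured separately with the "failover" commands.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 priority 10
 cluster ip address 203.0.113.100
 cluster port 9023
 cluster encryption
 cluster key <CLUSTER-KEY>
 participate
```

With the test switch wired as Javier describes (outside interfaces in one VLAN, inside in another), `show vpn load-balancing` on each unit shows which one holds the master role and the session counts per member.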

New Member

remote vpn asa

Thanks Javier,

A last query on failover though: I have configured VPN load balancing on both ASAs. Do I need to configure active/standby failover also?

Will load balancing alone cause one unit to become the active unit if there is any failure on the other unit?

Thanks.

Re: remote vpn asa

Hi

No, VPN load balancing does not offer any kind of failover.

Sent from Cisco Technical Support Android App

New Member

remote vpn asa

But I understand it has these priorities assigned to it, so in case one fails the other takes over based on the priority.

Isn't that the case? And would that not imply a sort of failover taking over for the failed unit?

If the above is incorrect, does it mean we still have to configure the usual firewall failover feature even though load balancing has been configured?

Thanks.

Re: remote vpn asa (Accepted Solution)

Hi,

The priority is to define who is the Master; if it fails, the next one with the higher priority will take the role of the Master, but that is not failover. If you still need to have a mechanism to ensure network availability during a hardware or software failure, a failover pair needs to be configured.

VPN load-balancing is not failover.

Sent from Cisco Technical Support Android App
