
Some advice needed for remote ASA VPN failover

Hi,

I have 2 dual ASA 5520 devices running VPN at two geographically different locations.

What is the best way to do failover between the two remote locations?

i.e. can Cisco GSS / Cisco CSM/ACE be used, and if so, how would this work?

Also, how would the remote ends behave in this scenario?

Thanks.

3 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

There is no "one best way".

It will depend on what clients are to connect to your ASAs, what technology you want to use, and what licenses you have available ;-)

That being said some reading material/food for thought:

- AnyConnect allows you to do Optimal Gateway Selection (OGS).

https://supportforums.cisco.com/docs/DOC-15326

- A solution based on GSS is possible with a fairly recent version of AnyConnect.

(Older versions of ASA do multiple DNS resolutions while connecting, causing problems with pure GSS load balancing.)

- ASA's built-in VPN load balancing (if needed, done with GSS)

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834

Hope this helps,

Marcin

Thanks. Very interesting.

What I should have mentioned is the remote ends are various makes of IPSEC devices, i.e. no use of AnyConnect clients,

and it seems the built-in load balancing will only work with certain devices, so not an option right now with IPSEC?

Any other thoughts / suggestions welcomed.

After much deeper investigation, I think using dual peer addresses on the remote ends is the best way forward.

Comments welcomed :-)
