12-06-2011 03:21 AM
Hi,
I have 2 dual ASA 5520 devices running VPN at two geographically different locations.
What is the best way to do failover between the two remote locations?
I.e. can Cisco GSS / Cisco CSM/ACE be used, and if so, how would this work?
Also, how would the remote ends behave in this scenario?
Thanks.
12-06-2011 05:59 AM
Hi,
There is no "one best way".
It will depend on what clients are to connect to your ASAs, what technology you want to use, and what licenses you have available ;-)
That being said, some reading material/food for thought:
- AnyConnect allows you to do Optimal Gateway Selection (OGS).
https://supportforums.cisco.com/docs/DOC-15326
- A solution based on GSS is possible with a fairly recent version of AnyConnect.
(Older versions of ASA do multiple DNS resolutions while connecting, causing problems with pure GSS load balancing.)
- ASA's built-in VPN load balancing (if needed, done with GSS)
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834
Hope this helps,
Marcin
12-07-2011 07:19 AM
Thanks. Very interesting.
What I should have mentioned is the remote ends are various makes of IPsec devices, i.e. no use of AnyConnect clients.
And it seems the built-in load balancing will only work with certain devices, so not an option right now with IPsec?
Any other thoughts / suggestions welcomed
12-08-2011 10:19 AM
After much deeper investigations I think using dual peer addresses on the remote ends is the best way forward.
Comments welcomed :-)
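Added illustration, not part of the thread above: what "dual peer addresses on the remote end" looks like in configuration. The thread says the remote devices are of various makes, so a Cisco IOS router is assumed here purely for illustration; the peer addresses (203.0.113.10, 198.51.100.10), the pre-shared key, the ACL and the map/transform-set names are placeholders, not values from the thread.

```cisko
! --- Remote-end IOS router, added example (assumed platform, placeholder values) ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! One pre-shared key entry per ASA; both ASAs must be configured with the same key for this remote.
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.10
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.10
! Dead Peer Detection is what actually drives the failover: probe every 10 s, give up after 3 misses.
! Without DPD the router keeps using a dead SA until the SA lifetime expires.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
! Interesting traffic: site LAN to datacentre LAN (placeholder prefixes).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map CM-DC 10 ipsec-isakmp
 ! "default" marks the preferred peer: the router tries 203.0.113.10 first, falls back to
 ! 198.51.100.10 when DPD declares it dead, and returns to the default peer once it is reachable again.
 set peer 203.0.113.10 default
 set peer 198.51.100.10
 set transform-set TS-AES256
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 crypto map CM-DC
```

Two things to check when using this approach: the two ASAs at the different sites do not share IKE/IPsec SA state, so failover means the remote end renegotiates the tunnel from scratch rather than resuming it (expect a gap of roughly the DPD timeout plus the IKE exchange); and the routing behind the ASAs must deliver return traffic for the remote LAN to whichever ASA currently holds the tunnel, or traffic will flow one way only after the switch.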