Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Some advice needed for remote ASA VPN failover

Hi,

I have 2 dual ASA 5520 devices running VPN at two geographically different locations.

What is the best way to do failover between the two remote locations ?

i.e. can Cisco GSS / Cisco CSM/ACE be used and if so how would this work.

also how would the remote ends behave in this scenario

Thanks.

3 REPLIES
Cisco Employee

Some advice needed for remote ASA VPN failover

Hi,

There is no "one best way".

it will depend on what clients are to connect to your ASAs, what technology you want to use, what licenses you have available ;-)

That being said some reading material/food for thought:

- Anyconnect allows you do to Optimal Gatwat Selection (OGS).

https://supportforums.cisco.com/docs/DOC-15326

- Solution based on GSS is possible with fairly recent version of Anyconect.

(Older versions of ASA do multiple DNS resolutions while connecting - causing problem with pure GSS load balancing).

- ASA's built in VPN Load balancing (if needed done with GSS)

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834

Hope this helps,

Marcin

New Member

Some advice needed for remote ASA VPN failover

Thanks. Very intersting.

What I should have mentioned is the remote ends are various make IPSEC devices. i.e. no use of anyconnect clients

and it seems the built in load balancing will only work with certain devices so not an option right now with IPSEC ?

Any other thoughts / suggestions welcomed

New Member

Some advice needed for remote ASA VPN failover

After much deeper investigations I think using dual peer addresses on the remote ends is the best way forward.

Comments welcomed :-)

527
Views
0
Helpful
3
Replies
CreatePlease login to create content