12-06-2011 03:21 AM
Hi,
I have 2 dual ASA 5520 devices running VPN at two geographically different locations.
What is the best way to do failover between the two remote locations?
i.e. can Cisco GSS / Cisco CSM/ACE be used, and if so how would this work?
Also, how would the remote ends behave in this scenario?
Thanks.
12-06-2011 05:59 AM
Hi,
There is no "one best way".
It will depend on what clients are to connect to your ASAs, what technology you want to use, what licenses you have available ;-)
That being said some reading material/food for thought:
- AnyConnect allows you to do Optimal Gateway Selection (OGS).
https://supportforums.cisco.com/docs/DOC-15326
- A solution based on GSS is possible with a fairly recent version of AnyConnect.
(Older versions of ASA do multiple DNS resolutions while connecting - causing problems with pure GSS load balancing).
- ASA's built-in VPN load balancing (if needed, done with GSS)
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834
Hope this helps,
Marcin
12-07-2011 07:19 AM
Thanks. Very interesting.
What I should have mentioned is the remote ends are various-make IPsec devices, i.e. no use of AnyConnect clients,
and it seems the built-in load balancing will only work with certain devices, so not an option right now with IPsec?
Any other thoughts / suggestions welcomed.
12-08-2011 10:19 AM
After much deeper investigations I think using dual peer addresses on the remote ends is the best way forward.
Comments welcomed :-)
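The "dual peer addresses on the remote ends" approach settled on above, shown as an added configuration example (not from any poster in this thread): a Cisco IOS site-to-site peer lists both ASA locations in one crypto map and relies on DPD to detect a dead peer and move to the next. The peer addresses (203.0.113.10 and 198.51.100.10), the key, the ACL and map names, and the interface are constructed placeholders; the proposal strength and DPD timers are assumptions for illustration, and a non-Cisco remote end would express the same two-peer-plus-DPD idea in its own syntax.

```cisco
! IKEv1 policy - values chosen for the example, not from the thread
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per ASA location (placeholder key)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
! Dead Peer Detection: probe every 10 s, retry every 3 s.
! Without DPD the router keeps sending into a black hole until
! the SA lifetime expires, so the second peer is never tried.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Both locations in one crypto map entry: the first "set peer" is
! tried first; on DPD failure IOS negotiates with the next one.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-ACL
!
ip access-list extended VPN-ACL
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

Both ASAs need a matching tunnel definition for this peer's public address, since either may be the active one at any time; verify the failover with `show crypto isakmp sa` while the primary ASA's outside interface is down, and expect traffic to pause for roughly the DPD window plus IKE negotiation time before the secondary tunnel comes up.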