VPN ASA 2110 clustering

Amafsha1
Level 2

Hello,

I currently have a 2110 running ASA image. It's used for AnyConnect only. I have 1 arm on the outside (connected through a L2 switch) and 1 arm on the inside (connected through a L2 switch). I bought another 2110 and plan to put ASA image on it and cluster it with my current ASA. Can anyone point me to good documentation around setting this up? I found some good documentation, but it only seems to be for when connecting to Nexus cores using VPCs and not regular port-channels to a 3750 switch, for example. Also, none of the documents seem to point to being able to use the cluster control link via a direct connection between the 2 ASAs; instead it must go through a switch. Is it not possible to build the cluster control link by directly connecting cables from one ASA to the other ASA?

2 Accepted Solutions


Marvin Rhoads
Hall of Fame

Don't cluster. Instead just set up simple ASA Active/Standby High Availability (HA). This advice applies for ASA on ASA appliance, ASA on Firepower appliance or even FTD on Firepower appliance scenarios. Clustering generally only makes sense when you are running more than two appliances to gain the increased throughput of a cluster.

No multiple contexts are required. No CCL required, no restriction on inside and outside switches, much easier to setup and works perfectly.

SSL VPN sessions will be synced between active and standby units, and if the Active unit fails, clients will seamlessly be handled by the former Standby unit (newly Active).

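As an added illustration of the Active/Standby HA design recommended above (example configuration, not part of the original post or of any Cisco document): the failover bootstrap for two Firepower 2110s running the ASA image. Interface names (Ethernet1/x), all addresses and the shared secret placeholder are assumptions for this example; the two data interfaces mirror the single-arm inside/outside layout described in the question.

```cisco
! Primary unit (Firepower 2110 running the ASA image; interface names
! Ethernet1/x and all addresses below are constructed for this example).
!
! Dedicated failover link cabled directly between the two units. Unlike a
! cluster CCL, a back-to-back failover link is the normal design: peer health
! is judged by hello packets on this link and on the monitored data interfaces.
failover lan unit primary
failover lan interface FOVER Ethernet1/8
failover interface ip FOVER 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Carry stateful replication (including the VPN session table) on the same link.
failover link FOVER Ethernet1/8
! Authenticate and encrypt failover traffic so a host that reaches this
! segment cannot read replicated state or inject failover messages.
failover ipsec pre-shared-key PLACEHOLDER_SHARED_SECRET
!
! Each data interface gets an active and a standby address. The standby unit
! takes over the active address (and MAC) on failover, so AnyConnect clients
! keep using the same outside IP and DNS name.
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 no shutdown
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
 no shutdown
!
! Monitor the interfaces that matter, so a dead outside link triggers failover
! instead of leaving an active unit that no client can reach.
monitor-interface outside
monitor-interface inside
failover polltime unit 1 holdtime 3
failover
!
! Secondary unit: only the failover bootstrap is configured by hand; the
! interfaces and VPN configuration are replicated from the active unit.
failover lan unit secondary
failover lan interface FOVER Ethernet1/8
failover interface ip FOVER 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover link FOVER Ethernet1/8
failover ipsec pre-shared-key PLACEHOLDER_SHARED_SECRET
failover
!
! Verify on either unit with "show failover": expect one unit "Active" and the
! other "Standby Ready", with the stateful failover link listed as configured.
```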

You set the priority on one of the ASAs to be the master and it will redirect the traffic to the other devices. It does this because the master will monitor the workload on the other devices and divide up the connections based on the feedback from the other servers in the cluster.


18 Replies

Francesco Molino
VIP Alumni
Hi
Firepower 2100 doesn't support clustering but supports HA.

Here is documentation on how to configure HA on ASA:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/ha-failover.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you.  I'm running an ASA image on the 2110s though, not FTD.  Is this still the case?

Yes. If you take a look at Cisco documentation, you'll see it always mentions 4100/9300 Firepower devices but not 2100:
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/asa-cluster-solution.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The reason why it's pointing to Nexus vPC instead of 3750 is because of the MEC feature (multichassis EtherChannel), which is supported on Nexus and VSS. It's not supported on 3750. Instead you can use stacking with 3750.

CCL shouldn't be back to back. If one ASA goes down, the other ASA will be in split brain, because the physical interfaces on both interfaces will be down and hence both ASAs won't know whether its own interface is down or the peer's. If it goes over a switch and one ASA goes down, the interface on the other one will stay up and hence it will know that the peer is down.

Also, AnyConnect with clustering has restrictions. Do you really need clustering if you use FTD for AnyConnect only? It seems like overkill. I think you need to relook at your requirements.

*** please remember to rate useful posts

Thank you.  I'm not doing FTD on the 2110, I'm doing ASA image.  

Yes, I think it's necessary. I only have 1 VPN and if it fails, I lose all my clients. So I need to build some sort of redundancy in case my ASA VPN fails.

With ASA HA, SSL VPN failover is supported.
Here is documentation explaining what is supported or not in HA mode:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asdm78/general/asdm-78-general-config/ha-failover.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you very much and sorry for the late reply. One thing I'm confused about is, since my ASA right now is just a single context, I would purchase the second ASA and make them both into dual context for a total of 4 contexts. What new context do I make? So I guess I'm wondering if all these contexts would be the same config?

I don't believe active/active would be possible in my scenario. The way I understand it now is that when you have 2 contexts, you can have one ASA be primary for context1 while the other physical ASA is secondary for context1, while the other ASA is primary for context2 and the first ASA is secondary for context2. If you have only 1 context (the AnyConnect VPN server), then you can't have another of the same server be active, so it would have to be configured as active/standby, correct?

You can have anyconnect clients on both contexts.
Take a look here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html

Active/standby vs active/active will depend on your whole design and what you're trying to achieve.
In most common cases, ha active/standby will be enough.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks, Marv. Yeah, it looks like for my setup Active/Standby is the only possible way.

Why wouldn't you want to run VPN Load balancing? This is NOT the same as clustering or firewall active/standby. In this scenario you would just enable VPN Load balancing and run each 2100 (on ASA code) as a separate VPN server, then use the CLI or ASDM to create a VPN Load balancing pair. The technology has been around forever, and here is an older link describing how to configure it.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68328-remotevpn-loadbal-asa.html

In this manner, you can have N+1 or have both servers up at the same time. This would provide more throughput capacity so long as you never exceed the 750 user limit (if you only have two boxes). I am seeing more strain on bandwidth right now than I am on user counts.

Thank you for bringing this up because Active/Standby will not suffice in my scenario because I need to LB the connections because work from home is growing.  

 

I have 1 question that is not stated in the article. So our VPN DNS name vpn.xxx.com resolves to 1 IP address, so when a user connects to our VPN, how does this connection get LB'd to the other box? Because they both have different IPs, so I'm not sure how the LB'ing works here.
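As an added illustration of the VPN load-balancing option raised in the thread (example configuration, not from the original posts or the linked Cisco article): the group is built around a virtual cluster address that the DNS name points to, and the member currently acting as director answers on that address and redirects each new client to the chosen member's own address. Interface names, addresses and the secret placeholder are assumptions for this example.

```cisco
! VPN load-balancing group on two Firepower 2110s running the ASA image.
! Interface names, addresses and the key placeholder are constructed here.
!
! Unit A (own outside address 203.0.113.11)
vpn load-balancing
 ! The higher priority becomes director when both units start together.
 priority 10
 ! Public interface for client traffic, private interface for the
 ! load-balancing messages exchanged between members.
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual address shared by the group: point vpn.xxx.com at this IP.
 ! Only the current director answers on it; members keep their own IPs.
 cluster ip address 203.0.113.100
 cluster port 9023
 ! Shared secret authenticating load-balancing messages between members.
 cluster key PLACEHOLDER_LB_SECRET
 ! Encrypt member-to-member load-balancing traffic
 ! (requires IKEv1 enabled on the lbprivate interface: crypto ikev1 enable inside).
 cluster encryption
 ! Hand clients a member FQDN instead of a bare IP on redirect; needs a DNS
 ! server and reverse entries for each member configured on the ASA.
 redirect-fqdn enable
 participate
!
! Unit B (own outside address 203.0.113.12): identical apart from priority.
vpn load-balancing
 priority 5
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.100
 cluster port 9023
 cluster key PLACEHOLDER_LB_SECRET
 cluster encryption
 redirect-fqdn enable
 participate
!
! Because the client first connects to the virtual address and is then
! redirected to a member's own address, each member's identity certificate
! must be valid for the shared name (vpn.xxx.com) as well as its own name.
! Verify with "show vpn load-balancing" on each member.
```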
