Implementing VPN clustering (VPN load balancing) means building a virtual cluster by logically grouping two or more ASAs or VPN concentrators on the same subnet. To an outside client the virtual cluster looks like a single device reachable at a single virtual IP address. A VPN client attempting a VPN session connects first to this virtual address but it quickly
Policy-based IPsec tunnelling is probably the most widely used way of getting two offices to communicate securely (at least in the SMB market).
Today I'm going to discuss how you can configure two ASAs to fail over to their secondary WAN, and then have their tunnels fail over as well.
One should always aim for two ISPs if the business needs to rely on the tunnel. The question to ask oneself is "If this tunnel goes down, can I continue working?"
If the answer is no, then you need a secondary ISP at a minimum.
I’m going to begin the config for ASAv-1 (left network)…
First let's get some basic "optimisations" out of the way:
The first block enables ICMP inspection, so the ASA tracks each echo request by address and expected reply code and only lets the matching reply back in.
The next command (sysopt connection tcpmss) clamps the TCP MSS so that packets don't need fragmenting once the tunnel's ESP overhead is added.
The one after it (sysopt connection preserve-vpn-flows) keeps the existing session table entries if the VPN bounces, so recovery is quicker.
Now let’s configure the LAN and WAN and their security levels.
Configure an IP SLA monitor to ping Google via the first outside interface.
Connect a track object to the IP SLA so we can reference it in the route later.
Tell the ASA to use Outside as the primary WAN (default route with AD 1, tied to the track object) and to fail over to Outside2 (a floating default route with AD 2) when the track object goes down.
Configure basic dynamic PAT for both WAN interfaces.
Now let’s configure the VPN:
Enable IKEv1 on both WAN interfaces.
Set our preferred IKE policy for all VPNs.
Create a tunnel-group for each of the other side's WAN addresses, both with the same pre-shared key; without the second tunnel-group the far end's IKE request from its backup address is silently ignored.
Configure the ACL that matches the traffic to be protected.
Configure the IPsec encryption parameters (the transform set).
Configure the crypto map for the tunnel with two peers (primary first, then backup), then bind it to both WAN interfaces.
Finally configure identity (NAT-exempt) rules for both WAN interfaces so that VPN traffic is not PATed and traverses properly.
Now let's configure the right network's ASA. I will put that whole config down here, since it's basically a mirror.
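The steps above, written out as one complete ASAv-1 configuration with the mirrored changes for ASAv-2 noted at the end. This is an added example, not the page's own config: the interface names, the RFC 5737 WAN addresses (203.0.113.x, 198.51.100.x), the 192.168.1.0/24 and 192.168.2.0/24 LANs, and the object/ACL/crypto-map names are all assumptions for a lab. It uses post-8.3 NAT syntax and IKEv1 because that is what the page describes; on a current ASA you would use IKEv2 and the same structure.

```cisco
! ---- ASAv-1 (left network); constructed lab addressing, adjust to your own ----
! ICMP inspection, MSS clamp, and keep flows across a VPN bounce
policy-map global_policy
 class inspection_default
  inspect icmp
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif Outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! IP SLA probe out of the primary WAN; the AD-1 default route is withdrawn when it fails
sla monitor 10
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route Outside2 0.0.0.0 0.0.0.0 198.51.100.1 2
!
! NAT: identity rules FIRST (manual NAT is evaluated in order) so tunnel traffic is never PATed.
! route-lookup makes the ASA pick the egress interface from the routing table, i.e. the WAN
! that is currently up, instead of the interface named in the rule.
object network LAN-LEFT
 subnet 192.168.1.0 255.255.255.0
object network LAN-RIGHT
 subnet 192.168.2.0 255.255.255.0
nat (Inside,Outside) source static LAN-LEFT LAN-LEFT destination static LAN-RIGHT LAN-RIGHT no-proxy-arp route-lookup
nat (Inside,Outside2) source static LAN-LEFT LAN-LEFT destination static LAN-RIGHT LAN-RIGHT no-proxy-arp route-lookup
nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside2) source dynamic any interface
!
! IKEv1 on both WANs, one policy, one tunnel-group per remote WAN address (same PSK in both).
! DPD (isakmp keepalive) is what makes the ASA notice a dead peer and try the next one quickly.
crypto ikev1 enable Outside
crypto ikev1 enable Outside2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <same-strong-psk-both-sides>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <same-strong-psk-both-sides>
 isakmp keepalive threshold 10 retry 2
!
! Interesting traffic, transform set, crypto map with BOTH peers, bound to BOTH WAN interfaces
access-list VPN-TO-RIGHT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map CM-WAN 10 match address VPN-TO-RIGHT
crypto map CM-WAN 10 set peer 203.0.113.20 198.51.100.20
crypto map CM-WAN 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-WAN interface Outside
crypto map CM-WAN interface Outside2
!
! ---- ASAv-2 (right network) is the mirror of the above: Inside 192.168.2.1/24,
! ---- Outside 203.0.113.20 and Outside2 198.51.100.20, the ACL reversed
! ---- (192.168.2.0/24 -> 192.168.1.0/24), LAN-LEFT/LAN-RIGHT swapped in the NAT rules,
! ---- tunnel-groups for 203.0.113.10 and 198.51.100.10, and
! ---- "crypto map CM-WAN 10 set peer 203.0.113.10 198.51.100.10".
```

The two things most often missed when this is built by hand are the ordering of the identity NAT rules (they must precede the dynamic PAT rules or the VPN traffic gets PATed and never matches the crypto ACL) and the second tunnel-group on each side: each ASA must accept IKE from whichever of the peer's two WAN addresses is currently in use.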
Use the "show vpn-sessiondb l2l" command to view the status of the tunnel, like below.
A healthy tunnel will show both TX and RX bytes increasing.
An unhealthy tunnel will either show "There are presently no active sessions", or it might show TX or RX bytes but not both (TX without RX usually means the far side is dropping or mis-routing the return traffic, typically a NAT or crypto ACL mismatch on that side).
It also helps, of course, to just ping across the tunnel; here I am pinging from 2.10 to 1.10.
Ok now let’s initiate some failover and test:
Shut down the primary WAN on ASA 2 (right network). Let's first confirm which interface that is:
Perfect, it looks to be G0/0 as we expected.
Run this debug command to watch the IPsec negotiation and confirm the failover.
OK, now shut off int g0/0.
OK, let's confirm the track object did its job and that we failed over to our floating static default route with an AD of 2.
Yup, looks like we are good there.
Now if I ping again from 2.10 to 1.10 the tunnel should renegotiate, this time out of Outside2 to the peer's backup address.
We would also see these decrypt messages from the ASA.
Perfect, the failover worked. Now do an "undebug all" from privileged EXEC to return the ASA to normal, and bring the interface back up to test fail-back.
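The verification and failover test just described, as one command sequence on ASAv-2. This is an added example rather than the page's own output; it assumes the lab addressing from the configuration above (right LAN 192.168.2.0/24, left host 192.168.1.10, primary WAN on GigabitEthernet0/0).

```cisco
! ---- ASAv-2 (right network), privileged EXEC ----
! Which physical interface is the primary WAN, and is the tunnel currently up?
show nameif
show vpn-sessiondb l2l
! Pinging from the Inside address (192.168.2.1) matches the crypto ACL and brings the tunnel up
ping Inside 192.168.1.10
!
! Watch IKE and IPsec while we break the primary WAN
debug crypto ikev1 127
debug crypto ipsec 127
configure terminal
 interface GigabitEthernet0/0
  shutdown
 end
!
! Track object should now be Down and the AD-2 default via Outside2 should be the one installed
show track 1
show route | include 0.0.0.0
!
! New traffic re-triggers the crypto map, now out of Outside2; the peer must answer on its
! own backup address, which is why both sides carry two tunnel-groups and two peers
ping Inside 192.168.1.10
show vpn-sessiondb l2l
show crypto ipsec sa | include peer|#pkts
!
! Stop debugging, restore the primary WAN, and confirm the AD-1 route and tunnel come back
undebug all
configure terminal
 interface GigabitEthernet0/0
  no shutdown
 end
show track 1
show vpn-sessiondb l2l
```

The "show crypto ipsec sa" line is the quickest way to prove the new SA really is built to the backup peer: the "current_peer" should now be the far side's Outside2 address, and both #pkts encaps and #pkts decaps must climb while you ping.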
KB ID 0001114
Usually when I'm asked to set up Active/Active I cringe, not because it's difficult, but simply because people assume Active/Active is better than Active/Standby. I hear comments like "we have paid for both firewalls, let's use them", or "I want to sweat both assets".
The only real practical use cases I can think of for Active/Active are:
- You have a multi-tenancy environment and want to offer your tenants failover firewall capability.
- You have multiple LAN subnets and want to split them through different firewalls.
What Active/Active Won't Give You
Load balancing: it's a firewall! If you want load balancing, buy a load balancer. People assume that because both firewalls are passing traffic they must be load balancing; they don't. In fact they don't even pass traffic for the same subnet: each context (and its subnets) is active on exactly one physical unit at a time.
VPNs: yes, there are no VPNs with Active/Active. (This is 100% the case up to and including version 9.0; after 9.0 Cisco stopped saying it's not supported in multiple context mode but didn't say it is, so check the release notes for your version before relying on it.)
Deploy Cisco ASA in Active/Active Failover
Here's what I'm going to set up:
For a more "logical" view, here's what is actually being set up:
1. Make sure the licences on the firewalls allow multiple contexts and Active/Active. For the 5510, 5512-X and 5508-X that means Security Plus; for all other models a "base" licence is enough. (Note: this CANNOT be done on an ASA 5505 or 5506-X.)
2. Put the firewalls in multiple context mode.
3. Let it reboot.
4. Make sure the firewall is in routed mode and multiple context mode; repeat on the other firewall.
5. Once ASA1 is back up, give it a sensible hostname, make sure all the physical interfaces (and any sub-interfaces) are NOT shut down (they are shut down by default in multiple context mode), and add them to the relevant VLANs.
6. The failover link NEEDS to be configured in the SYSTEM context, which is what uses it, so it's configured here. (Note: I'm using the same physical interface for the LAN failover and the stateful failover link.)
7. You can only have TWO failover groups (you can have many contexts, depending on the licence on your firewall).
Note: unlike Active/Standby, in Active/Active each failover group can preempt and "fail back" to its preferred unit automatically.
8. Setup and assign your CONTEXTS (virtual firewalls), to these groups.
9. The following shows you a summary of the contexts.
10. Now configure vASA1.
11. Now configure vASA2.
12. Go back to the System context and save ALL the changes.
Note: configuration on the main (primary) physical firewall is complete; the "failover" configuration now needs to be set up on the second physical ASA.
13. On the "Secondary" physical ASA:
14. Remember failover is off by default, and we have not switched it on yet; this needs to be done on both of the physical ASAs (primary and secondary). Note: make sure the "failover" interface is NOT in a shut down state first!
Note: If building in GNS3 sometimes you need to put a switch in the middle of the ‘backup link’ or the firewalls don’t detect each other!
17. Top tip: remember that you need to make changes on the ACTIVE instance of the context, which lives in the failover group that context was joined to. Change the firewall prompt to show you all of this information.
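Steps 1 to 17 collected into one configuration, as an added example that is not the page's own config. The hostnames, the VLAN numbers, the failover link on GigabitEthernet0/3 with 10.255.255.0/30, the mapped interface names OUT-1/IN-1/OUT-2/IN-2 and all the addresses are assumptions; the structure (system context owns interfaces and failover, two groups, one context per group, standby addresses inside each context) is what matters.

```cisco
! ---- Primary physical ASA, system context (constructed addressing) ----
mode multiple
! (the unit reboots; continue in the system context once it is back)
hostname ASA-PRI
! Physical interfaces are shut by default in multiple mode: bring up the ones contexts will use
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
interface GigabitEthernet0/1.120
 vlan 120
interface GigabitEthernet0/3
 description LAN failover + stateful failover link
 no shutdown
!
! Failover link lives in the system context; one interface carries both LAN and stateful traffic
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Exactly two groups: each is normally active on one unit and preempts back after a failure
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Contexts: admin first, then one per group, each with its own config file and interfaces
admin-context admin
context admin
 config-url disk0:/admin.cfg
context vASA1
 allocate-interface GigabitEthernet0/0.10 OUT-1
 allocate-interface GigabitEthernet0/1.110 IN-1
 config-url disk0:/vASA1.cfg
 join-failover-group 1
context vASA2
 allocate-interface GigabitEthernet0/0.20 OUT-2
 allocate-interface GigabitEthernet0/1.120 IN-2
 config-url disk0:/vASA2.cfg
 join-failover-group 2
!
! Show unit (pri/sec), state (act/stby) and context in the prompt
prompt hostname priority state context
!
! ---- Inside vASA1 ("changeto context vASA1"): every interface needs an active AND a standby address
interface OUT-1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
interface IN-1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
! (vASA2 follows the same pattern on OUT-2 / IN-2 with its own subnets)
!
! ---- Secondary physical ASA, system context: only the failover bootstrap, the rest replicates ----
mode multiple
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
interface GigabitEthernet0/3
 no shutdown
!
! ---- Finally, on BOTH units (system context), enable failover and save every context ----
failover
write memory all
```

Note that the secondary gets the same "failover interface ip" line as the primary, not swapped: the active/standby roles, not the units, decide which address each end uses. "write memory all" from the system context saves the system config and every context in one go; a plain "write memory" inside a context saves only that context.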
Testing Active/Active Failover
If you change to vASA1 (notice it’s active).
Now change to vASA2. This one is in standby on this unit, so DON'T make changes here, or they won't get replicated or saved.
Note: the moral of the story is that you need to be aware of which physical firewall you are on (primary or secondary), what state you are in (active or standby) and what context you are in (vASA1 or vASA2). So in this example, to make a change to vASA2 you would need to connect to the Secondary physical unit, where failover group 2 and therefore vASA2 is active. (Confusing, eh! That's why I change the firewall prompt.)
Now you will want to test things, probably by pinging. Don't forget ICMP inspection is not enabled by default and you will need to enable it (in each context).
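The test described above, as an added command sequence (not the page's own output) for the configuration example earlier in this article: it checks which unit is active for each group, enables ICMP inspection inside a context, then forces group 2 across to the primary and back to prove the failover and the preempt both work.

```cisco
! ---- Primary unit, system context, after "failover" is enabled on both units ----
! Per-group view: group 1 should be Active on this unit, group 2 Active on the secondary
show failover
show failover state
show context
!
! Move into the context that is ACTIVE on this unit; with the custom prompt it reads
! something like ASA-PRI/pri/act/vASA1(config)#
changeto context vASA1
configure terminal
! ICMP is not inspected by default in a new context: add it so pings through vASA1 get their replies
 class-map inspection_default
  match default-inspection-traffic
 policy-map global_policy
  class inspection_default
   inspect icmp
 service-policy global_policy global
 end
write memory
!
! Back to the system context and force group 2 (normally on the secondary) to become active here
changeto system
failover active group 2
show failover state
! vASA2 is now Active on THIS unit, so this is where a vASA2 change would be made right now.
! Release it; because group 2 has "preempt" it would also return on its own when the secondary recovers
no failover active group 2
show failover state
```

If "show failover state" shows a group Failed rather than Standby Ready on one unit, look at the monitored interfaces in that group's contexts first: an interface without a standby address, or one that is up on one unit and down on the other, is the usual cause.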