


Active/Active failover + VPN

Jan 24, 2012 1:51 PM

Woz 54 posts since
Jan 7, 2010

According to Cisco


When the security appliance is configured for Active/Active stateful failover, you cannot enable IPsec or SSL VPN. Therefore, these features are unavailable. VPN failover is available for Active/Standby failover configurations only.


With a scenario similar to that:


Is there any way to set up a VPN connection with a device other than the ASA (e.g., external router - internal router)? I am curious if that is even possible.

  • Paul Stewart  -  CCIE Security, CCSI 6,993 posts since
    Jul 18, 2008
    1. Jan 24, 2012 3:59 PM (in response to Woz)
    Re: Active/Active failover + VPN

    A good choice might be to use some sort of VPN termination device out in a DMZ area. Then you can still filter with your ASAs. What could terminate the VPNs? If it is SSL VPN, I'd probably go with an ASA. You could even install an active/standby pair for that function. If you need to do GETVPN, VTI, or DMVPN, you are going to have to use routers. If it is L2L, it would be your choice (or what you are comfortable with).

