VPN Failover and the new Global Knowledge ASA Essentials Class

This post is the first in a three-part series that highlights some of the topics covered in the new Global Knowledge ASA Essentials class, an offering intended to give students the key areas to consider when initially provisioning their security appliance. This post focuses on high availability for VPN traffic.

Preservation of IPSec VPN sessions was done initially with the Cisco VPN concentrator more than ten years ago, although the capability was limited at that time to LAN-to-LAN tunnels (now referred to as site-to-site). The PIX and ASA first supported this in OS 7.0, although the requirement has been that it must be done with an Active/Standby failover implementation. Active/active failover requires the use of security contexts, which don’t support VPNs. As table 57-2 (in the document referenced below) indicates, both the ISAKMP and IPSec Security Association information is maintained between the Active and Standby appliances; therefore, both site-to-site and remote access VPN sessions are preserved.

One reason that VPN high availability is more of an ASA feature than a router feature is that only the higher-end IOS® platforms support it. While version 8.2 of the ASA code added support for shared VPN licensing, this feature can’t be utilized in the active/standby pairing required for high availability. A load-sharing cluster is the best deployment to utilize this functionality.

A sample output of an IPSec VPN tunnel verification command is shown below.

hostname(config)# show crypto ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
      current_peer: 172.20.0.21
      dynamic allocated peer ip: 10.135.1.5
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: def
         sa timing: remaining key lifetime (sec): 548
         IV size: 8 bytes
         replay detection support: Y

Note the spi lines (highlighted in the original); these represent the Security Parameter Indices, which fundamentally identify a particular VPN session. It’s these values which should be replicated between the Active/Standby failover pair. To “see this in action”, you’ll need to attend the Global Knowledge ASA Essentials class!
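As an added illustration (not code from this post, from Cisco, or from the course), the Python script below parses the SPI lines out of `show crypto ipsec sa` output captured from the active and the standby unit and reports any ESP SA that exists on one unit but not the other, which is the replication check the paragraph above describes. The active sample is the output printed above, abridged to the lines the parser reads; the two standby samples are constructed by editing that text (the SPI 0xA1B2C3D4 is a made-up value), and `compare_sa_state` is my own comparison, not an ASA command.

```python
import re
from dataclasses import dataclass


@dataclass
class EspSa:
    direction: str                 # "inbound" or "outbound"
    spi: int                       # Security Parameter Index, parsed from the hex form
    transform: str = ""            # e.g. "esp-3des esp-md5-hmac"
    remaining_lifetime: int = -1   # seconds until rekey; informational, not compared


# Active unit: the `show crypto ipsec sa` output from the post, abridged to the
# lines the parser reads.
ACTIVE_OUTPUT = """\
hostname(config)# show crypto ipsec sa
interface: outside2
    Crypto map tag: def, local addr: 10.132.0.17
      current_peer: 172.20.0.21
      current outbound spi: DC15BF68
    inbound esp sas:
      spi: 0x1E8246FC (511854332)
         transform: esp-3des esp-md5-hmac
         sa timing: remaining key lifetime (sec): 548
    outbound esp sas:
      spi: 0xDC15BF68 (3692412776)
         transform: esp-3des esp-md5-hmac
         sa timing: remaining key lifetime (sec): 548
"""

# Constructed standby output for a healthy pair: same peer, same SPIs, the
# lifetime counter a couple of seconds behind.
STANDBY_OUTPUT_OK = ACTIVE_OUTPUT.replace("(sec): 548", "(sec): 546")

# Constructed standby output for a stale standby: the outbound SA carries a
# different (made-up) SPI than the active unit, so a failover would drop that
# direction of the tunnel until rekey.
STANDBY_OUTPUT_STALE = STANDBY_OUTPUT_OK.replace(
    "0xDC15BF68 (3692412776)", "0xA1B2C3D4 (2712847316)")


def parse_esp_sas(show_output: str) -> dict:
    """Parse `show crypto ipsec sa` text into {peer: {"inbound": [EspSa], "outbound": [EspSa]}}.

    Only the peer, the spi/transform/lifetime lines of each ESP SA are read; the
    packet counters and the "current outbound spi" summary line are ignored.
    """
    sas = {}
    peer = direction = current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r"current_peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            sas.setdefault(peer, {"inbound": [], "outbound": []})
            continue
        m = re.match(r"(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)   # anchored, so "current outbound spi:" is skipped
        if m and peer and direction:
            current = EspSa(direction=direction, spi=int(m.group(1), 16))
            sas[peer][direction].append(current)
            continue
        m = re.match(r"transform:\s*(.+)", line)
        if m and current is not None:
            current.transform = m.group(1).strip()
            continue
        m = re.match(r"sa timing: remaining key lifetime \(sec\):\s*(\d+)", line)
        if m and current is not None:
            current.remaining_lifetime = int(m.group(1))
    return sas


def compare_sa_state(active_output: str, standby_output: str) -> list:
    """Return a list of discrepancies; an empty list means the standby mirrors the active SAs."""
    active, standby = parse_esp_sas(active_output), parse_esp_sas(standby_output)
    problems = []
    for peer in sorted(set(active) | set(standby)):
        if peer not in standby:
            problems.append(f"peer {peer}: present on active, missing on standby")
            continue
        if peer not in active:
            problems.append(f"peer {peer}: present on standby only (stale SA?)")
            continue
        for direction in ("inbound", "outbound"):
            a = {sa.spi: sa for sa in active[peer][direction]}
            s = {sa.spi: sa for sa in standby[peer][direction]}
            for spi in sorted(a.keys() - s.keys()):
                problems.append(f"peer {peer} {direction} SPI 0x{spi:08X}: present on active, missing on standby")
            for spi in sorted(s.keys() - a.keys()):
                problems.append(f"peer {peer} {direction} SPI 0x{spi:08X}: present on standby only (stale SA?)")
            for spi in sorted(a.keys() & s.keys()):
                if a[spi].transform != s[spi].transform:
                    problems.append(f"peer {peer} {direction} SPI 0x{spi:08X}: transform differs between units")
    return problems


if __name__ == "__main__":
    for label, standby in (("healthy", STANDBY_OUTPUT_OK), ("stale", STANDBY_OUTPUT_STALE)):
        print(f"[{label}]", compare_sa_state(ACTIVE_OUTPUT, standby) or "standby mirrors active")
```

The comparison deliberately keys on SPI and transform only: those identify the session, whereas the remaining-lifetime counter is a timer that is read at slightly different moments on the two units and is kept purely for display.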

References:

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3 – High Availability

Related Course:

ASAE – ASA Essentials
