Cisco ACE - Firewall load balancing

smhussain — Wed, 16 Feb 2011 21:29:03 GMT

I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).

The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffci going from the internal users to the internet and vice versa.

The problem is that when I try to manage the load-balanced firewalls (either using SSH (or) HTTPS) from outside, then that connection also gets load balanced and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where i am using a virtual address per firewall to connect to the real IP address of the firewall.

Is there any other way of managing firewalls (which are defined as real-servers) in a FWLB setup.

Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.

access-list ALL line 8 extended permit ip any any

probe icmp ICMP-Probe
interval 15
passdetect interval 60

rserver host FW1-ASA
ip address 10.11.71.10
inservice
rserver host FW2
ip address 10.11.71.11
inservice

serverfarm host Firewalls
transparent
predictor leastconns
rserver FW1-ASA
    inservice
rserver FW2
    inservice
serverfarm host Firewalls-NO-LB
rserver FW1-ASA
    inservice
serverfarm host Firewalls-NO-LB1
rserver FW2
    inservice

sticky ip-netmask 255.255.255.255 address source new-sticky
timeout activeconns
serverfarm Firewalls

-----------------------------------------------------------------------------------
This is my workaround for connection to the IP address of the firewalls (for management)

class-map match-any FW-Real
2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
2 match virtual-address 10.11.71.253 any

---------------------------------------------------------------------------------
class-map type management match-any Remote-Access
201 match protocol telnet any
202 match protocol http any
203 match protocol https any
204 match protocol ssh any
205 match protocol snmp any
206 match protocol icmp any
class-map match-any fwlb
2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type management first-match Remote-Management-Policy
class Remote-Access
permit

-------------------------------------------------------------------------------

policy-map type loadbalance first-match FWLB-No-LB
class class-default
serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
class class-default
serverfarm Firewalls-NO-LB1

------------------------------------------------------------------------------
policy-map type loadbalance first-match FWLB-l7slb
class class-default
serverfarm Firewalls

policy-map multi-match Firewall-No-LB
class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
policy-map multi-match int70
class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb

interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
service-policy input Firewall-No-LB1 --> connect to the real IP address of the firewall for management
service-policy input int70
no shutdown
interface vlan 71
description "Firewall side"
ip address 10.11.71.2 255.255.255.0
mac-sticky enable
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
no shutdown

Re: Cisco ACE - Firewall load balancing

lacirasella — Mon, 21 Feb 2011 13:18:50 GMT

Hello,

as i know, there is no others ways.

You can only reduce your configuration by puting all your class undert the same policy-map:

policy-map multi-match int70

class FW-Real
loadbalance vip inservice
loadbalance policy FWLB-No-LB

class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb

interface vlan 70

description "Client side"

ip address 10.11.70.2 255.255.255.0

no icmp-guard

access-group input ALL

access-group output ALL

service-policy input Remote-Management-Policy

service-policy input int70

no shutdown

topic Cisco ACE - Firewall load balancing in Application Networking

Cisco ACE - Firewall load balancing

Re: Cisco ACE - Firewall load balancing