https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165760#M953233 <P>I have two ASA 5540s that I would like to configure for VPN load balancing. I had been looking at the Active / Standby configurations, but am curious if doing this I can truly get VPN load balancing or if this means all VPNs on the active unit and then when a failure happens all VPNs go over to the standby unit. This isn't what I want.</P><P></P><P>I have found some documents that talk about setting up a cluster. But I think these documents are telling me not to configure the two ASAs as a active / standby failover pair. Does that make sense?</P><P></P><P>Anyway - what is the best way to accomplish VPN load balancing? In our setup these ASAs will only be handling VPNs (no firewalling will be done here).</P> Fri, 21 Feb 2020 11:29:05 GMT jim_berlow 2020-02-21T11:29:05Z https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165760#M953233 <P>I have two ASA 5540s that I would like to configure for VPN load balancing. I had been looking at the Active / Standby configurations, but am curious if doing this I can truly get VPN load balancing or if this means all VPNs on the active unit and then when a failure happens all VPNs go over to the standby unit. This isn't what I want.</P><P></P><P>I have found some documents that talk about setting up a cluster. But I think these documents are telling me not to configure the two ASAs as a active / standby failover pair. Does that make sense?</P><P></P><P>Anyway - what is the best way to accomplish VPN load balancing? In our setup these ASAs will only be handling VPNs (no firewalling will be done here).</P> Fri, 21 Feb 2020 11:29:05 GMT https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165760#M953233 jim_berlow 2020-02-21T11:29:05Z https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165761#M953235 <HTML><HEAD></HEAD><BODY><P>An active/standby failover pair configuration will provide for resiliency in the event of a hardware or software failure. One ASA is "Active" while the other is in a "Standby" mode. Config and state information is synchronized between the two devices. Only one ASA services client connections at any given time.</P><P></P><P>Load balancing, on the other hand, allows you to configure a "cluster" with multiple participants. Each participating ASA can service client connections thus sharing the load. The following doc gives a good overview of load balancing and provides sample configurations.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1048959" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1048959</A></P></BODY></HTML> Wed, 27 May 2009 18:00:39 GMT https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165761#M953235 Todd Pula 2009-05-27T18:00:39Z https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165762#M953238 <HTML><HEAD></HEAD><BODY><P>Thanks - good information. So to clarify, there is no way to load balance Site to Site VPN tunnels across 2 ASAs (either through active / standby or clustering). It appears that clustering will only load balance remote access VPN user connections using a VPN client. Do I have this right?</P><P></P><P>Thanks again,</P><P>Jim</P></BODY></HTML> Wed, 27 May 2009 19:03:19 GMT https://community.cisco.com/t5/network-security/best-way-to-load-balance-vpns/m-p/1165762#M953238 jim_berlow 2009-05-27T19:03:19Z