05-27-2009 08:04 AM - edited 02-21-2020 03:29 AM
I have two ASA 5540s that I would like to configure for VPN load balancing. I had been looking at the Active / Standby configurations, but am curious if doing this I can truly get VPN load balancing or if this means all VPNs on the active unit and then when a failure happens all VPNs go over to the standby unit. This isn't what I want.
I have found some documents that talk about setting up a cluster. But I think these documents are telling me not to configure the two ASAs as a active / standby failover pair. Does that make sense?
Anyway - what is the best way to accomplish VPN load balancing? In our setup these ASAs will only be handling VPNs (no firewalling will be done here).
05-27-2009 11:00 AM
An active/standby failover pair configuration will provide for resiliency in the event of a hardware or software failure. One ASA is "Active" while the other is in a "Standby" mode. Config and state information is synchronized between the two devices. Only one ASA services client connections at any given time.
Load balancing, on the other hand, allows you to configure a "cluster" with multiple participants. Each participating ASA can service client connections thus sharing the load. The following doc gives a good overview of load balancing and provides sample configurations.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1048959
05-27-2009 12:03 PM
Thanks - good information. So to clarify, there is no way to load balance Site to Site VPN tunnels across 2 ASAs (either through active / standby or clustering). It appears that clustering will only load balance remote access VPN user connections using a VPN client. Do I have this right?
Thanks again,
Jim
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide