cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1918
Views
20
Helpful
10
Replies

Cisco Fpr2130-Asa-k9 cluster for VPN SSL And Site to site VPN

ifabrizio
Level 3
Level 3

Dear All,

 

I am plannig to cluster two Cisco FPR2130-asa-k9 to maximize the througtput for my remote VPN users(Anyconnect).

Is it possible? I see that old Asa5520 with 9.1 doesn't support vpn if cluster is in place.

 

BR,

JF.

3 Accepted Solutions

Accepted Solutions

Hi Cristian,

 

Thanks for your quick reply.

So also create a cluster should be possible, to perform VPN load balance?

View solution in original post

10 Replies 10

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

   1. Are you speaking about Clustering for High Availability or about VPN Load Balancing?

   2. Are you speaking about S2S VPN's or remote access VPN's?

 

Regards,

Cristian Matei.

Marvin Rhoads
Hall of Fame
Hall of Fame

Thanks Marvin,

 

There are another way to load balance remote users VPN on the two 2130?

VPN Load Balancing.

Like @Cristian Matei said, VPN load balancing is the most common method for appliances with ASA image. (It's not supported on FTD image.)

Another method is round robin DNS.

If you have a load balancer or "application delivery controller (ADC)" like Citrix Netscaler or F5 BigIP you may be able to put your ASAs behind it and to load balancing on the ADC.

Also, depending on your deployment, Optimal Gateway Selection (OGS) is a potential option. That one is usually for organizations with their ASAs spread out in different locations geographically.

Hi,

 

  @Marvin Rhoads Thanks for the additional solutions. As a general fact (from experience with OGS), unless you really have geographically dispersed VPN gateways (in which case OGS becomes an option to be considered), VPN Load Balancing is a much simpler and more functional/stable solution, with less headaches.

 

Regards,

Cristian Matei.

Hi Marvin,

 

Ok it is clear for me thank you.

But the 2130 that I own do not has a FTD Image, they are Fpr2130-Asa-k9 so ,should have "standard" Asa Image, is it true?

 

Bye

Igor.

Hi,

 

   Correct, you run ASA on the 2100 HW. And all presented options are valid: VPN load balancing (configuration performed on the ASA), DNS based balancing (you would need a balancer in front of your ASA's), AnyConnect OGS (AnyConnect decides on which ASA will terminate the session).

 

Regards,

Cristian Matei.

Hi Cristian,

 

Thanks for your quick reply.

So also create a cluster should be possible, to perform VPN load balance?

Review Cisco Networking for a $25 gift card