
VPN Load Balancing on FTD

Chuck Reimer
Level 1

We are working on migrating our AnyConnect VPN services from ASA to FTD and have been reading there is native load balancing available on the ASA, but are not sure if it's ready/available on FTD. Also, we have Kemp load balancers that are possibly available and are wondering if we are better off using these, assuming it's supported.

We're also contemplating running the FTD in an HA pair, assuming this is supported. Would this be a better solution? It's a fairly small environment with around 500 concurrent connections a day.

Accepted Solutions

khorram1998
Level 1

FTD does support VPN load balancing, but it is not as advanced as the ASA's load balancing capabilities. It uses a simple round-robin method to distribute VPN connections among the available VPN peers. However, if you are looking for more advanced features such as connection persistence, then using a third-party load balancer like Kemp is a good option.

FTD does support High Availability (HA) pairing, which can be used as an alternative to load balancing. This allows you to configure two FTD devices in an active/standby configuration, where one device takes over the VPN traffic if the other device fails. This can provide a more robust and reliable solution for VPN services compared to load balancing.

It's worth noting that you should consult the FTD release notes for the version you are running to confirm the supportability of the features you want to use.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

7 Replies

@Chuck Reimer Yes, the VPN Load Balancing feature is available on FTD (if managed by FMC, not local FDM management). It works the same as ASA VPN Load Balancing. The benefit of the VPN Load Balancer feature is that you can add additional FTDs to scale out the solution.

In your small environment an Active/Standby HA pair might be a better fit (Active/Standby HA is supported on FTD managed by FMC or FDM).

Chuck Reimer
Level 1

@Rob Ingram How about clustering? This would be on 2110s?

@Chuck Reimer FTD clustering is only available on 3100/4100/9300 hardware and virtual image.

RAVPN is also not supported on FTD clustering anyway.

@Rob Ingram Hope you don't mind me jumping in here, but if I have two locations, with 2 x FTDs in HA, can I leverage VPN load balancing to load balance between the two HA pairs / the two sites?

Thank you

Hi @Liam S, you need Layer 2 connectivity between those 2 sites in order to use FTD VPN Load Balancer.

@Rob Ingram Hi, what license does VPN Load Balancing require? I configured one pair but it does not seem to load balance.
