10-28-2022 07:37 AM
We are working on migrating our AnyConnect VPN services from ASA to FTD and have been reading that there is native load balancing available on the ASA, but we are not sure if it's ready/available on FTD. Also, we have Kemp load balancers that are possibly available and are wondering if we are better off using this, assuming it's supported.
We're also contemplating running the FTD in an HA pair, assuming this is supported. Would this be a better solution? It's a fairly small environment with around 500 concurrent connections a day.
01-24-2023 09:35 AM
FTD does support VPN load balancing, but it is not as advanced as the ASA's load balancing capabilities. It uses a simple round-robin method to distribute VPN connections among the available VPN peers. However, if you are looking for more advanced features such as connection persistence, then using a third-party load balancer like Kemp is a good option.
FTD does support High Availability (HA) pairing, which can be used as an alternative to load balancing. This allows you to configure two FTD devices in an active/standby configuration, where one device takes over the VPN traffic if the other device fails. This can provide a more robust and reliable solution for VPN services compared to load balancing.
It's worth noting that you should consult the FTD release notes for the version you are running to confirm the supportability of the features you want to use.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK
10-28-2022 07:41 AM - edited 10-28-2022 07:42 AM
@Chuck Reimer yes, the VPN Load Balancing feature is available on FTD (if managed by FMC, not local FDM management). It works the same as ASA VPN Load Balancing. The benefit of the VPN Load Balancer feature is that you can add additional FTDs to scale out the solution.
In your small environment an Active/Standby HA pair might be a better fit (Active/Standby HA is supported on FTD managed by FMC or FDM).
10-28-2022 07:49 AM
@Rob Ingram How about clustering? This would be on 2110s?
10-28-2022 07:53 AM - edited 10-28-2022 07:54 AM
@Chuck Reimer FTD clustering is only available on 3100/4100/9300 hardware and virtual image.
RAVPN is also not supported on FTD clustering anyway.
01-24-2023 08:37 AM
@Rob Ingram Hope you don't mind me jumping in here, but if I have two locations, with 2 x FTDs in HA, can I leverage VPN load balancing to load balance between the two HA pairs / the two sites?
Thank you
01-24-2023 08:44 AM
Hi @Liam S, you need Layer 2 connectivity between those 2 sites in order to use FTD VPN Load Balancer.
01-25-2023 01:24 PM
@Rob Ingram Hi, what license does it require for VPN Load Balancing? I configured one pair but it does not seem to load balance.