VPN Load Balancing

Murugank
Level 1

I have an ASA5510 HA pair (Active/Standby). I have 250 VPN peer licenses on each ASA, but currently only the active ASA is being used.

ASA-Pri
outside: 12.4.0.1
inside: 10.1.10.1

ASA-Sec
outside: 12.4.0.2
inside: 10.1.10.2

fqdn: vpn.abc.com

I have VPN users connecting from outside to the RA-VPN using 12.4.0.1; now I would like to apply VPN load balancing to my project.

I have checked a few documents and understood:

vpn load-balancing
 cluster ip address 192.168.51.76
 cluster key cisco123
 cluster encryption
 priority 3
 redirect-fqdn enable
 participate

With this, when remote users want to connect to the RA-VPN they need to connect to the cluster IP 192.168.51.76.

Here are my questions:

Are both ASA outside IPs (12.4.0.1 & 12.4.0.2) accessible from the Internet?

What DNS entries need to be placed in domain abc.com?

Why are we connecting to the cluster IP?

Is any configuration change required on the router?

5 Replies

Cristian Matei
VIP Alumni

Hi,

1. Are both ASA outside IPs (12.4.0.1 & 12.4.0.2) accessible from the Internet? Yes, as sessions will be terminated on both ASAs.

2. What DNS entries need to be placed in domain abc.com? Three DNS entries: one for the cluster, and one for each of the two ASAs' FQDNs.

3. Why are we connecting to the cluster IP? So that the sessions can be load-balanced: you connect to the VIP and are afterwards redirected to another ASA, or not.

4. Is any configuration change required on the router? I'm not sure which router you're speaking about; maybe a router in front of the ASAs? If so, you'll need to ensure that you allow traffic from the Internet to all three IPs of the ASAs, as you currently do without the VPN cluster (UDP 500, UDP 4500, UDP/TCP 443, depending on the VPN type, SSL or IKE).

Here's a good document to guide you with the certificate provisioning, and here's a configuration example.

Regards,

Cristian Matei.

Does load balancing work when the ASA-Sec is in standby mode?

Then the Virtual IP should be configured on all ASAs that are cluster members, and we need to make sure that all outside interface IPs and the Virtual IP are allowed to be accessed from the Internet.

Hi,

Correct for Internet access. In an HA pair of ASAs, the standby device can never forward any traffic. So to configure and achieve VPN load-balancing you would need two standalone ASAs (not in HA), or two HA pairs (4 ASAs in total), or one ASA and one HA pair (3 ASAs in total).

Regards,

Cristian Matei.

Should my Virtual IP also be in the same subnet?

If I break the HA pair, will the other traffic be impacted?

Hi,

Yes, the VIP needs to be in the same subnet. If you break the HA pair and have two independent ASAs, you'll be able to configure VPN load-balancing, but you'll no longer have HA; the traffic through the firewalls can still work, with appropriate routing and failover at the routing level, not at the ASA level.

Regards,

Cristian Matei.
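The replies above set out three conditions for the cluster: the VIP must sit in the outside subnet, the cluster and each member ASA need their own DNS A record, and the router in front of the ASAs must permit the VPN ports to the VIP and to every member's outside address. The following Python is an added pre-deployment check that encodes those conditions; it is not from the thread, Cisco, or either poster. It also refuses a member that is the standby unit of an HA pair, since that unit forwards no traffic. The /24 mask on the outside network, the per-ASA FQDNs asa1.abc.com and asa2.abc.com, and the replacement VIP 12.4.0.10 are assumptions; the post only gives the host addresses.

```python
# Added example: sanity-check an ASA VPN load-balancing plan against the
# rules given in the replies. Not the thread's or Cisco's own tooling.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    fqdn: str                 # assumed per-device FQDN (needed by redirect-fqdn)
    outside_ip: str
    ha_standby: bool = False  # True if this unit is the standby of an HA pair


# Ports listed in the thread: IKE/IPsec (UDP 500, UDP 4500) and SSL VPN (443).
REQUIRED_SERVICES = (("udp", 500), ("udp", 4500), ("udp", 443), ("tcp", 443))


def in_outside_subnet(ip, outside_network):
    """True if ip lies inside the members' outside subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(outside_network)


def dns_records(cluster_fqdn, vip, members):
    """A records: cluster FQDN -> VIP, then one per forwarding ASA."""
    return [(cluster_fqdn, vip)] + [(m.fqdn, m.outside_ip) for m in members]


def upstream_allow_rules(vip, members):
    """(proto, port, dst) tuples the router in front of the ASAs must permit."""
    targets = [vip] + [m.outside_ip for m in members]
    return [(proto, port, dst) for dst in targets for proto, port in REQUIRED_SERVICES]


def validate_plan(cluster_fqdn, vip, outside_network, members):
    """Return the problems found plus the DNS and firewall changes the plan needs."""
    problems = []
    if not in_outside_subnet(vip, outside_network):
        problems.append(f"VIP {vip} is not inside the outside subnet {outside_network}")
    for m in members:
        if not in_outside_subnet(m.outside_ip, outside_network):
            problems.append(f"{m.name} outside address {m.outside_ip} is not in {outside_network}")
        if m.ha_standby:
            problems.append(f"{m.name} is an HA standby unit and cannot terminate sessions")
    active = [m for m in members if not m.ha_standby]
    if len(active) < 2:
        problems.append("load balancing needs at least two forwarding ASAs")
    return {
        "problems": problems,
        "dns": dns_records(cluster_fqdn, vip, active),
        "allow": upstream_allow_rules(vip, active),
    }


# Constructed input using the addresses from the original post; /24 mask assumed.
OUTSIDE_NET = "12.4.0.0/24"
MEMBERS = (
    Member("ASA-Pri", "asa1.abc.com", "12.4.0.1"),
    Member("ASA-Sec", "asa2.abc.com", "12.4.0.2"),
)

if __name__ == "__main__":
    # The VIP from the post is on a different network, so that plan is flagged;
    # the assumed 12.4.0.10 passes and yields the three A records and 12 rules.
    for vip in ("192.168.51.76", "12.4.0.10"):
        result = validate_plan("vpn.abc.com", vip, OUTSIDE_NET, MEMBERS)
        print(vip, "->", result["problems"] or "OK")
        for fqdn, addr in result["dns"]:
            print("  A", fqdn, addr)
        for proto, port, dst in result["allow"]:
            print("  permit", proto, port, "->", dst)
```

Running it with the VIP from the post reports the subnet mismatch Cristian points out; with a VIP in 12.4.0.0/24 it lists the three A records and the twelve permits the upstream router would need.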
