Hi everyone,
I was helping some friends who were trying to solve a VPN scalability issue, especially these days with the pandemic situation.
I recommended implementing ASA VPN Load-Balancing.
This lets you keep one FQDN for all RA-VPN users and lets all ASA devices behind that VIP load-balance users across them.
A further advantage is that you can deploy a new ASA, integrate it into the VPN cluster, and it will immediately take part in the load-balancing of VPN users.
There are some limitations: it does not work in multiple-context mode, and it only load-balances on one outside interface (so if you terminate SSL VPN on several outside interfaces, you won't be able to load-balance all of them). Documentation can be found here: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/vpn/asa-913-vpn-config/vpn-ha.html?bookSearch=true#ID-2186-00000429
You can mix ASA hardware models and software versions; it will still work. This means that if you have two ASAs hosting VPN clients and need to deploy one or more ASAv during this period to host more clients, you just stage it, integrate it into your cluster, and your clients will automatically be load-balanced across it.
I won't go through the ASA SSL VPN setup itself, as it is already well known and well documented.
I will share the CLI config to activate the VPN Load-Balancing feature (it could of course also be done through ASDM, under the Remote Access VPN menu and then VPN Load-Balancing).
Each ASA must have its own IP pool; a pool cannot be shared across ASAs, and the pools must not overlap, since each ASA routes its own pool.
You'll need to create A and PTR DNS records for the VIP and for each ASA's outside IP. The load-balancing VIP redirects users to the least-loaded ASA by FQDN (redirect-fqdn enable) or by IP if that command is absent. Redirecting by IP, however, produces a certificate-warning popup on the client, because the certificate does not contain the IP address the client is sent to. Your public certificate must therefore carry all of those FQDNs as Subject Alternative Names: the VIP FQDN plus each ASA's own FQDN.
The AnyConnect XML profile must point at the VIP FQDN instead of an individual ASA's FQDN.
Now the ASA CLI config (this needs to be done on each ASA member; only the priority changes from one to the next, and perhaps the interface names if they are not consistent across all your ASAs):
crypto ikev1 enable inside ==> This must be enabled on the inside interface when using cluster encryption
!
vpn load-balancing
redirect-fqdn enable
priority 10 ==> The member with the highest priority is elected Master
interface lbpublic outside ==> outside = nameif of your internet interface
interface lbprivate inside ==> inside = nameif of your LAN interface
cluster key cisco ==> Shared secret for cluster encryption (must match on every member; "cisco" is only a placeholder, use a strong secret)
cluster ip address 172.16.2.12 ==> Outside VIP
cluster encryption
cluster port 4000 ==> UDP port used to build the VPN cluster between ASAs (default is 9023); must be the same on every member
participate ==> Enables this ASA to participate in the VPN cluster
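As an added example (not from the original post, and not Cisco's code), here is a small Python preflight script for the points above: it checks that the per-ASA address pools don't overlap, that the certificate's SAN list covers the VIP FQDN and every member FQDN, which member wins the master election by priority, where the master would send the next user under a simple used/limit load model (the "Load" column of the show output), and it renders the per-member "vpn load-balancing" block in which only the priority and interface names differ. The cluster, member names, addresses, pools and SAN list are constructed sample data; the load model is an assumption for illustration.

```python
"""Preflight checker and per-member config renderer for an ASA VPN
load-balancing cluster.  Added example; the cluster, member names,
addresses and pools below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Tuple


@dataclass
class Member:
    name: str                    # hostname of the ASA
    fqdn: str                    # public FQDN: needs A/PTR records and a cert SAN
    outside_ip: str              # outside interface address (the A record target)
    priority: int                # highest value wins the master election
    pool: str                    # RA-VPN address pool (CIDR); unique per ASA
    outside_if: str = "outside"  # nameif of the internet-facing interface
    inside_if: str = "inside"    # nameif of the LAN interface
    sessions: int = 0            # currently active AnyConnect sessions
    limit: int = 250             # AnyConnect license limit on this unit


@dataclass
class Cluster:
    vip: str                     # outside virtual IP shared by the cluster
    vip_fqdn: str                # the one FQDN users connect to
    key: str                     # shared secret for cluster encryption
    port: int = 9023             # UDP port between members (ASA default)
    members: List[Member] = field(default_factory=list)


def overlapping_pools(members: List[Member]) -> List[Tuple[str, str]]:
    """Pairs of members whose address pools overlap; every pool must be disjoint."""
    nets = [(m.name, ipaddress.ip_network(m.pool, strict=False)) for m in members]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def missing_sans(cluster: Cluster, sans: List[str]) -> List[str]:
    """FQDNs (VIP plus every member) absent from the certificate's SAN list."""
    needed = [cluster.vip_fqdn] + [m.fqdn for m in cluster.members]
    have = {s.lower() for s in sans}
    return [n for n in needed if n.lower() not in have]


def elect_master(members: List[Member]) -> str:
    """The member with the highest priority becomes master."""
    return max(members, key=lambda m: m.priority).name


def least_loaded(members: List[Member]) -> str:
    """Where the master would redirect the next user, modelling load as
    sessions/limit (assumption: mirrors the 'Load' column of the show output)."""
    return min(members, key=lambda m: m.sessions / m.limit).name


def render_config(cluster: Cluster, m: Member) -> str:
    """The per-member CLI block; only priority and interface names differ."""
    return "\n".join([
        f"crypto ikev1 enable {m.inside_if}",
        "!",
        "vpn load-balancing",
        " redirect-fqdn enable",
        f" priority {m.priority}",
        f" interface lbpublic {m.outside_if}",
        f" interface lbprivate {m.inside_if}",
        f" cluster key {cluster.key}",
        f" cluster ip address {cluster.vip}",
        " cluster encryption",
        f" cluster port {cluster.port}",
        " participate",
    ])


def preflight(cluster: Cluster, sans: List[str]) -> List[str]:
    """Human-readable findings; an empty list means the plan is consistent."""
    findings = [f"pool overlap between {a} and {b}" for a, b in overlapping_pools(cluster.members)]
    findings += [f"certificate SAN missing: {n}" for n in missing_sans(cluster, sans)]
    if cluster.key.lower() in ("cisco", "cisco123", "password"):
        findings.append("cluster key is a well-known placeholder; use a strong shared secret")
    return findings


# Constructed sample cluster: two hardware ASAs plus an ASAv added for capacity.
CLUSTER = Cluster(
    vip="172.16.2.12", vip_fqdn="vpn.example.com", key="CHANGE-ME-to-a-strong-secret",
    port=4000,
    members=[
        Member("asa1", "asa1.example.com", "172.16.2.10", 10, "10.10.1.0/24", sessions=120),
        Member("asa2", "asa2.example.com", "172.16.2.11", 2, "10.10.2.0/24", sessions=10),
        Member("asav3", "asav3.example.com", "172.16.2.13", 5, "10.10.1.128/25",
               outside_if="outside-isp", sessions=40),
    ],
)
# SAN list of the constructed public certificate (the ASAv's name was forgotten).
CERT_SANS = ["vpn.example.com", "asa1.example.com", "asa2.example.com"]

if __name__ == "__main__":
    for finding in preflight(CLUSTER, CERT_SANS):
        print("WARN:", finding)
    print("master:", elect_master(CLUSTER.members), "| next user ->", least_loaded(CLUSTER.members))
    print(render_config(CLUSTER, CLUSTER.members[0]))
```

Run as-is it flags the overlapping ASAv pool and the missing SAN before anything is pushed to the boxes; swap the constructed values for your own and keep the key out of the script (read it from an environment variable or a vault) if you turn it into a real deployment tool.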
Example of the show command to check the VPN load-balancing status and list all members:
ciscoasa# sh vpn load-balancing
--------------------------------------------------------------------------
Status     Role     Failover   Encryption   Peers   Cluster IP
--------------------------------------------------------------------------
Enabled    Master   n/a        Enabled      1       172.16.2.12

Peers:
--------------------------------------------------------------------------
Role     Pri   Model       Load-Balancing Version   Public IP
--------------------------------------------------------------------------
Master   10    ASA-VASA    4                        172.16.2.10*
Backup   2     ASA-VASA    4                        172.16.2.11

Total License Load:
--------------------------------------------------------------------------
 AnyConnect Premium/Essentials         Other VPN            Public IP
 -----------------------------   ---------------------
 Limit   Used   Load             Limit   Used   Load
--------------------------------------------------------------------------
 250     0      0%              250     0      0%         172.16.2.10*
 250     1      0%              250     0      0%         172.16.2.11

Licenses Used By Inactive Sessions :
--------------------------------------------------------------------------
 AnyConnect Premium/Essentials   Inactive   Load   Public IP
--------------------------------------------------------------------------
                                 0          0%     172.16.2.10*
                                 1          0%     172.16.2.11