Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
572
Views
5
Helpful
1
Replies

ASA VPN Load Balancing Questions

jackfait1
Level 1
Level 1

‎02-19-2019 09:43 AM

The company where I work currently has a Primary/Standby ASA configuration for our employee VPN. However, I have recently set up load balancing in a test lab. For performance reasons, we would like multiple ASAs to share the VPN traffic load. When the ASA that AnyConnect has the tunnel established to, is disconnected, the AnyConnect client sits at connecting till you manually disconnect and then reconnect to the other load balanced ASA. Is this normal or should the AnyConnect client automatically find the other load balanced ASA and reconnect automatically? Is there a way to replicate ASA config in a load balanced setting? Would a combination of load balancing with Primary/Standby be a better solution? I appreciate the input.

The test lab I have ASA 5520s and our main ASAs are 5545-X

 

Thanks

 

Labels:
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-20-2019 06:05 AM

This is expected AFAIK. The redirect only happens at the initial connection attempt, when the master redirects the connection to a slave (or itself) based on the load. Once this is done, the connection is essentially between the client and that slave ASA alone. When the disconnect of the ASA happens, the AnyConnect only tries to reconnect to the last connected ASA. 

 

There is no way to config sync among load balanced ASA's. Also you cannot have Active/Standby pair as also load balanced nodes, they would only act as one of the nodes. So you can have 2 pairs of Active/Standby devices which results in 2 nodes in Load balancing. 

Customers Also Viewed These Support Documents