cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3328
Views
0
Helpful
5
Replies

ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

will
Level 3
Level 3

This topic has been beat to death, but I did not see a real answer. Here is configuration:

1) 2 x ASA 5520, running 8.2

2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces

3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.

4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?

This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.

Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not

The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?

In any case, any experts out there that can answer question? TIA!

5 Replies 5

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Will,

There is no support for VPN in multicontext so forget about active/active.

Failover pair cannot load balance sessions between each other.

Failover pair can be in load balancing with one or many other units (coincidentally those units can run failover, but they will be seen as one unit from load balancing point of view).

That's the way I understand it. I might be wrong of course.

Marcin

I am testing this right now. In my case, I want A and B are failover pairs with A as the primary, (A+B) together as one member in cluster with other ASAs. Here is what I found out:

1, After the active/standby working, configure the load banlancing in the master, the cluster IP worked.

2, after "no fail ac" in A, cluster IP stopped working. Seems the vpn load banlance configuration wasn't copied over to the standby B.

3, In the active (now it's the secondary B), manually configure vpn load banlancing, then the cluster IP worked.

4, "no fail ac" in the B and make the the primary A active, the cluster IP still worked.

5, after "no fail ac" in A, cluster IP stopped working. show vpn load and found out the load banlance was disabled.

6, "no fail ac" in the B and make the the primary A active, the cluster IP then worked.

Based on above, the secondary B's VPN load banlance will be disabled when B becomes active in failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing. The ASAs are 5510 with 8.4(2)

Thanks,

Rick.

This is a bit older thread, but i cannot recall ever configuring the A/S asa's in a vpn cluster like i originally wanted. So i think the features dont support each other when running simultaneously! hope that helps. One good thing I read is with 8.4, you no longer have to buy 2 sets of SSLVPN licenses and waste 1 set.

Thanks a lot Will.

mfouts
Level 1
Level 1

Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.

Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).

Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?

Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.

Thanks much,

Mike