07-26-2011 08:40 AM
Hello all.
We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
Thanks
Daniele
07-27-2011 01:57 AM
Hi Daniele,
You cannot run both of them on two ASA firewalls, either failover feature or VPN load balancing feature.
In case you need to use both features, you have to use more than three ASA firewalls: the first two ASAs will work as failover and the third ASA will work as VPN cluster for them. The following example uses four firewalls:
ASA1(FO Active)------------------------------------------------------ASA2(FO Standby)
(VPN Virtual Master)
|
|
|
|
(VPN backup device)
ASA3(FO Active)------------------------------------------------------ASA4(FO Standby)
Regards,
Wajih
07-27-2011 02:39 AM
Daniele
I am sorry that you did not understand my reply to your question. So let me try to explain it in a different way. With just two ASAs load balancing and failover are mutually exclusive. You can do load balancing OR you can do failover but you can not do both.
HTH
Rick
Sent from Cisco Technical Support iPhone App
07-26-2011 09:07 AM
Daniele
With 2 ASAs you can do either failover or load balancing but not both.
To do load sharing both ASAs must be active. But to run active/active failover requires multi context mode and that does not support VPN.
So one or the other but not both of failover or load balance.
HTH
Rick
07-27-2011 12:07 AM
Sorry, but I don't understand.
To do VPN load sharing I need contexts and, obviously, VPN, but if I enable contexts I can't enable VPN, and if I enable VPN I can't enable contexts...
If this is correct, it's impossible to configure VPN load balancing...
Instead, as I suppose, it's possible: I don't enable the multi-context configuration and I configure VPN, but I can't understand how to configure failover (to sync configurations) and VPN load balancing.
Thanks
Daniele
>> To do load sharing both ASAs must be active. But to run active/active failover requires multi context mode and that
>> does not support VPN.
>>
>> So one or the other but not both of failover or load balance.
02-08-2012 11:11 AM
Hi Wajih,
I am testing this right now. In my case, I want A and B are failover pairs with A as the primary, (A+B) together as one member in cluster with other ASAs C and D. Here is what I found out:
1, After the active/standby was working, I configured the load balancing on the master; the cluster IP worked.
2, After "no fail ac" in A, the cluster IP stopped working. It seems the VPN load balancing configuration wasn't copied over to the standby B.
3, In the active (now it's the secondary B), I manually configured VPN load balancing, then the cluster IP worked.
4, "no fail ac" in B and make the primary A active; the cluster IP still worked.
5, After "no fail ac" in A, the cluster IP stopped working. "show vpn load" showed that the load balancing was disabled.
6, "no fail ac" in B and make the primary A active; the cluster IP then worked.
Based on the above, the secondary B's VPN load balancing will be disabled when B becomes active in the failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2).
Thanks,
Rick.
09-27-2019 08:21 PM
Hi,
After many years of this test I'm facing exactly the same scenario, 2 failover asa pairs with VPN load balancing. Now with ASA version 9.8.
According to these tests, when one of the units fails over, the virtual ip stops responding? Does anyone have done this test with newer versions to verify this behavior?
Many thanks in advance.
James
04-14-2020 05:21 PM
I'm in the same scenario right now where I don't know what to do. It's either the ASA is in Active/Standby or Load-balanced...and I really need both to function. Did you figure out how to get it to work?
04-14-2020 06:45 PM
Hi,
We finally had to open the architecture in two pairs of firewalls in load balancing configuration. But, according to the theory, with 4 firewalls (2 pair of failover sets) load balancing should work. Pay special attention to the key exchange configuration.
04-14-2020 07:35 PM
So I have 2 ASAs. If I configure VPN load-balancing between the two, and if the master goes down, will the secondary just start picking up the connections? Because I notice in the configs online that the outside interface is a VIP. So if the master goes down, now the connection will be routed to the secondary...
02-20-2018 05:53 PM
Hello has anyone ever tested 2 failover pairs with VPN LB between them?
07-28-2011 01:25 AM
Thanks for all your clarification.
Only a last question:
how can we maintain synced configurations on two different ASAs configured for load balancing?
Daniele
07-28-2011 05:13 AM
Daniele
With ASAs in a load balancing cluster there is not an automatic way to maintain sync between configs. Keeping the configs in sync must be done manually.
HTH
Rick
03-11-2020 04:30 AM
Ok, obviously we have this global virus thing going on at the moment.
I use ASA5555-X HA pairs for two internet pops.
Licensing is maxed out, IP address pools limit connections to 4000 per HA pair, but there's a possibility we could need more than the 700Mbps throughput for vpns per HA pair.
I could add another 5555-X HA pair and let AnyConnect (IKEv2 IPSEC) choose an alternate HA pair but ideally it would be more user friendly to use load balancing.
So would this work?
2 HA pairs load balancing with each other?
03-11-2020 06:25 AM
Hi,
So you have two pairs of ASAs, with each pair running in active/standby failover, right? And you want to do VPN load-balancing between the two pairs of ASAs, right? Yes, it is supported; to avoid running into issues, run the same ASA code on both HA pairs.
Regards,
Cristian Matei.
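As an added example (not taken from any post in this thread), the following shows the shape of the vpn load-balancing configuration each cluster member would carry in the four-firewall design discussed above, i.e. the active unit of each failover pair (ASA1 and ASA3 in Wajih's diagram), with the standby unit expected to receive it through failover configuration replication. The interface names, the cluster IP address, the port and the cluster key are placeholders; the cluster key and the cluster IP must be identical on every member, which is the "key exchange" detail the 2020 reply warns about.

```text
! Added example, not from this thread. 192.0.2.10, the interface names and
! the key are placeholders; use your own values, identical on every member.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.0.2.10
 cluster port 9023
 cluster key <shared-cluster-key>
 cluster encryption
 priority 10
 participate
```

After a failover switchover, the check the 2012 test in this thread relied on still applies: run `show vpn load-balancing` on whichever unit is now active and confirm that the unit still reports itself as participating and that the cluster IP answers, since that test found the load-balancing state disabled on the newly active unit on 8.4(2).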