ASA Vpn load balancing and failover

dimensyssrl (Level 1)

Hello all.

We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.

Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?

Thanks

Daniele

2 Accepted Solutions

Accepted Solutions

walsaid (Cisco Employee)

Hi Daniele,

You cannot run both of them on two ASA firewalls: either the failover feature or the VPN load balancing feature.

In case you need to use both features you have to use more than three ASA firewalls: the first two ASAs will work as a failover pair and the third ASA will work as a VPN cluster for them. The following example uses four firewalls:

ASA1 (FO Active) ------------------------------ ASA2 (FO Standby)
                  (VPN Virtual Master)
                          |
                          |
                  (VPN backup device)
ASA3 (FO Active) ------------------------------ ASA4 (FO Standby)

Regards,

Wajih

Richard Burts (Hall of Fame)

Daniele

I am sorry that you did not understand my reply to your question, so let me try to explain it in a different way. With just two ASAs, load balancing and failover are mutually exclusive. You can do load balancing OR you can do failover, but you cannot do both.

HTH

Rick


18 Replies

Richard Burts (Hall of Fame)

Daniele

With 2 ASAs you can do either failover or load balancing, but not both.

To do load sharing both ASAs must be active. But running active/active failover requires multiple context mode, and that does not support VPN.

So one or the other, but not both of failover or load balancing.

HTH

Rick


Sorry, but I don't understand.

To do VPN load sharing I need contexts and, obviously, VPN, but if I enable contexts I can't enable VPN, and if I enable VPN I can't enable contexts...

If this is correct, it's impossible to configure VPN load balancing...

Instead, if, as I suppose, it's possible, I don't enable the multi-context configuration and I configure VPN, but I can't understand how to configure failover (to sync configurations) and VPN load balancing.

Thanks

Daniele

>> To do load sharing both ASAs must be active. But to run active/active failover requires multi context mode and that
>> does not support VPN.
>>
>> So one or the other but not both of failover or load balance.

Hi Wajih,

I am testing this right now. In my case, I want A and B to be a failover pair with A as the primary, and (A+B) together as one member in a cluster with the other ASAs C and D. Here is what I found out:

1. After active/standby is working, configure the load balancing on the master; the cluster IP worked.

2. After "no fail ac" on A, the cluster IP stopped working. It seems the VPN load balancing configuration wasn't copied over to the standby B.

3. On the active unit (now it's the secondary B), manually configure VPN load balancing; then the cluster IP worked.

4. "no fail ac" on B to make the primary A active; the cluster IP still worked.

5. After "no fail ac" on A, the cluster IP stopped working. "show vpn load" showed that load balancing was disabled.

6. "no fail ac" on B to make the primary A active; the cluster IP then worked.

Based on the above, the secondary B's VPN load balancing will be disabled when B becomes active in the failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510s with 8.4(2).

Thanks,

Rick.

Hi,

Many years after this test I'm facing exactly the same scenario: 2 failover ASA pairs with VPN load balancing, now with ASA version 9.8.

According to these tests, when one of the units fails over, the virtual IP stops responding? Has anyone done this test with newer versions to verify this behavior?

Many thanks in advance.

James

I'm in the same scenario right now, where I don't know what to do. Either the ASA is in Active/Standby or it is load-balanced... and I really need both to function. Did you figure out how to get it to work?

Hi,

We finally had to open the architecture into two pairs of firewalls in a load balancing configuration. But, according to the theory, with 4 firewalls (2 pairs of failover sets) load balancing should work. Pay special attention to the key exchange configuration.

So I have 2 ASAs. If I configure VPN load-balancing between the 2, and the master goes down, will the secondary just start picking up the connections? Because I notice in the configs online that the outside interface is a VIP. So if the master goes down, now the connection will be routed to the secondary...


Hello has anyone ever tested 2 failover pairs with VPN LB between them?


Thanks for all your clarification.

Only a last question:

How can we maintain synced configurations on two different ASAs configured for load balancing?

Daniele

Daniele

With ASAs in a load balancing cluster there is no automatic way to maintain sync between the configs. Keeping the configs in sync must be done manually.

HTH

Rick


Ok, obviously we have this global virus thing going on at the moment.

I use ASA5555-X HA pairs for two internet POPs.

Licensing is maxed out, IP address pools limit connections to 4000 per HA pair, but there's a possibility we could need more than the 700 Mbps VPN throughput per HA pair.

I could add another 5555-X HA pair and let AnyConnect (IKEv2 IPsec) choose an alternate HA pair, but ideally it would be more user friendly to use load balancing.

So would this work?

2 HA pairs load balancing with each other?

Hi,

So you have two pairs of ASAs, with each pair running in active/standby failover, right? And you want to do VPN load-balancing between the two pairs of ASAs, right? Yes, it is supported. To avoid running into issues, run the same ASA code on both HA pairs.

Regards,

Cristian Matei.
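To make the two-HA-pair layout that Wajih drew and Cristian confirms concrete, here is an added example configuration for the primary unit of each failover pair. It is not taken from any post in this thread or from a Cisco configuration guide; hostnames, interface assignments, all addresses and both keys are assumed placeholders. Failover stays inside each pair, while the VPN load-balancing cluster has two members (the active unit of pair 1 and the active unit of pair 2), which is why the only line that differs between the two `vpn load-balancing` blocks is `priority`.

```cisco
! ===== Pair 1, primary unit (ASA1); ASA2 is its standby =====
! All names, addresses and keys below are assumed placeholders.
hostname asa1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0 standby 203.0.113.12
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.11 255.255.255.0 standby 10.10.0.12
!
! Active/Standby failover: replicates config and state to ASA2 only.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key F0-link-key-placeholder
!
! Cluster members exchange their own encrypted messages over the
! lbprivate interface, so IKEv1 must be enabled there when
! "cluster encryption" is used (James's "key exchange" caveat).
crypto ikev1 enable inside
!
! VPN load balancing. The virtual cluster IP must sit in the same subnet
! as the lbpublic (outside) interface. Everything in this block except
! "priority" must be identical on every cluster member; failover does not
! carry it across pairs, so pair 2 has to be edited by hand.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key cluster-key-placeholder
 cluster encryption
 priority 10
 participate

! ===== Pair 2, primary unit (ASA3); ASA4 is its standby =====
hostname asa3
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.21 255.255.255.0 standby 203.0.113.22
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.21 255.255.255.0 standby 10.10.0.22
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.5 255.255.255.252 standby 192.168.255.6
failover key F0-link-key-placeholder
!
crypto ikev1 enable inside
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster key cluster-key-placeholder
 cluster encryption
 priority 5
 participate
```

After applying it, `show failover` on each unit should report the pair as Active/Standby Ready, and `show vpn load-balancing` on each active unit should list both members with ASA1 as master (higher priority). The check Rick ran earlier in the thread is still the right one: force a switchover with `no failover active` on the active unit, then confirm with `show vpn load-balancing` on the newly active unit that load balancing is still enabled and the cluster IP still answers; if it is not, the load-balancing block was not replicated on that code version and has to be present on the standby before the switchover. Because nothing synchronizes configuration across the two pairs, the `vpn load-balancing` block, the tunnel-groups, group-policies, address pools and the crypto settings that remote users hit must be kept identical on both pairs by hand, and both pairs should run the same ASA release, as Cristian notes.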