Re: Concurrent anyconnect sessione for fpr1140-asa in load balancing

l.buschi · ‎07-11-2024

Hello, I need a couple of firewall to manage up to 1500 concurrent anyconnect connections.

the firewall need only to manage anyconnect remote access.

may I use a couple of FPR1140-ASA or FPR-1150 in load balancing?
I would not configure them in failover.

what if one of the two firewalls fails? Is the other still capable to manage half of the total connections?
many tks

could it be also possible to configure the couple in failover and still have load balancing from both the firewall?

Many tks

Johnny

MHM Cisco World · ‎07-11-2024

Are FTD HA?

MHM

Rob Ingram · ‎07-11-2024

@l.buschi VPN Load Balancing supports 2 or more devices (up to 10) and all devices are active, with users connecting to the least loaded device. The maximum number of sessions that a load balancing group can support is the total of the number of sessions for each of the devices in the group. The FPR1140 supports a maximum of 400 VPN peers and the FPR1150 800 peers. You would need 2 x FPR1150 to meet your 1500 concurrent user requirement or 4 x FPR1140.

If a VPN load balancing group member device fails you would lose capability, so if you had 2 x FPR1150 and one fails only 800 users could connect until you replace the hardware. You would either need to account for this with an additional device(s) in the VPN load balancer group or instead configure an HA failover pair, in which case you should look at the FPR 2110/2120 to support 1500+ CCU.

ASA VPN Load Balancing - https://integratingit.wordpress.com/2020/03/14/asa-vpn-load-balancing/
FTD VPN Load Balancing - https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/

tiwang · ‎07-12-2024

we are running a couple of ASA's on FP2120 hw in a HA setup - the active is daily supporting around anyconnect 1000 users and is running more or less idle - i think you should look at a ASA setup instead