cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
765
Views
0
Helpful
4
Replies

Handling Internal Pools with VPN Load Balancing

a-ford
Level 1
Level 1

Hi,

I have 2 5540's with 2500 SSL VPN licenses each. I anticipate around 3000 concurrent users and thus am planning to use the built in load balancing. However, I am unsure how to handle IP assignment. I had planned on using an internal pool for IP assignment (172.17.0.0/18). Do I break this into 2 smaller pools and assign one to each ASA and then static route to each one or do I put the identical pool on each and they coordinate and proxy arp?

Thanks,

Adam Ford

4 Replies 4

Not applicable

To implement load balancing, you group together logically two or more ASA on the same private LAN-to-LAN network, private subnet, and public subnet into a virtual cluster.

The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device.

Load-balancing ensures that the Virtual cluster IP address is highly available to users. For example, if the Cisco ASA that services the Virtual cluster IP address fails, another ASA in the cluster assumes the Virtual cluster IP address.

Refer this doc:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/vpn/vpnsysop.htm#wp1048959

I have the same question " Do I break this into 2 smaller pools and assign one to each ASA and then static route to each one or do I put the identical pool on each and they coordinate and proxy arp?" ... doesn't look like this was answered yet.  Anyone have a recommendation

?  I have three VPNs that I want to share the address pool:

      ip local pool VPNPOOL 10.14.148.20-10.14.149.245 mask 255.255.254.0

Do I use the same pool on each ASA, or carve up the pool so that each ASA has it's own individual, non-overlapping pool to assign to clients?

The simple way is to divide your pool into segments and then static route those small segments to each ASA, the cool way to do it is enable ospf, rip or eigrp and do dynamic routing using reverse route injection with your L3 switch/router infrastructure.

oblomberg
Level 1
Level 1

The simplest answer is, you must break up your pools between the two devices, if not, the load balanced cluster will hand out duplicate IPs.  There is no intelligence in the assigned of IP addresses to clients attaching to the load balanced pair.  I have asked Cisco engineers if there is enough intelligence to realize that all of the IP addresses in a pool for a group are used on one device, then no more clients will be balanced to that device, but I do not believe so. 

The necessity for unique IP pools in not documented until the 8.2 release of the software, though it is present in the 7.X and 8.X.