Load Balancing a clustered ASA group

josephreid
Level 1

I have to implement a Remote Access VPN solution. 20,000+ potential concurrent logins. Not being overly familiar with RA VPN (more used to S2S VPN), it's a little out of my comfort zone. I'm thinking of 4 x 5585 ASA (a pair of ASA in each of the two datacenters), with load balancing. From what I've read so far, L3 is not currently supported across datacenters for a clustered group. If L2 is not possible, what other solutions would be on the table, all while deploying a single connection-profile? Any help would be appreciated. Still at HLD/LLD stage of this, so nothing is concrete at present.

Accepted Solution

nspasov
Cisco Employee

Hi there. Here is my input:

- To start with I would not purchase the ASA 5585-X model. Those FWs are old, expensive and will never run the new/unified code (FTD aka FirePOWER Threat Defense) that combines both the ASA and the Sourcefire code into one.

- The maximum number of VPN peers/clients is 10,000

- Instead, I would suggest looking at the new FirePOWER 4000 series appliances. For instance, the 4140 can support up to 20,000 concurrent VPN clients/peers. Those appliances can either run the FTD or the ASA code. The FTD code is the future but at the moment it does not support RA-VPN, thus you will be running the good old ASA code. They are expensive but so are the 5585-X :) Here is a link for the data sheet for the new 4000 and 9000 series FirePOWER Appliances:

http://www.cisco.com/c/dam/en/us/products/collateral/security/firepower-4100-series/datasheet-c78-736661.pdf

- You are correct, L2 connection is required for VPN load balancing/clustering, thus L3 is not an option

- The best way to load-balance such traffic between two different data centers is through Load-Balancers. I really like and have had great luck with F5s. A pair of those running GTM/LTM will make the solution very elegant

- If load balancers are not an option then you can look at the load balancing function that is available with the AnyConnect client. Keep in mind that it is not a true load balancing method and you can still end up with most of your users hitting up one ASA based on their geo location. For more info on that you can check the thread below:

https://supportforums.cisco.com/discussion/12217606/asa-and-anyconnect-automatically-select-best-server

I hope this helps!

Thank you for rating helpful posts!


5 Replies

Neno,

Thank you for the depth of your response, it has certainly given me much to think about. I will look into the possibility of swapping the 5585-X for FirePOWER, as this may also give us the potential for IPS.

The idea of using dedicated load balancing also appeals.

Thanks again

Joe

No problem. Glad I could help! :)

Shakti Kumar
Cisco Employee

Hi josephreid,

If you have 2 datacenters geographically separated then load balancing wouldn't be a wise decision. The reason being that load balancing serves the purpose of only sharing the connections, but it is not an advisable solution when it comes to a fault tolerant model. The best solution I can think of is to use Optimal Gateway Selection using a primary and backup server list, which will not only provide a fault tolerant solution but will also distribute the connections based on geography.

So the idea behind using OGS is that AnyConnect chooses the best ASA based on reachability. If you have any doubts feel free to contact me on shaktiku@cisco.com or post your query here.

Mark the answer correct if helpful

Thanks

Shakti
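Added illustration, not taken from any post in this thread: an AnyConnect client profile of the kind Shakti describes, with Optimal Gateway Selection enabled and a primary head end that carries a backup server list. Element names follow the AnyConnect VPN profile schema as I know it, the hostnames are constructed placeholders, and the profile should be built or validated in the AnyConnect Profile Editor before it is assigned to the ASA group policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile; hostnames are placeholders, not real servers. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Optimal Gateway Selection: the client probes each head end and
         connects to the one with the lowest measured round-trip time.
         UserControllable="true" lets users turn it off in the client UI. -->
    <AutoServerSelection UserControllable="true">true</AutoServerSelection>
    <!-- Only switch gateways when another one is at least 20% faster,
         so the client does not flap between two close data centers. -->
    <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
    <!-- After a disconnect, wait this many hours before re-probing. -->
    <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
  </ClientInitialization>
  <ServerList>
    <!-- A single connection profile is presented to the user; the
         gateway choice happens underneath it. -->
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn-dc1.example.com</HostAddress>
      <!-- Fault tolerance: the backup list is tried only when the
           selected head end cannot be reached. -->
      <BackupServerList>
        <HostAddress>vpn-dc2.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The selection here rests on reachability and round-trip time alone, which is the limitation nspasov points out in the next reply; a dedicated load balancer can weigh other attributes such as the number of sessions already on each head end.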

I am going to have to disagree with you, Shakti. Optimal Gateway Selection is an OK feature that does an OK job but it cannot compare to a true load balancing solution such as F5's GTM/LTM. With a real load-balancing solution the selection of the Optimal Gateway can be configured based on many different and intelligent attributes, while AnyConnect's OGS is based on a simple ping and latency factor.

Just my 2 cents.

Thank you for rating helpful posts!