VPN load balancing and ASA !!!
06-07-2007 04:47 PM - edited 02-21-2020 03:05 PM
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?
2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? The cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
3.- VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client etc.) and does not work with static LAN-to-LAN tunnels, correct?
Your comments are much appreciated
Labels: Other VPN Topics

06-08-2007 06:24 AM
Fernando,
1. You are correct - they can't be used at the same time.
2. When the VPN client connects to the virtual IP address, the connection is sent to the active ASA by redirecting the client's connection to the correct IP address of the active ASA. So, when the connection gets established, it's really to the active ASA's external IP address.
Hope this helps.
Cheers
Gilbert
06-09-2007 02:27 AM
Hi Gilbert ..
1.- Thanks I wanted to make sure.
2.- I know that; my question is regarding the return packets. For example, if I have the IP schema below:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virtual IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2 (20.20.20.21). The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question: how does the cluster handle this, because the return packets are supposed to be directed to ASA2 (192.168.1.2)?
3.- Any idea about this one ..?
Cheers,

06-11-2007 01:15 PM
2. You have to do "reverse-route injection"
So, there should be some kind of routing device on the internal network that can run OSPF or RIP, and your client's IP address will be populated correctly to the ASA that is terminating the connection.
3. Only Remote access.
Cheers,
Gilbert

07-27-2007 06:06 AM
Hi Gilbert, as we know ASA code 8.0 started supporting EIGRP. Can the ASA use EIGRP for reverse-route injection with downstream routers that also run EIGRP?
thanks,
David
08-10-2007 08:17 PM
Hi guys. We, too, are trying to use failover VPN tunnels. When the first ISP goes down, we are using the TRACK command to use the 2nd ISP. HOWEVER, when that occurs we cannot see the 2nd tunnel [backup tunnel] come up to the remote peer. :( Any ideas?
01-29-2008 12:50 PM
2. You can create two separate IP pools, one for each ASA, and then set up appropriate routing on the inside hosts (or router, if applicable) for the return traffic.
Cheers,
mk
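Both fixes offered in this thread (Gilbert's reverse-route injection and mk's per-ASA pools) work for the same reason: the inside gateway picks the next hop by longest-prefix match, so a more specific route pointing at the terminating ASA beats the default route pointing at ASA1. The simulation below is an added example written for this page, not code from Cisco or from anyone in the thread. It models only the routing decision of the inside gateway, using the ASA inside addresses from Fernando's schema; the client pool prefixes (10.10.1.0/24, 10.10.2.0/24) and client addresses are constructed. With a default route only, the return packet for a client on ASA2 is sent to ASA1 (the problem described); with an RRI host route or a per-ASA pool route it reaches ASA2.

```python
import ipaddress

# Inside addresses from the thread's example schema
ASA1_INSIDE = "192.168.1.1"
ASA2_INSIDE = "192.168.1.2"


class RoutingTable:
    """Minimal longest-prefix-match table, standing in for the inside
    router (or a host's static routes) that forwards return traffic."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [(n, h) for n, h in self.routes if n != net]

    def lookup(self, dst):
        """Return the next hop for dst, or None if no route matches.
        The most specific matching prefix wins, so a /32 host route
        injected by RRI overrides the 0.0.0.0/0 default route."""
        ip = ipaddress.ip_address(dst)
        matches = [(n, h) for n, h in self.routes if ip in n]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def lan_table_default_only():
    """The situation in the question: the LAN knows only a default
    gateway, 192.168.1.1 (ASA1), so every return packet goes to ASA1."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", ASA1_INSIDE)
    return rt


def rri_inject(rt, client_ip, asa_inside):
    """Reverse-route injection: when a client's tunnel comes up, the
    terminating ASA advertises a host route for that client (here added
    directly; on a real network it is learned via OSPF/RIP/EIGRP)."""
    rt.add(f"{client_ip}/32", asa_inside)


def rri_withdraw(rt, client_ip):
    """When the tunnel drops, the host route is withdrawn again."""
    rt.remove(f"{client_ip}/32")


def lan_table_per_asa_pools():
    """mk's alternative: give each ASA its own pool and point a static
    route for each pool at that ASA. Pool prefixes are constructed."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", ASA1_INSIDE)
    rt.add("10.10.1.0/24", ASA1_INSIDE)  # pool handed out by ASA1
    rt.add("10.10.2.0/24", ASA2_INSIDE)  # pool handed out by ASA2
    return rt


if __name__ == "__main__":
    client = "10.10.2.5"  # constructed: a client whose tunnel landed on ASA2
    rt = lan_table_default_only()
    print("default route only   ->", rt.lookup(client))  # 192.168.1.1 (wrong ASA)
    rri_inject(rt, client, ASA2_INSIDE)
    print("with RRI host route  ->", rt.lookup(client))  # 192.168.1.2
    rri_withdraw(rt, client)
    print("after RRI withdrawal ->", rt.lookup(client))  # 192.168.1.1
    print("per-ASA pool routes  ->", lan_table_per_asa_pools().lookup(client))  # 192.168.1.2
```

The RRI variant tracks tunnels dynamically, so it also covers the failover case where a client reconnects to the other ASA and the host route simply moves with it; the per-pool variant needs no routing protocol on the inside, but only works while each ASA keeps handing out addresses from its own fixed pool.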
