Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
1
Helpful
8
Replies

VPN Load balancing (Design)

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎09-26-2024 07:39 AM

Hi All,

We're about to re-design our AnyConnect remote access solution, moving from a pair of FTD 1140 in HA (they are a part of a branch office), to something that can provide more bandwidth to our users. It's a business requirement, so I won't argue.

So far it's been the talks have been around a new pair of 3105 in a VPN load balancing setup. Going through the documentation, there's not note any caveats by doing so (https://docs.defenseorchestrator.com/cdfmc/c_configuring_vpn_loadbalancing.html)

The 3105 is noted to have 3.2 Gbps throughput for TLS, and in a VPN LB setup I would double that. In a DR scenario, half the throughput will be acceptable. We also require to enable next-gen firewall features.

I'd like to hear from experience about building a VPN head-end, mainly when it comes to HA/Cluster/VPN LB setups?

Cheers,

Michael

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎09-26-2024 08:02 AM

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/221691-configure-vpn-client-load-balance-with-d.html

I think this what you need 

Round Robin dns to make some host use fw1 and other use fw2

MHM

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎09-26-2024 07:54 AM

@Michael Bartholomæussen if you only have a pair of 3105 appliances, HA failover pair might suffice, in that scenario the users will only connnect to the active appliance, the other appliance is not servicing any users until a failover event occurs. If the active appliance fails, the users will automatically failover to the secondary appliance which becomes active.

If using VPN Load Balancing you get to use both appliances at the sametime, in the event of one appliance failing the users do not automatically failover to the other appliance, they must disconnect and reconnect. You can also scale out easily, adding more appliances to the VPN load balance cluster if/when required. Use a wildcard or multi domain certificate. Configuration is pretty straight forward - https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/

 

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Rob Ingram

‎09-26-2024 11:18 PM

It would be acceptable if a cluster member fails and the client need to reconnect, my concern is the capacity. And scaling is certainly desirable if we require. Do you have any thoughts on using the 1150 instead - it's cheaper than the 3105, but performance wise it's not as capable.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Michael Bartholomæussen

‎09-26-2024 11:31 PM

@Michael Bartholomæussen the FPR1150 supports a maximum of 800 VPN peers, the 3105 is newer architecture and supports a maximum of 2000 peers and also has crypto accelerator for VPN traffic.

If you use VPN Load Balancing you can just add more devices to support more users to scale out if required, so if using the 1150 hardware you may need a lot of appliances to support the number of concurrent users compared to the 3100 series hardware.

Ultimately it would depend on how many concurrent users your hardware needs to support

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎09-26-2024 08:02 AM

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/221691-configure-vpn-client-load-balance-with-d.html

I think this what you need 

Round Robin dns to make some host use fw1 and other use fw2

MHM

0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to MHM Cisco World

‎09-26-2024 11:14 PM

Is the cluster LB functionality only bound to a DNS round robin now - I recall seeing a line mentioning a master/slave setup?

0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1

‎09-26-2024 11:23 PM

One design decision we are discussing, is to use our existing WAN firewall pair as remote access head-end. If we consider remote access users as a "branch". Our WAN layer terminates VPN and MPLS connections from other remote branches, co-los, and certain collaboration partners. Any pros/cons towards this topic?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Michael Bartholomæussen

‎09-26-2024 11:37 PM

@Michael Bartholomæussen it'll work. Personally I would seperate some functionality and not have all your eggs in one basket. If one  pair of devices performs multiple functions, that might overly complicate the configuration, make it harder to troubleshoot etc.

0 Helpful

Go to solution
Michael Bartholomæussen
Level 1
Level 1
In response to Rob Ingram

‎09-30-2024 11:53 PM

I would be leaning towards this solution as well, for the reasons you mention. Cost would essentially be the only driver, not to do it that way.

0 Helpful
Customers Also Viewed These Support Documents