cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
435
Views
1
Helpful
8
Replies

VPN Load balancing (Design)

Hi All,

We're about to re-design our AnyConnect remote access solution, moving from a pair of FTD 1140 in HA (they are a part of a branch office), to something that can provide more bandwidth to our users. It's a business requirement, so I won't argue.

So far it's been the talks have been around a new pair of 3105 in a VPN load balancing setup. Going through the documentation, there's not note any caveats by doing so (https://docs.defenseorchestrator.com/cdfmc/c_configuring_vpn_loadbalancing.html)

The 3105 is noted to have 3.2 Gbps throughput for TLS, and in a VPN LB setup I would double that. In a DR scenario, half the throughput will be acceptable. We also require to enable next-gen firewall features.

I'd like to hear from experience about building a VPN head-end, mainly when it comes to HA/Cluster/VPN LB setups?

Cheers,

Michael

1 Accepted Solution

Accepted Solutions

8 Replies 8

@Michael Bartholomæussen if you only have a pair of 3105 appliances, HA failover pair might suffice, in that scenario the users will only connnect to the active appliance, the other appliance is not servicing any users until a failover event occurs. If the active appliance fails, the users will automatically failover to the secondary appliance which becomes active.

If using VPN Load Balancing you get to use both appliances at the sametime, in the event of one appliance failing the users do not automatically failover to the other appliance, they must disconnect and reconnect. You can also scale out easily, adding more appliances to the VPN load balance cluster if/when required. Use a wildcard or multi domain certificate. Configuration is pretty straight forward - https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/

 

It would be acceptable if a cluster member fails and the client need to reconnect, my concern is the capacity. And scaling is certainly desirable if we require. Do you have any thoughts on using the 1150 instead - it's cheaper than the 3105, but performance wise it's not as capable.

@Michael Bartholomæussen the FPR1150 supports a maximum of 800 VPN peers, the 3105 is newer architecture and supports a maximum of 2000 peers and also has crypto accelerator for VPN traffic.

If you use VPN Load Balancing you can just add more devices to support more users to scale out if required, so if using the 1150 hardware you may need a lot of appliances to support the number of concurrent users compared to the 3100 series hardware.

Ultimately it would depend on how many concurrent users your hardware needs to support

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/221691-configure-vpn-client-load-balance-with-d.html

I think this what you need 

Round Robin dns to make some host use fw1 and other use fw2

MHM

Is the cluster LB functionality only bound to a DNS round robin now - I recall seeing a line mentioning a master/slave setup?

One design decision we are discussing, is to use our existing WAN firewall pair as remote access head-end. If we consider remote access users as a "branch". Our WAN layer terminates VPN and MPLS connections from other remote branches, co-los, and certain collaboration partners. Any pros/cons towards this topic?

@Michael Bartholomæussen it'll work. Personally I would seperate some functionality and not have all your eggs in one basket. If one  pair of devices performs multiple functions, that might overly complicate the configuration, make it harder to troubleshoot etc.

I would be leaning towards this solution as well, for the reasons you mention. Cost would essentially be the only driver, not to do it that way.