09-26-2024 07:39 AM
Hi All,
We're about to re-design our AnyConnect remote access solution, moving from a pair of FTD 1140 in HA (they are a part of a branch office), to something that can provide more bandwidth to our users. It's a business requirement, so I won't argue.
So far the talks have been around a new pair of 3105 in a VPN load balancing setup. Going through the documentation, there are no caveats noted for doing so (https://docs.defenseorchestrator.com/cdfmc/c_configuring_vpn_loadbalancing.html).
The 3105 is noted to have 3.2 Gbps throughput for TLS, and in a VPN LB setup I would double that. In a DR scenario, half the throughput will be acceptable. We also require next-gen firewall features to be enabled.
I'd like to hear from experience about building a VPN head-end, mainly when it comes to HA/cluster/VPN LB setups.
Cheers,
Michael
09-26-2024 08:02 AM
I think this is what you need:
Round robin DNS to make some hosts use fw1 and others use fw2.
MHM
09-26-2024 07:54 AM
@Michael Bartholomæussen if you only have a pair of 3105 appliances, an HA failover pair might suffice. In that scenario the users will only connect to the active appliance; the other appliance is not servicing any users until a failover event occurs. If the active appliance fails, the users will automatically fail over to the secondary appliance, which becomes active.
If using VPN Load Balancing you get to use both appliances at the same time. In the event of one appliance failing, the users do not automatically fail over to the other appliance; they must disconnect and reconnect. You can also scale out easily, adding more appliances to the VPN load balance cluster if/when required. Use a wildcard or multi-domain certificate. Configuration is pretty straightforward - https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/
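The wildcard/multi-domain certificate advice above matters because a load-balancing director redirects each client to an individual member's own address, so the certificate must be valid for the cluster FQDN and for every member FQDN. The following check is an added example (not from this thread, Cisco, or the linked blog); the hostnames and SAN lists are constructed placeholders, and a wildcard is treated as covering only the leftmost label (RFC 6125 style).

```python
"""Verify that one TLS certificate's SAN list covers every hostname a VPN
load-balancing cluster presents. Added example; hostnames are placeholders."""
from typing import Iterable, List

# Constructed example: cluster FQDN that clients connect to, plus each member's
# own FQDN (the director redirects clients to one of these).
CLUSTER_FQDN = "vpn.example.com"
MEMBER_FQDNS = ["ftd1.vpn.example.com", "ftd2.vpn.example.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may only replace the entire leftmost
    label and never spans a dot, so *.example.com does NOT cover
    ftd1.vpn.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # Leftmost label may be any non-empty label; remaining labels must be exact.
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(san_entries: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Return the hostnames matched by no SAN entry (empty list means the
    certificate covers the whole cluster)."""
    sans = list(san_entries)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed SAN lists for a correctly scoped wildcard and one that sits
    # one label too high (a common mistake when members live in a sub-zone).
    wildcard_cert = ["vpn.example.com", "*.vpn.example.com"]
    too_narrow_cert = ["vpn.example.com", "*.example.com"]
    for label, sans in (("wildcard", wildcard_cert), ("too narrow", too_narrow_cert)):
        missing = uncovered_hosts(sans, [CLUSTER_FQDN, *MEMBER_FQDNS])
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the SAN list of the certificate you intend to deploy before enabling load balancing; any hostname it reports as missing will produce a certificate warning on redirect.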
09-26-2024 11:18 PM
It would be acceptable if a cluster member fails and the clients need to reconnect; my concern is the capacity. And scaling is certainly desirable if we require it. Do you have any thoughts on using the 1150 instead? It's cheaper than the 3105, but performance-wise it's not as capable.
09-26-2024 11:31 PM
@Michael Bartholomæussen the FPR1150 supports a maximum of 800 VPN peers; the 3105 is a newer architecture, supports a maximum of 2000 peers and also has a crypto accelerator for VPN traffic.
If you use VPN Load Balancing you can just add more devices to support more users and scale out if required, so if using the 1150 hardware you may need a lot of appliances to support the number of concurrent users compared to the 3100 series hardware.
Ultimately it would depend on how many concurrent users your hardware needs to support.
09-26-2024 11:14 PM
Is the cluster LB functionality only bound to DNS round robin now? I recall seeing a line mentioning a master/slave setup.
09-26-2024 11:23 PM
One design decision we are discussing is to use our existing WAN firewall pair as the remote access head-end, if we consider remote access users as a "branch". Our WAN layer terminates VPN and MPLS connections from other remote branches, co-los, and certain collaboration partners. Any pros/cons on this topic?
09-26-2024 11:37 PM
@Michael Bartholomæussen it'll work. Personally I would separate some functionality and not have all your eggs in one basket. If one pair of devices performs multiple functions, that might overly complicate the configuration, make it harder to troubleshoot, etc.
09-30-2024 11:53 PM
I would be leaning towards this solution as well, for the reasons you mention. Cost would essentially be the only driver not to do it that way.