VPN Load balancing on ASA 5520

pmajumder
Level 3

Hi,

I have 2 ASAs in Active/Standby setup (context mode=single) that I am trying to configure for VPN load balancing. I have configured the appliances identically as follows:

vpn load-balancing
 interface lbpublic Outside
 interface lbprivate Inside
 cluster key xxxxxxx
 cluster ip address x.x.x.x
 cluster encryption
 participate

The cluster IP is on the same subnet as the outside interfaces.

Both units report themselves as masters. They are unable to see each other.

sh vpn load-balancing
Status: enabled
Role: Master
Failover: Active
Encryption: enabled
Cluster IP: x.x.x.x
Peers: 0

Can anyone please help as to why they can't see each other?

Thanks

Pradeep

5 Replies

cpembleton
Level 4

If you're running Active/Standby then you can't load balance. One is always active and the other standby. They would both have to be active to load balance. Your load balancing would be the failover. If the active failed then the secondary would take over the IP address and become active. All clients would terminate to the same IP but physically different ASAs.

Thanks,

Chad

Hi Chad,

Thanks for replying. I had it the way you are describing it. However, I was recently told by Cisco in this forum that VPN load balancing would work in an active/standby environment (single security context), and thus my effort to try and implement it - clearly so far it has not worked.

Thanks

Pradeep

Hi Chad,

Thanks for your help! I do now understand how it should work.

Thanks

Pradeep

Hi everybody,

So can VPN Load Balancing run in the A/S case?

Unfortunately, it will not work with a single A/S failover pair. You will need to have 2 failover pairs, or some combo that will give you 2 active ASAs.