VPN load balancing question

jeffreysuchomel
Level 1

All,

We have an ASA5520 pair that we will be installing to load balance SSLVPN connections.  Below is a portion of our configs pertaining to the VPN load-balancing feature (configured on both ASAs):

////////////////////////////////////////////////////////////////

vpn load-balancing
 redirect-fqdn enable
 cluster key *****
 cluster ip address connect.companyname.com
 cluster encryption
 participate

vpn load-balancing
 redirect-fqdn enable
 cluster key *****
 cluster ip address connect.xtoenergy.com
 cluster encryption
 participate

ssl trust-point webvpn outside vpnlb-ip

ip local pool COMPANY_NAME 10.211.112.1-10.211.113.254 mask 255.255.254.0

////////////////////////////////////////////////////////////////

My specific question is related to routing of return traffic to load-balanced VPN sessions.  Is there some kind of persistence function that tells the return traffic which ASA to route back to?  For instance, if ASA1 has a VPN connection having IP address 10.211.112.1 associated to it, and ASA2 has a VPN connection having IP address 10.211.112.100, how does the return traffic for each connection know which ASA to route back to?

Sorry if this is a basic question - this is a new feature to me so I have no prior experience.

Thanks!

1 Reply

Bastien Migette
Cisco Employee

Hi Jeffrey,

The VPN cluster feature allows sharing the load of the incoming VPN connections among the ASAs, so when a client connects, its connection stays with the same ASA. Now, for the rest of the infrastructure to know to which ASA they should route the traffic, the easiest is to use reverse route injection in the crypto map and redistribute the generated static routes into dynamic routing protocols.
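The RRI-plus-redistribution approach described in the reply, written out as an added ASA configuration example (not from the original post, the reply, or Cisco documentation). The map names, ACL and route-map names, OSPF process 1, area 0, the inside network 192.0.2.0/24 and the interface names are assumptions; the VPN pool 10.211.112.0/23 is the one from the question.

```cisco
! Added example, not from the original thread. Assumed names: DYN-RA, OUTSIDE-MAP,
! RRI-POOL, RRI-ROUTES; assumed OSPF process 1, area 0, inside net 192.0.2.0/24.

! 1. Enable reverse route injection on the dynamic crypto map used for
!    remote-access clients. While a client is connected, the ASA that holds the
!    session installs a /32 static route for that client's pool address
!    (taken from 10.211.112.0/23 in the question) pointing at the tunnel.
crypto dynamic-map DYN-RA 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside

! 2. Limit redistribution to the VPN pool so that other static routes on the
!    ASA are not leaked into the IGP.
access-list RRI-POOL standard permit 10.211.112.0 255.255.254.0
route-map RRI-ROUTES permit 10
 match ip address RRI-POOL

! 3. Redistribute the injected static routes into OSPF on the inside network.
!    Each /32 is advertised only by the ASA that currently owns the session,
!    so the inside routers send return traffic to the correct ASA. When the
!    client disconnects, the route is withdrawn and the advertisement goes away.
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 redistribute static subnets route-map RRI-ROUTES
```

After a client connects, `show route` on the owning ASA should list the client's /32 as a static route, and the inside routers should see it as an OSPF external route from that ASA only.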