VPN Load Balancing

riteshmalpani
Level 1

There are two Cisco ASA 5520s that need to be implemented in VPN load balancing mode.

My Cisco ASA is behind the firewall. I have done NATting on my external firewall for all three DMZ interface IPs (172.20.12.4, 172.20.12.5, 172.20.12.6) with three different public IPs. I am able to connect to the VPN, but after I shut down my master VPN, I am unable to make VPN connections anymore. Please let me know why I am unable to make connections through my backup ASA. I don't know if I have done some wrong configuration.

Please help.

The configurations are as follows:

Cisco ASA 1:

interface GigabitEthernet0/0
 nameif DMZ_INTERFACE
 security-level 0
 ip address 172.20.12.6 255.255.255.192
vpn load-balancing
 priority 6
 interface lbpublic DMZ_INTERFACE
 interface lbprivate Inside
 cluster key wipro
 cluster ip address 172.20.12.4
 cluster encryption
 participate
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.20.7.231 source mgmt

Cisco ASA 2:

interface GigabitEthernet0/0
 nameif DMZ_INTERFACE
 security-level 0
 ip address 172.20.12.5 255.255.255.192
vpn load-balancing
 priority 7
 interface lbpublic DMZ_INTERFACE
 interface lbprivate Inside
 cluster key wipro
 cluster ip address 172.20.12.4
 cluster encryption
 participate
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.20.7.231 source mgmt

Regards

Ritesh

1 Reply

Herbert Baerten
Cisco Employee

Hi Ritesh,

Can you post your full config please? I would particularly like to see the inside interface and the crypto map(s).


Also, on both cluster members (before shutting down the master), get:

show vpn loadb


and enable:

debug vpnlb

debug arp


Then shut down the master, keep collecting the debugs for a few seconds on the second ASA, then turn off the debugs and get "show vpn loadb" again on the second ASA.

And, on the NAT device, check the ARP table: what MAC address is 172.20.12.4 pointing to?


Herbert
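The ARP check Herbert asks for in the last step can be made repeatable by snapshotting the NAT device's ARP table before and after the master is shut down and comparing which member's MAC answers for the cluster IP. The following is an added example, not code from this thread or from Cisco; it assumes the cluster IP is answered with the current master's physical interface MAC, and the member MACs, the ARP output format and the choice of ASA 2 (priority 7) as master are all constructed for illustration.

```python
"""Compare ARP snapshots from the NAT device before/after master shutdown
and report whether the cluster VIP followed the surviving ASA."""
import re
from typing import Dict, Optional

CLUSTER_VIP = "172.20.12.4"

# Constructed: physical DMZ_INTERFACE MACs of the two cluster members.
MEMBER_MACS = {
    "172.20.12.6": "0011.2233.aa06",  # ASA 1, priority 6
    "172.20.12.5": "0011.2233.aa05",  # ASA 2, priority 7 (assumed master)
}

# Constructed ARP table dumps, "ip mac interface" per line.
ARP_BEFORE = """\
172.20.12.4  0011.2233.aa05  dmz
172.20.12.5  0011.2233.aa05  dmz
172.20.12.6  0011.2233.aa06  dmz
"""
ARP_AFTER_STALE = """\
172.20.12.4  0011.2233.aa05  dmz
172.20.12.6  0011.2233.aa06  dmz
"""

_ARP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def parse_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} from ARP table text; non-matching lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def vip_owner(arp: Dict[str, str], vip: str = CLUSTER_VIP) -> Optional[str]:
    """Member IP whose physical MAC the VIP currently resolves to, or None."""
    mac = arp.get(vip)
    return next((ip for ip, m in MEMBER_MACS.items() if m.lower() == mac), None)

def check_failover(before: str, after: str, shut_down: str) -> str:
    """Classify the VIP's fate after member `shut_down` was powered off."""
    owner_before = vip_owner(parse_arp(before))
    owner_after = vip_owner(parse_arp(after))
    if owner_after is None:
        return "vip-missing"   # no entry or unknown MAC: no member answers for VIP
    if owner_after == shut_down:
        return "stale-arp"     # NAT device still forwards VIP traffic to dead member
    return "moved" if owner_after != owner_before else "unchanged"
```

A "stale-arp" result points at the NAT device caching the old master's MAC for 172.20.12.4 rather than at the VPN cluster itself, while "vip-missing" means no member took over the cluster address at all.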