VPN load balancing and ASA !!!

Similar Messages

• ASA Vpn load balancing and failover

  Hello all.
  We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
  Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
  Thanks
  Daniele

  Hi Wajih,
  I am testing this right now. In my case, I want A and B are failover pairs with A as the primary, (A+B) together as one member in cluster with other ASAs C and D. Here is what I found out:
  1, After the active/standby working, configure the load banlancing in the master, the cluster IP worked.
  2, after "no fail ac" in A, cluster IP stopped working. Seems the vpn load banlance configuration wasn't copied over to the standby B.
  3, In the active (now it's the secondary B), manually configure vpn load banlancing, then the cluster IP worked.
  4, "no fail ac" in the B and make the the primary A active, the cluster IP still worked.
  5, after "no fail ac" in A, cluster IP stopped working. show vpn load and found out the load banlance was disabled.
  6, "no fail ac" in the B and make the the primary A active, the cluster IP then worked.
  Based on above, the secondary B's VPN load banlance will be disabled when B becomes active in failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2)
  Thanks,
  Rick.

• ASA and vpn load balancing

  Hi,
  I am configuring 2 ASA5540 for internet trafic inside to outside ,
  outside to inside (web,smtp) but also vpn load balancing for client to site , site to site and webvpn.
  In the doc I can configure them for internet trafic as Active/Standby or Active/active.
  for vpn : I can use vpn load balancing
  But no information if I want to use the active/passif and vpn load balancing together.
  Any thoughts on which way to go? what is the best thing to do ?
  Regards

  Hi,
  I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps

• ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  This topic has been beat to death, but I did not see a real answer. Here is configuration:
  1) 2 x ASA 5520, running 8.2
  2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
  3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
  4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
  This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
  Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
  The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
  In any case, any experts out there that can answer question? TIA!

  Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
  Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
  Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
  Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
  Thanks much,
  Mike

• Having an issue with vpn load balancing certificate on the vip

                     Hi all,
  I am setting up vpn load balancing in a lab. I have two asa's running 8.6. I created a ucc cert from our internal CA  that has the vip as the CN in the cert and the two ASA's themselves as subject alternative names. I used open ssl to create the request. In each asa I am using encryption between the ASA's to encrypt the psk's. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASA's. The problem I have is that when I connect to the vip I get a cert error saying the cert doesn't match the name on the site. See below:
  "The security certificate presented by this website was issued for a different website's address."
  I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
  Does any one know what the CN of the cert should be for vpn load balancing. I thought the CN would be the vip but sometinhg is not right.
  Any help is appreciated.
  Thanks.

  Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

• 2 ISP load balancing and redundancy

  Hello!!
  Our small company has about 40 branches spreaded within city. Branches are connected by optic wire supplied by our ISP. So in ISP our branches are located in one VLAN. From every branch we created VPN tunnel to our server room in central office. Central office is like a cetner point. If optic wire fails to central office, there would no VPN tunnels and no network to all branches. Moreover, all the traffice goes through central office.
  Now we decided to pave one more optic line to our central office. And that will increase bandwidth and redundancy.
  Private network topology: There are no default gateways and ip-addresses. For examle, at first branch I will plug computer directly into media converter and at the second branch plug another computer to the media converter. After that this two computers became in one network. And can assign any ip addresses to them.
  What I have: our firewall do enough work, don't want to overload it. But we have some free ports in our new cisco 3750. The question is how to do load balancing and redundanccy? Can it do load balancing according to traffic? And how load balance incoming traffic? For example, connection was established from branche's router, how this router will choose through which line make connection? By the way, at all branches we use noisy cisco
  3700 series routers.

  Sorry for upping 1 year old threat.
  We talked to our Network Provider. They said "these two cables are coming from two different places, so there is no way to use etherchannel. You must use active-standby solution."
  Relying on STP we just put two cables into 3750 stack. But with default STP settings, connection was very unstable, many packet losses and disconnections. So we found easy solution with "flex links", making one interface backup of the other. And only now I recognized that this is not a failover solution. Because, if network beyond media converter will down, link from media converter to switch would still up.
  What could I do to make our L2 WAN redundant? Are there any additional STP settings.

• Load balancing and rfc metadata repository in reciever rfc communication ch

  hi.
  i want to know the purpose of load balancing and rfc meta data repository in RFC communication channel.
  and can u send me any examples on this load balancing.
  waiting for your response.
  bye.
  regards.
  seeta ram.

  Hi Seeta Ram,
  Load distribution is handled by the message server (there is one message server in an SAP System). When a user logs on, the message server assigns him or her to the application server that currently has the <b>smallest load</b>.
  Well now you can understand that we use load balancing for better performance by distributing the work to different processes to balance or maintain the work load in SAP system.
  For more information refer to this link
  http://help.sap.com/saphelp_nw04/helpdata/en/28/75153a1a5b4c2de10000000a114084/content.htm
  Regards
  Sumit Bhutani

• Advantages of using a webserver inbetween a load balancer and application servers

  I am building out a new weblogic domain.
  I am wondering which one of these configuration to go with:
  1. Load balancer > weblogic servers
  2. Load balancer > web server > weblogic servers
  Could someone tell me what are the specific advantages of having web servers inbetween a load balancer and application servers (besides caching static data content and acting as a proxy)?
  Thanks in advance
  Srini

  Other than hosting the static content, nothing much really.   We have our load balancer go straight to WL for applications without static content and route to web server if there is static content.   Easy enough to do it both ways, best of both worlds.

• For a true load balancing and high-availability OHS, OPMN, and mod_oc4j

  i have read this link of Enabling Clustering on oc4j9.0.4 standalone app server
  http://www.oracle.com/technology/docs/tech/java/oc4j/htdocs/getstart.htm#1015479
  To test the clustering, start up the load balancer by executing "java -jar loadbalancer.jar".
  C:\OC4J_EXTENDED\j2ee\home>java -jar loadbalancer.jar
  In a future release of Oracle Application Server, loadbalancer.jar will be
  desupported. Because of this, we strongly suggest that you discontinue your use
  of loadbalancer.jar in this release. Under high loads, loadbalancer.jar may not
  function properly. For a true load balancing and high-availability solution,
  please move to use OHS, OPMN, and mod_OC4J. For more information, please see
  http://otn.oracle.com/products/ias/ohs/content.html
  Balancer initialized...
  what load balancer should i use for web clustering
  <frontend host="balancer-host" port="balancer-port" />
  balancer-host=localhost
  balancer-port=80
  for all nodes i mentioned same host and port in http-web-site.xml.Is it correct?
  i completed all the steps and run http://localhost:6666/session/SessionServlet
  i hit 3 times
  in the different browser http://localhost:7777/session/SessionServlet
  instead of coming 4 it starting from 1 only.

  can i use this loadbalancer.jar or not?
  how to mod_oc4j in standalone app server

• Load balancing and High Availability topology

  Our Forms 6i client-server application currently runs on Citrix farm of 20 Windows 2000 boxes (IBM Blade Servers 2 CPU and 2 Gig Memory).
  Application supports 2000 users.
  We are moving to AS 10g r2, forms 10g and the goal is to use same hardware, 20 Windows boxes (or less), for intranet web deployment.
  What will be our best choices for application Load balancing and High Availability?
  Hardware load balancer, Web Cache, mod-oc4j? Combinations?
  Any suggestions, best practices, your experience?

  Gerd, I understand, that you are running 10g web forms through the browser, but using Citrix for deployment. This means that in addition to Application Server and Forms runtime sessions, it will be separate browser session opened for each user. What the advantage of this configuration?
  Michael, we are aware, that Citrix is not supported by Oracle as a deployment platform. That only means that prior contacting Oracle Support we have to reproduce the problem in standard environment. It was never been a problem to reproduce problem :) We were using Citrix as a deployment platform for Forms 6i client/server for 4 years, but now we are forced to upgrade to 10g.
  We are familiar with various Load balancing options available. The question is which option is the most "workable" in our case.

• Load balancing and Failover

  Hello,
  We are wondering how load-balancing and failover of tpcall() work with
  WTC:
  The scenario:
  We have one WLS Domain and two Tuxedo Domains. The Tuxedo Domains offer
  the same set of services.
  In the bdmconfig.xml, we specify connection_policy as 'ON_STARTUP' for
  both Remote Tuxedo Domains. We also Import (T_DM_IMPORT) the same
  Tuxedo Service from both Tuxedo Domains.
  Questions:
  1. Is there any load-balancing of the tpcall between the two Domains? If
  so, is it round-robin? If round-robin, what determines the order?
  2. If it is ONLY Failover, what determines the order of the tpcall? And,
  is the Failover automatic? Or do we need to code for retry on failure?
  3. ON_DEMAND vs ON_STARTUP: Does ON_DEMAND drop the connection to the
  remote domain upon tpterm? And does ON_STARTUP use a pool of
  TuxedoConnection objects?
  4. Are there any configuration parameters for
  'max_number-of_connections? What determines how many simultaneous
  connections can be made?
  Thanks,
  Suresh Mohan.

  Hi Suresh,
  The following are my answers to your questions.
  Suresh Mohan wrote:
  Hello,
  We are wondering how load-balancing and failover of tpcall() work with
  WTC:
  The scenario:
  We have one WLS Domain and two Tuxedo Domains. The Tuxedo Domains offer
  the same set of services.
  In the bdmconfig.xml, we specify connection_policy as 'ON_STARTUP' for
  both Remote Tuxedo Domains. We also Import (T_DM_IMPORT) the same
  Tuxedo Service from both Tuxedo Domains.
  Questions:
  1. Is there any load-balancing of the tpcall between the two Domains? If
  so, is it round-robin? If round-robin, what determines the order?Yes there is a load balancing between two remote Tuxedo TDomain Gateways.
  The algorithm is random, not RR. Over time this should give equal
  opportunities to both remote TDomain.
  >
  2. If it is ONLY Failover, what determines the order of the tpcall? And,
  is the Failover automatic? Or do we need to code for retry on failure?The load balancing is always there. The failover is automatic. When a
  connection to a remote TDomain encountered a problem (ie network) the remote
  domain will be put on retry open connection (in ON_STARTUP) and the load
  balancing will not select it until the connection re-established.
  However, the tpcall() that encountered the error will not be retried to send
  to different destination. It is up to the application to decide whether it
  want to resend. Any requests called after the error will not select the
  failed Remote TDomain.
  >
  3. ON_DEMAND vs ON_STARTUP: Does ON_DEMAND drop the connection to the
  remote domain upon tpterm? And does ON_STARTUP use a pool of
  TuxedoConnection objects?TPTERM() only terminate your application session to WTC. WTC still maintain
  a secured T-session to remote Tuxedo TDomain. WTC does not use a pool of
  TuxedoConnection Objects, the object stored in the JNDI refers to WTC.
  >
  4. Are there any configuration parameters for
  'max_number-of_connections? What determines how many simultaneous
  connections can be made?No. As described in #3, there is no need to use connection pool in WTC. WTC
  uses session and virtual circuit design concept as Tuxedo TDOMAIN, the
  logical pool is created/destroyed dynamically. That is the reason why you
  can have a lot of TPACALL() outstanding at the same time. (The limitation is
  the availability system resource.)
  >
  >
  Thanks,
  Suresh Mohan.Regards,
  Hong-Hsi :-)

• Discussion on load-balance and load-sharing

  Hi, I found a article, which discuss the difference between load-balance and load-sharing. I think the explanation is pretty good, please see below. But I still have a question: how can we decide to choose one the both balance in the production environment ?  Thank you
  "In short, load balancing tries to distribute traffic evenly over multiple paths, whereas, load sharing intends to do it (for the lack of a better term) equally.  True load balancing is difficult to achieve.  For example, let's say there were two links (100 mbps and 300 mpbs) and a router needed to send out 600 mbps of traffic.  Load balancing would distribute the traffic evenly, sending 300 mbps on each link.  On the contrary, load sharing would divide the traffic equally based on the available resources, sending 200 mbps on the slower link and 400 mbps on the faster one. "

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  That's not how Cisco uses the terms, and generically they are often used almost interchangeably.
  Cisco uses load balancing as the catch all for how a single L3 device routes across multiple paths to the same destination.  Equal metrics or equal actual load distribution are not required.  Most often, load balancing will be discussed with ECMP, but unequal path loading balancing will include Cisco's proprietary IGPs, such as EIGRP.
  Cisco uses load sharing when using multiple paths when a single L3 devices doesn't normally route across multiple paths or multiple L3 devices are involved.  Cisco load sharing discussions usually revolve around BGP.
  Generically, I would say load balancing has more of a dynamic aspect to it, i.e. something is trying to actively balance traffic across multiple paths, while load sharing might mean multiple paths are utilized but not actively dynamically balanced.
  I'm unsure what's your question with a production environment.

• Load Balancing and Failover with 10G Standard Edition

  Hi,
  I am new to Oracle Replication and need some help setting up replication for load balancing and failover. Is this possible using Oracle 10G Standard Edition? I plan on having all updates done on the master site and both databases will be for reads. In case of failure of the master site, I would need to be able to failover to the other database.
  Also, if anyone knows of any documention for Basic Replication in 10G, please let me know.
  Thanks.

  Simple nnapshot replication of data would require significant manual effort to configure to load balance or failover. One the load balancing side, you would generally be limited to to static load balancing-- assigning half the users to one machine and the other half of the users to the other machine, regardless of who is actively using the machine. Failover would be a significant manual effort, particularly to bring the failed machine back into the cluster. You would be implementing the guts of multi-master replication.
  Frankly, if you actually have a system which is valuable enough to need load balancing and disaster recovery, I'm going to wager that it will be far cheaper even in the short run to buy more boxes and/or enterprise edition licenses than to try to implement this sort of thing yourself. In the long run, it will be far cheaper, since it will be far easier to maintain. Building all this yourself would probably be penny wise and pound foolish.
  Justin
  Distributed Database Consulting, Inc.
  http://www.ddbcinc.com/askDDBC

• Load balancing and RFC problem

  Hi!
  I have a problem regarding load balancing and RFC's. We use the follow function in librfc32.dll (from VB6) for RFC calls: RfcOpenExt It's working fine no problem, but from now on we will have to use the this funcion due to load balancing: RfcOpenExtV3
  The only difference between the two functions is the parameters. RfcOpenExtV3 has 5 additional parameters:
  intLoadBalance1, strLbHost1, strLbSysName1, strLbGroup1, intSapGui1
  I asked our tech guys for the details so that I can set up the parameters (double check everything) and the RfcOpenExtV3 doesn't working. Return value is zero.
  Have somebody faced with this issue before?
  Thanks in advance!

  Hi,
  1. Probably this  link may help.
  [http://help.sap.com/saphelp_nw04/helpdata/en/22/042f18488911d189490000e829fbbd/content.htm]
  Especially see the function parameters on this page,
  which are the bottom.
  regards,
  amit m.

• TES6.1 Load Balancing and DSP

  Haven't gotten much response to my other posts, hoping I get some about this.
  For those using load balancing, do you name your DSP the same on both servers?  I was trying to see if there were pros and cons to naming them different or the same (or if you can't name them the same).
  We have them named different, one is TesDevCM1 and the other is TesDevCM2.  This makes it easier to troubleshoot and know where someone is connected BUT I realize that this is not good when you are trying to truly utilize loadbalancing for example for Transporter and TESCmmandline as this forces you to bound these apps to a specific CM.
  Just wanted to see if there were opinions out there. (Made my post shorter, hopefully someone will respond ^_^)

  Hi Jesse,
  Actually it works after you asked me to go through the web cache documentation which i posted question on how to do the load balancing and failover. Thanks for you help. I just want to double confirm whether i did correctly. Since i have problem in passing the session variables. Which the server switch between the two servers for load balacing, it can't bring the session variables from server 1 to server 2. It will give error on the pages. I want to ask whether anyway to bring the session variables from server1 to server2??
  Besides, can you please tell me if i just wanted to have failover but not load balancing, can this be done???
  Thanks
  Regards,
  Ming Jade