ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

Similar Messages

• ASA and vpn load balancing

  Hi,
  I am configuring 2 ASA5540 for internet trafic inside to outside ,
  outside to inside (web,smtp) but also vpn load balancing for client to site , site to site and webvpn.
  In the doc I can configure them for internet trafic as Active/Standby or Active/active.
  for vpn : I can use vpn load balancing
  But no information if I want to use the active/passif and vpn load balancing together.
  Any thoughts on which way to go? what is the best thing to do ?
  Regards

  Hi,
  I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps

• Active/Standby failover automatic primary active

  I have 2 ASAs 5510 with same physical configuration and running ok with active/standby failover mode. Like we have PREEMPT command in active/active failover to get back primary active after its been rebooted from failed mode. This command makes primary back to active and makes secondary firewall standby automatically.
  Need help to know any such command for active/standby failover for automatic primary active. Currently we have to use command FAILOVER ACTIVE on primary to make it active manually.

  Remember, failover in ASA works differently than HSRP. ASA does NOT use
  HSRP. Furthermore, there is NO HSRP ip address in ASA either. You are
  talking about two different technologies.
  Think of it this way. HSRP technology works very similar to VRRP and
  Juniper NSRP. All of these technologies use virtual IP address. If you
  have two devices, you will have an Virtual IP address, in addition
  to the physical ip addresses of the two devices. ASA does not use the
  extra VIP.

• ASA Vpn load balancing and failover

  Hello all.
  We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
  Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
  Thanks
  Daniele

  Hi Wajih,
  I am testing this right now. In my case, I want A and B are failover pairs with A as the primary, (A+B) together as one member in cluster with other ASAs C and D. Here is what I found out:
  1, After the active/standby working, configure the load banlancing in the master, the cluster IP worked.
  2, after "no fail ac" in A, cluster IP stopped working. Seems the vpn load banlance configuration wasn't copied over to the standby B.
  3, In the active (now it's the secondary B), manually configure vpn load banlancing, then the cluster IP worked.
  4, "no fail ac" in the B and make the the primary A active, the cluster IP still worked.
  5, after "no fail ac" in A, cluster IP stopped working. show vpn load and found out the load banlance was disabled.
  6, "no fail ac" in the B and make the the primary A active, the cluster IP then worked.
  Based on above, the secondary B's VPN load banlance will be disabled when B becomes active in failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2)
  Thanks,
  Rick.

• VPN load balancing and ASA !!!

  Hi netpros,
  I have a couple of questions about this and hope you might be able to assist me.
  1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
  2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
  3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
  Your comments are much appreciated

  Hi Gilbert ..
  1.- Thanks I wanted to make sure.
  2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
  ASA1: Public 20.20.20.20
  Private 192.168.1.1
  ASA2: Public 20.20.20.21
  Private 192.168.1.2
  Cluster virutal IP: 20.20.20.10
  Default gateway for segment 192.168.1.0 is 192.168.1.1
  Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handles this because the return packet are supposed to be directed to ASA2 192.168.1.2
  3.- Any idea about this one ..?
  Cheers,

• ASA 5520 Anyconnect License on Active/Standby Failover pair

  Hi
  Our customer has purchased 2 x L-ASA-AC-E-5520= Anyconnect Essentials VPN Licenses (750 Users)
  Ive installed both activated licenses as per the cisco guides, I didnt get any errors on the install. I did a reload on both, they are both back up and running as active/standby but when I do a sh ver the license still shows "ASA 5520 VPN Plus License"
  Am I being dumb and has this worked successfully or should it not now display Anyconnect when I do a sh ver
  Any help would be much appreciated on this one please
  Regards
  Graham

  Thanks Marvin
  Below is the show ver, but I was kind of expecting there to be a mention of Anyconnect if I had activated the license
  We previously had the VPN Plus License, and it still shows VPN Plus
  Licensed features for this platform:
  Maximum Physical Interfaces : Unlimited
  Maximum VLANs               : 150      
  Inside Hosts                 : Unlimited
  Failover                     : Active/Active
  VPN-DES                     : Enabled  
  VPN-3DES-AES                 : Enabled  
  Security Contexts           : 2        
  GTP/GPRS                     : Disabled
  VPN Peers                   : 750      
  WebVPN Peers                 : 2        
  AnyConnect for Mobile       : Disabled
  AnyConnect for Linksys phone : Disabled
  Advanced Endpoint Assessment : Disabled
  UC Proxy Sessions           : 2        
  This platform has an ASA 5520 VPN Plus license.

• Having an issue with vpn load balancing certificate on the vip

                     Hi all,
  I am setting up vpn load balancing in a lab. I have two asa's running 8.6. I created a ucc cert from our internal CA  that has the vip as the CN in the cert and the two ASA's themselves as subject alternative names. I used open ssl to create the request. In each asa I am using encryption between the ASA's to encrypt the psk's. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASA's. The problem I have is that when I connect to the vip I get a cert error saying the cert doesn't match the name on the site. See below:
  "The security certificate presented by this website was issued for a different website's address."
  I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
  Does any one know what the CN of the cert should be for vpn load balancing. I thought the CN would be the vip but sometinhg is not right.
  Any help is appreciated.
  Thanks.

  Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

• CSS Load Balancing with Cookies

  We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
  Restrictions
  ServerA is unable to accept cookies generated from ServerB.
  ServerA and ServerB are generating random cookies
  Unable to modify cookie string with a constant.
  How can we load balance based on cookies considering the above restrictions?
  We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
  The configuration we tried is written below:
  service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  active
  service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  active
  content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSIONID="
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 5
  string process-length 16
  string operation hash-xor
  protocol tcp
  vip address 172.16.32.1
  active
  Can we change the string prefix to JSESSION instead of JSESSIONID= ?
  The only place the app guys can add a constant string to match on is before the = sign.
  Is it possible for CSS to match on a constant string before = sign e.g below:
  service ServerA
  ip address 192.168.10.2
  keepalive type tcp
  keepalive port 80
  string id567=
  active
  service ServerB
  ip address 192.168.20.2
  keepalive type tcp
  keepalive port 80
  string id123=
  active
  content ABC
  url "/*"
  add service ServerA
  string prefix "JSESSION"
  advanced-balance cookies
  port 80
  add service ServerB
  string skip-length 0
  string process-length 6
  protocol tcp
  vip address 172.16.32.1
  active

  It should work.
  There is no reason for it not to work...
  This is the best method you can have on the CSS for stickyness.
  Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
  also send me the config so I can verify everything is ok.
  If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
  Gilles.

• Multihomed eBGP load balancing with 3 ISP's

  We currently peer with 2 ISPs using BGP in an active/failover configuration.  My company wants to move to a 3 ISP model where Internet traffic is split across the 3 providers so that bandwidth is equally distributed on outgoing traffic across our 2 /22 ARIN IP ranges.  This is from our 2 edge switches that have VSS.  
  Within my limited knowledge of BGP, I have determined that we could do load sharing pretty easily by adding multiple default routes and breaking up our /22's into /24 and advertising them that way.  However, I don't think this satisfies the request that downtime must be seamless, should one link drop.  
  Currently, our ISP's advertise default routes.  From the research that I've done, we could get close to load balanced links if we receive full BGP routes and community settings and definitions.  I'm nervous about this because it looks really complicated, and I don't want our AS to turn into a transit AS.  I've been told the same can be accomplished with only partial BGP routes and community settings and definitions.  
  Personally, I think we just need a WAN load balancer.  However, given the request, is there a thread out there that can explain this, or can someone discuss this requested scenario a little bit?  
  Thanks!

  Hi there
  First question would be what is the required reconvergence time for the applications using the Internet? Should an outage occur, when do they lose their state? Once you know that, you then have a target to aim for in terms of recovery
  With regards load-balancing, with BGP we are always talking inbound and outbound.
  The outbound solution is relatively simple - each ISP advertises a default route to your Internet edge router(s). Create an eBGP session from each edge router to the core, advertise the default route and redistribute into the IGP. Ensure the IGP cost to each BGP next hop is equal and you have ECMP for outbound routing.
  Inbound influence is usually via MED (not likely in this case given 3 ISPs), adjusting local-pref in the ISP via BGP EXT communities configured your end, or via AS-PATH prepending for longer prefixes from your /22. Prepending would be simplest, but your unlikely to get an exact inbound traffic split, however a relatively even distribution should be sufficient. 

• Cisco ASA Active standby failover problem

  We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,
  ASA01# show run
  ASA01# show running-config 
  : Saved
  ASA Version 8.2(5) 
  hostname ASA01
  enable password PVSASRJovmamnVkD encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.1 MPLS_Router description MPLS_Router 
  name 192.168.2.1 SCADA_Router description SCADA_Router
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
   switchport access vlan 2
  interface Ethernet0/3
  interface Ethernet0/4
   switchport access vlan 3
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
  interface Vlan2
   nameif outside
   security-level 0
   ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
  interface Vlan3
   description LAN Failover Interface
  ftp mode passive
  clock timezone AST 3
  access-list inside_access_in extended permit icmp any any 
  access-list inside_access_in extended permit ip any any 
  access-list inside_access_in extended permit ip any host MPLS_Router 
  access-list outside_access_in extended permit icmp any any 
  access-list outside_access_in extended permit ip any any 
  access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  failover
  failover lan unit primary
  failover lan interface FAILOVER Vlan3
  failover key *****
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route-map Route_Out permit 1
   match ip address inside_access_in outside_access_in
   match interface inside
  route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 inside
  http authentication-certificate inside
  http authentication-certificate outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 192.168.2.0 255.255.255.0 inside
  telnet 192.168.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username admin password eY/fQXw7Ure8Qrz7 encrypted
  prompt hostname context 
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
  : end

  I suggest removing the failover configuration on both units and then re-add them, and then test.
  Primary
  failover lan interface FAILOVER Vlan3
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  failover lan unit primary
  failover key KEY
  failover
  Secondary
  failover lan interface FAILOVER Vlan3
  failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
  failover lan unit secondary
  failover key KEY
  failover
  Please remember to select a correct answer and rate helpful posts

• Active/Standby Failover with pair of 5510s and redundant L2 links

  Hi
  I just got two ASA5510-SEC-BUN-K9 and I'm wondering is it possible to implement an Active/Standby Failover configuration (Routed mode) with two ASA5510 and redundant pair of switches from both inside and outside interfaces? In other words, I would like to have two L2 links from each ASA (in pair od ASAa) to each L2 switch (in pair of redundant L2 Switches). The configuration I would like to achive is just like one in Cisco Security Appliance Command Line Configuration Guide, page B-23, figure B-8, with only difference that I wouldn't go with multiple security contexts (I want Active/Standby failover).
  Thanks in advance
  Zoran Milenkovic

  Hello Zoran,
  Absolutely. You can have 2 ASAs configured in Active/Standby mode. For reference, here is a link which has a network connectivity diagram based on PIX, however, connectivity would still be same with ASAs-
  http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/failover.html#wp1053462
  The difference is that on ASA, you can only have LAN-Based failover, hence you'll need to use one additional interface on both ASAs for failover-link. You can connect these two failover-link interfaces directly using a cross cable.
  Apart from this, please refer to following link on how to go with configuration of Lan-based Active/Standby failover-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1064158
  Also make sure that both ASAs have required hardware/software/license based on following link-
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1047269
  Hope this helps.
  Regards,
  Vibhor.

• CF 10 Load-Balancing with Remote Instances

  I was reading an article on Clustering/LB/HA using CF8, but have not found any updates for CF10.
  Using VM VirtualBox to setup a few virtual servers, I am looking to setup a load balancing of ColdFusion 10 on 2 remote instances. The goal would be have ColdFusion Cluster Manager be able to point http request to one of the two servers based on load/availability. Not really having a hardware cluster/failover setup, just managing resources on two CF instances instead of a standalone.
  The servers are Windows Server 2008 R2 with IIS7.5 and ColdFusion 10 Enterprise on installed on 3 of these machines. Let's call them CF-LBManager, CF-Web1, and CF-Web 2. In the CF Docs, they show the Cluster Manager adding the local CF instance and "if you want" a remote instance. However, this scenario would require the main instance to be running and not fail for it to direct to the other instance.
  I am trying to set this up now with CF-LBManager as just a manager of the requests coming in. In the Enterprise Manager >> Instance Manager, the local instance is shown and I add the two remote instances with the correct Remote Port, JVM Route, etc. I also made sure the <Cluster>...</Cluster> block was added to the two remote instances (CF-Web1 and CF-Web2) \runtime\conf\server.xml file too, Jetty Services also is running. Now under the Enterprise Manager >> Cluster Manager I add the two remote instances to the cluster, not the local instance on CF-LBManager with Multicast Port and Sticky Sessions enabled. On Submit, I get a green message "You must restart all the server instances and any configured webservers for these changes to take effect.". I go ahead and reboot the servers and come back.
  I now browse to the ColdFusion page as a test on CF-Web1 and CF-Web2 to make sure CF is running properly, they do. I then browse the IP of the CF-LBManager, however it only returns the local IIS web site and not redirect to one of the two cluster members. I am not seeing any message on the coldfusion-out.log on the remote instances. Am I not setting this up correctly or not enabling the Cluster Manager to take over and pass along the requests to those in the cluster?

  Unfortunatley I don't have a lot of experience with CF10 on Windows, but if you are running CF behind IIS I think  you will need to update the Tomcat connector configuraiton to do load balancing. I'm not sure if re-running the wsconfig tool on all of the servers will do this or not, but that is what I would suggest trying first. If that doesn't work you will need to update the Tomcat connector configuraiton manually. You can find more information on load balancing with the Tomcat connector here: http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html.

• Cache and Load Balancing with Oracle APEX Listener

  Hi,
  I intend to use only HTTP access.
  How to implement a Cache and Load Balancing with the Oracle APEX Listener?
  Is it possible to do with the the standalone running APEX Listener?
  Thanks by advance for any tips/documentation/references.
  Kind Regards.

  Hi,
  I think this question is best asked in the APEX Listener forum:
  ORDS, SODA & JSON in the Database
  Kind regards
  Sandro

• Load balancing with JSP

  Anyone and everyone,
  When configuring load balancing with Weblogic clusters, does load
  balancing take effect for all services or just EJB and RMI? Or another
  way of saying the same thing, can I setup weighted load balancing for
  the JSP engines across 2 weblogic servers.
  Thanks in advance,
  Mike

  The load-balancing documentation you read describing the different algorithms only applies to RMI stubs (e.g., EJB clients). Please see http://www.weblogic.com/docs51/cluster/concepts.html#1026091 for a description of how load-balancing/clustering works with servlets/JSPs.
  The short answer is that in using servlet clustering, most people want/need/use in-memory replication for HttpSession objects. In WLS 5.1 (and before), in-memory replication requires one or more proxy servers be set-up in front of the cluster. Typically, most people use something like BigIP to load-balance
  across the proxy servers and let the weblogic plug-in for the proxy server handle the routing to the cluster. The plug-in uses round-robin until an HttpSession is established for a user, then it always tries to route to the server where the user's session is located.
  Hope this helps,
  Robert
  Brian Lin wrote:
  All,
  I have a quesiton here regarding load balancing with DNS round robin. As of Chapter Adminstration of Clustering Weblogic server, Weblogic can be configured to balance by weight. How about Weblogic handle weight based balancing after DNS round robin ip response? or just can choose one way instead of both?
  What's the big difference between choosing BigIP and software balancing (WL)?
  Brian
  "Wei Guan" <[email protected]> wrote:
  I don't think you can configure this load balancing in weblogic in current
  release. However, if you have Big-IP or LocalDireoctr, you can set up
  weighted load-balancing there. Otherwise, weblogic proxy will use DNS round
  robin to do the load-balancing between JSP engins.
  My 2 cents.
  Cheers - Wei
  Michael Yakimisky <[email protected]> wrote in message
  news:[email protected]...
  Anyone and everyone,
  When configuring load balancing with Weblogic clusters, does load
  balancing take effect for all services or just EJB and RMI? Or another
  way of saying the same thing, can I setup weighted load balancing for
  the JSP engines across 2 weblogic servers.
  Thanks in advance,
  Mike

• Load Balancing with BigIP / SSL question

  I have an oddball question. We're load balancing ColdFusion
  MX7 across 3 servers using a BigIP load balancing server. We
  decided to go the hardware approach and it has been great except
  for one small configuration issue.
  We use a mix of SSL and non SSL pages, prior to the switch
  from a single server to a load balanced setup I used to script that
  would determine if a page that was supposed to be SSL had the
  variable CGI.HTTPS turned on or off. If it was off, the page would
  redirect back to itself with the SSL turned on.
  The problem we have is that we followed BigIP's instruction
  to secure the load balancing hardware instead of the three servers
  running behind it. So what happens is that the traffic goes to the
  load balancer port 441, but then the calls from the load balancer
  to the individual servers is port 80. So even if a page is called
  as HTTPS://... the coldfusion server says that CGI.HTTPS is "off"
  since the traffic is port 80.
  This isn't much of a problem, our SSL pages are linked as
  HTTPS:// and the only problem would actually arise if someone was
  to type in the URL and call it as HTTP rather than HTTPS.
  My questions is this, does anyone know of a way that I can
  detect if the page should be HTTPS and is not without changing our
  configuration and putting SSL certificates on each individual
  server?

  Hey,
  Well the load balancing with the BigIP device is really very
  amazing. I think
  what i liked most was swapping out servers when their lease
  was up, through the
  BigIP manager I just stopped all traffic to a server, shut it
  down, plugged in
  the new one and turned traffic back on. It was really very
  easy.
  The SSL stuff still gives me a headache to think about. but
  I should mention I
  no longer work where I was, plus now I'm all .net C# but
  that's a different
  story.
  I think if I was going to do this all again I would not have
  secured the bigIP
  unit. It was nice to buy one SSL cert for all the servers I
  attached rather
  than one per server, but getting the SSL sites to work
  properly was a headache.
  We also use windows file replication where now I would go
  with like a pair of
  Dell MD1000's mirrored for storage and just have tons of ram
  and cpu on the
  front end units. Depends what you want to spend I guess. I
  think the bigIP unit
  we bought was like 20 grand, i think they are cheaper now
  though.
  Hope I helped.