ASA load balance per destination
Hello,
I have an ASA with version 8.4.4.1 connected via a switch to two routers, and I have two default routes on the ASA pointing to the two routers.
The question is: does the ASA load balance the traffic onto the two routers per-destination or per-packet?
In routers, CEF load balances connections per-destination by default. So what about the ASA, regardless of the hardware?
Regards,
George
No. Everything will go to the lowest cost route.
Matthew
Similar Messages
-
Load Balancing per packet not working properly
Hi,
I am attaching the configs of the issue. There are two E1 links from
Karac-1 (Serial0/0/0:0 & 0:1) and Karac-2 with (Tunnel10), which were connected with Khask-1w.
Now the issue is that load balancing per packet was not done successfully; the NMS snapshot is already attached.
Load balancing is only configured on KarAC-1 & 2.
What is the resolution of this problem? Traffic only uses two links, but the third link was not utilized.
Kind regards,
Salman Ahmed
Hi Paolo!
I have one doubt pertaining to per-packet load-sharing. In order to connect my two data centres, A & B, Site A has two WAN links and Site B has two WAN links: one from ISP1 (30Mbps link) and the other from ISP2 (50Mbps link). I am doing static route load balancing using the same AD values for both ISPs. I have configured "ip load-sharing per-packet" on both outgoing interfaces.
The load is getting distributed equally across both links, but total bandwidth utilization across both links is not going beyond 30Mbps. The combined bandwidth of both links is 80Mbps (50+30). However, the links are not getting fully utilized even though there is heavy load on them. Can you please tell me how to make full use of both WAN links at both ends? Or can you tell me how I can distribute the traffic across both links with full utilization without using per-packet load sharing? Moreover, my links can be configured statically only at both ends. -
Hello,
Does anyone know what device to use to do ASA load balancing?
Thanks
No.
I have 2 physical ASA 5520s. We are thinking of creating 2 contexts on each ASA and configuring the following:
asa1
context A - active
context B - passive
asa2
context A - passive
context B - active
Thereby we will have 2 ASAs with different IP addresses on the outside.
We want the traffic coming in to our web servers to be load balanced between these 2 ASAs.
thanks -
ASA Load-Balancing intriguing question
I have a setup where the inside interfaces may be in the same private subnet, but the outside interfaces are most likely in different public subnets.
For example, inside on both ASAs: 192.168.1.1 and 192.168.1.2 /24, and the public side connected even to two different ISPs.
My guess is that I would probably lose the possibility of failover of the master for load balancing in case this ASA goes down, but nevertheless I would still be interested in having users connect to the same public IP, with the master giving the FQDN of the other ASA and balancing their AnyConnect entry into the network between both ASAs. Does this work this way?
I mean, does this VPN load-balance feature talk only across the inside network, or does it need to have the same outside subnet mask? Is it a trick of the mask on the interface?
If not, is there a way around that? Like this: if I use a bogus outside interface and tunnel it somehow to the other outside in the other ASA, will the offering of the FQDN still be on, so that the client connects to the other "real" public IP?
You can't route based on source IP with a firewall; it's only possible with a router, by PBR.
You can make two static routes, each one pointing to a different router with a different metric.
In this case it will make the topology like active/standby, which is not good in your case.
But you can use subinterfaces on your ASA; in this case make each subinterface in a different subnet with a different security level
and let each subinterface use a different HSRP instance.
Or there is another way:
If you don't use VPN on your ASA, you can achieve it by using multiple contexts.
In multiple-context mode you separate your firewall virtually,
so if you have two VLANs in your inside network (two different subnets),
then each subnet will use a different firewall virtually.
You divide the internal interface into two subinterfaces,
and you can use one outside interface shared between the contexts, or also separate it into two subinterfaces,
and allocate those interfaces to each context.
So you deal with each context as a different firewall,
and you can use a different HSRP instance on each context.
But with multiple contexts you can't use VPN on the firewall.
*****use the following method*****
The other way, which I also suggest you try, is the transparent firewall.
In this case your firewall will operate in L2 mode,
so you can use the routers' HSRP IPs as if there is no firewall in the path,
which I think is helpful in your case also.
In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management.
Also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,
and you can still control the network security through the firewall normally.
Try this way and let me know.
See the following link for configuration:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
Please rate if helpful -
Aggressive Load Balancing Per SSID
Hey team,
I was looking through some docs but couldn't find out "WHEN" aggressive load balancing would be available per SSID on a WLC. Does anyone have any feedback on this particular topic? We have some legacy clients and we want to segregate them via WLAN and have the feature available when necessary without supplicants etc.
Thanks in advance!
bigjess
Hi bigjess,
Available as of 6.0.188.0 with 6.0.196.0 being the current maintenance release.
See http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn6_0_188.html#wp598887
-Matt -
Per Packet load Balancing in Cisco Switches
Hi Team,
Can we enable per-packet load balancing/sharing on Cisco 3560 and 4948 switches? I can see two routes installed in the routing table for a destination prefix, but traffic to a specific destination is not going across both links. The option I am getting in the command line is ip load-sharing per-destination but not ip load-sharing per-packet.
Please let me know if there is any option to do per-packet load balancing.
I have tried disabling route-cache, CEF etc.; no result.
Rgds
Rama
Hi Ramachandra,
On both these platforms per-packet load balancing is not supported. It is a feature mostly seen in routers.
It can use the following variables for the load-sharing hash (but per-packet is never used):
Source IP
Dest IP
Source TCP port
Dest TCP port
So you can configure flow-based sharing based on the above parameters on both switches.
The more random variables go into the hash equation, the more likely an even distribution across links.
The src/dst ports in the equation give us this randomization. If the same (static) variables go into the hash, the same link is chosen.
Follow this link for more details:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configuration/guide/cef.html#wp1150531
cheers,
sandeep -
Load balancing via CHOC12/STS3
Hi, our customer has a connection between 2 x 12012 via the 4 embedded channels of a CHOC12/STS3 module. As every subinterface has its own IP subnet, we have 4 equal paths to every destination.
The customer wants to configure dCEF per-packet load balancing and is concerned whether he can get packet sequence problems for his VoIP applications, as may happen on 'normal' equal-cost path connections when load balancing per-packet instead of per-destination.
Does anybody know if this can be a concern on the embedded channels?
Regards, Guenther
Generally speaking, for a given source-destination pair with per-packet load balancing enabled, packets might take different paths, which could introduce reordering of packets. Thus per-packet load balancing is inappropriate for voice over IP traffic and also for certain other types of data traffic that require packets to be received in sequence. For more information please see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62c.html#3589. Whether the CHOC12/STS3 module has some special mechanism built in to take care of this is unknown to me. Per-packet load balancing via CEF is not supported on Engine 2 Gigabit Switch Router (GSR) line cards (LCs). -
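To make the behaviour discussed in the two replies above concrete (Sandeep's point that a hash over source/destination IPs and ports pins every packet of a flow to one link, and the reply to Guenther that per-packet distribution can reorder a flow's packets), here is an added Python simulation written for this page; it is not code from any of the posts or from Cisco. It models three distribution policies over constructed traffic: per-packet round robin, a per-destination hash over source and destination IP, and a flow hash that also includes the TCP ports. As an extension beyond the posts it also models a flow-sticky round robin, the "each new TCP session takes the next path" behaviour the 886VA poster further down asks for. The traffic, the link count and the hash function (SHA-256 standing in for the platform's own hash) are assumptions; only the property that identical inputs always select the same link matters.

```python
"""Simulation of CEF-style load-sharing policies (added example, not Cisco code).

Links are numbered 0..n_links-1. A "flow" is a TCP 5-tuple. The hash
function is an assumption: real platforms use their own, but the property
that matters is the same, identical inputs always select the same link.
"""
import hashlib
from collections import defaultdict

POLICIES = ("per-packet", "per-destination", "flow", "per-session")


def hash_to_link(fields, n_links):
    """Map the chosen header fields deterministically onto a link index.

    SHA-256 is used instead of Python's hash() so that results are stable
    across processes (hash() is randomized per interpreter run).
    """
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_links


def distribute(packets, policy, n_links):
    """Return the link index chosen for each packet under `policy`.

    per-packet:      round robin, ignores headers (even, but splits flows)
    per-destination: hash(src, dst), what CEF does by default
    flow:            hash(src, dst, sport, dport), the switch hash Sandeep lists
    per-session:     first packet of a new flow takes the next link in round
                     robin; later packets of that flow stick to it (extension)
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    chosen = []
    rr = 0
    session_link = {}
    for p in packets:
        five_tuple = (p["src"], p["dst"], p["sport"], p["dport"])
        if policy == "per-packet":
            link = rr % n_links
            rr += 1
        elif policy == "per-destination":
            link = hash_to_link((p["src"], p["dst"]), n_links)
        elif policy == "flow":
            link = hash_to_link(five_tuple, n_links)
        else:  # per-session
            if five_tuple not in session_link:
                session_link[five_tuple] = rr % n_links
                rr += 1
            link = session_link[five_tuple]
        chosen.append(link)
    return chosen


def link_counts(chosen, n_links):
    """Packets per link, index = link number."""
    return [chosen.count(i) for i in range(n_links)]


def flows_split_across_links(packets, chosen):
    """Count flows whose packets were spread over more than one link.

    Any such flow can be delivered out of order when the links' latencies
    differ, which is the VoIP concern raised in Guenther's thread.
    """
    links_per_flow = defaultdict(set)
    for p, link in zip(packets, chosen):
        links_per_flow[(p["src"], p["dst"], p["sport"], p["dport"])].add(link)
    return sum(1 for links in links_per_flow.values() if len(links) > 1)


def make_sample_traffic(n_flows=50, packets_per_flow=4):
    """Constructed traffic: one host pair, many HTTPS flows, a few packets each.

    A single src/dst pair is deliberate: it is the worst case for a
    per-destination hash (everything lands on one link) and the case where
    including the ports in the hash makes the difference.
    """
    packets = []
    for i in range(n_flows):
        for seq in range(packets_per_flow):
            packets.append({"src": "10.1.1.10", "dst": "10.2.2.20",
                            "sport": 40000 + i, "dport": 443, "seq": seq})
    return packets


def summarize(n_links=2):
    """Run every policy over the sample; policy -> (packets per link, flows split)."""
    packets = make_sample_traffic()
    result = {}
    for policy in POLICIES:
        chosen = distribute(packets, policy, n_links)
        result[policy] = (link_counts(chosen, n_links),
                          flows_split_across_links(packets, chosen))
    return result


if __name__ == "__main__":
    for policy, (counts, split) in summarize().items():
        print(f"{policy:16s} packets per link {counts}  flows split {split}")
```

With the constructed sample, per-destination puts all 200 packets on one link because every packet shares the same source/destination pair; the flow hash spreads the 50 sessions over both links and never splits a session; per-packet is perfectly even but splits every session across both links, which is exactly the reordering exposure the reply to Guenther warns about.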
Shared public IP with same tcp port (round robin/load balance)
Hi all,
I want to know if I can do this with my ASA5515-X. I have two servers that can do the same thing; they are SSO servers. What I want to do is publish the 2 servers on the Internet with the same public IP address and on TCP 443.
Is it supported? Will it work like load balancing per session?
Or do I need to add an HLB between the ASA and my SSO servers?
Thanks
Hi Yann,
You can configure the ASA to allow traffic to your SSO server from outside on two public IPs. Users can hit either IP to reach the inside server. Now, load balancing would be achieved based on the source devices sending requests to the public IPs. If source machines on the Internet use one public IP more to access the server, the ASA can't do anything to load balance in such a scenario. Here is how you can accomplish this:
Assuming the SSO server on the inside is 192.168.16.110 and the two public IPs are 192.168.17.110 and 192.168.17.111:
object network SSO_1
host 192.168.17.110
object network SSO_2
host 192.168.17.111
object network SSO
host 192.168.16.110
object service https
service tcp source eq https
nat (inside,outside) source static SSO SSO_1 service https https
nat (inside,outside) source static SSO SSO_2 service https https
Hostname(config)# sh xl
2 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.110 443-443
flags sr idle 0:00:06 timeout 0:00:00
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.111 443-443
flags sr idle 0:00:08 timeout 0:00:00
Verification:
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.110 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.110/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3670, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.111 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_2 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.111/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3671, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Sourav -
Email notifications and load balancing
We are load balancing 2 OMSs. The problem is that email notifications have embedded links that contain the OMS that sent the notification instead of the virtual hostname set up for the load balancer. The OMSs have been set up to use the load balancer per the OEM Advanced Configuration, and from an agent/Web console perspective everything is working fine and using the load-balanced hostname. Does anyone know where to modify the email notifications so the links point to the load-balanced URL rather than the individual OMS host that sent the notification?
Thanks, but I was actually asking about the links that OEM has in the email content sent out as part of a notification. (So you can click the link in the notification and it takes you to the appropriate spot in the Grid console). I've since heard from Oracle support that modifying these embedded links to use the load balanced hostname (rather than the individual OMS hostname) is not possible and is something they say they're working on for 11g.
-
Cisco 886VA - Multiple PPPoE Line Load Balancing
Dear Cisco Community,
Due to the need for increased bandwidth, a customer ordered three ADSL 6000/576Kbit lines from the same ISP. Dial-in is done with PPPoE and the IP is not static.
- Is it possible to load balance between the three ISP lines with this router, as the Cisco 886VA-K9 (Advanced IP Services) doesn't support PfR/OER? I want to load balance per session, meaning each TCP session takes the same path, the next TCP session takes the second path, the next TCP session takes the third path, then the first path again, and so on.
- I did read the tutorials available, but they don't discuss how the lines are used in round-robin fashion, just how to distribute different traffic on different lines. (https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla?page=1) or (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html)
- How would you solve this challenge?
Relevant config so far:
vlan 1
name #LAN#
vlan 2
name #WAN-Uplink1#
vlan 3
name #WAN-Uplink2#
interface FastEthernet0
description #LAN#
switchport access vlan 1
interface FastEthernet2
description #WAN-Uplink1#
switchport access vlan 2
no ip address
pppoe enable
pppoe-client dial-pool-number 20
interface FastEthernet3
description #WAN-Uplink2#
switchport access vlan 3
no ip address
pppoe enable
pppoe-client dial-pool-number 30
interface ATM0
description #WAN-Uplink3#
no ip address
logging event atm pvc state
logging event atm pvc autoppp
logging event subif-link-status
no atm ilmi-keepalive
no ip redirects
no ip unreachables
no ip proxy-arp
dsl enable-training-log delay 0
dsl bitswap both
interface ATM0.1 point-to-point
bandwidth 550
bandwidth receive 6000
pvc pvc 1/32
pppoe enable
pppoe-client dial-pool-number 10
vbr-nrt 500 500 1
service-policy out WAN-Control1-Parent
interface Vlan1
description #LAN#
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
description #WAN-Dialer1#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 20
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control2-Parent
interface Dialer2
description #WAN-Dialer2#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 30
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password XXX
ppp pap sent-username XXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
service-policy output WAN-Control3-Parent
interface Dialer3
description #WAN-Dialer3-ATM#
bandwidth 550
bandwidth receive 6000
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
dialer idle-timeout 0
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp pap sent-username xxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
ip nat inside source route-map ISP1 interface Dialer1 overload
ip nat inside source route-map ISP2 interface Dialer2 overload
ip nat inside source route-map ISP3 interface Dialer3 overload
route-map ISP1 permit 10
match ip address 100
match interface Dialer1
route-map ISP2 permit 10
match ip address 100
match interface Dialer2
route-map ISP3 permit 10
match ip address 100
match interface Dialer3
access-list 100 remark #NAT-LIST#
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
Thank you for helping.
Hey there,
I managed to fulfill my requirement.
Whether it's a cluster on the same machine or across machines, this should work:
1. Log in to the machine, cd $DOMAIN_HOME
2. mkdir -p Apex_lsn_config/AdminServer Apex_lsn_config/<MS1> Apex_lsn_config/<MS2> # MS1 and MS2 are the Managed Server names as appropriate
# If you are planning for a cluster spawning MSs across machines, make sure you create the dirs from step 2 on each machine respectively (in my case $DOMAIN_HOME is not shared).
3. Copy apex-config.xml from /tmp/apex, or whatever location you have it in currently, to Apex_lsn_config/<MS1> Apex_lsn_config/<MS2>
4. cd $DOMAIN_HOME/bin; cp -p SetDomainEnv.sh SetDomainEnv.sh.orig # Back up the file
5. Append -Djava.io.tmpdir in SetDomainEnv.sh as below for JAVA_OPTIONS # Do it on both machines if you are not sharing DOMAIN_HOME and planning a cluster across machines
-Djava.io.tmpdir=$DOMAIN_HOME/APEX_CONFIG/${SERVER_NAME}
Hint: Search for "iterativeDev" and append the same line with -Djava.io.tmpdir
6. Modify "java.io.tmpdir" in the web.xml file of apex.war as below and re-deploy the war
<context-param>
<param-name>config.dir</param-name>
<param-value>${java.io.tmpdir}</param-value>
</context-param>
7. Bounce the WebLogic Admin and Managed Servers. Make sure to tail the Managed Server log to see that apex-config.xml is picked up from the new location.
8. Brew a coffee for yourself :)
- You can find the instructions on creating a cluster in the WebLogic documentation; the steps mentioned above are only to overcome the BDB locking issue whilst creating a cluster.
Did it help?
Edited by: Oratime on Mar 25, 2013 2:44 AM -
Hi
I am trying to install Load Balancing with Dev6/Patch2 and OAS 4.0.7.1 on 4 machines with WinNT Server 4 SP5. I tried to do it as described in the documentation, but I did not succeed. It seems that the doc is not complete or is wrong. Could somebody give an example of how to set up the LB servers and clients as NT services?
Thanks in advance
Charly
Hi Steven,
No, LACP and SLB are different.
LACP is the Link Aggregation Control Protocol, which is the protocol used within the IEEE 802.3ad (now 802.1AX) Link Aggregation mechanism to control the bundling and unbundling of the physical links into an aggregate link.
Server Load Balancing is a feature in IOS to load balance traffic destined to a virtual IP across a group of real IPs. From Configuring Server Load Balancing:
The SLB feature is a Cisco IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, the network administrator defines a virtual server that represents a group of real servers in a cluster of network servers known as a server farm.
Server Load Balancing is effectively what the Cisco Application Control Engine (ACE) etc., does but in IOS.
Regards -
2 load balancing process in one router ?
Dear,
I have a case and I want your help with it.
Our enterprise company has 7 modems (ADSL + SDSL).
We want to achieve Internet access continuity, so we will do load balancing between these modems with a router that supports the load-balance feature.
When I searched for such a router I found the multi-WAN router Cisco RV016,
which supports up to 7 modems load balanced together.
But in reality I want to load balance between the first 3 modems to act as one modem for some users,
and load balance between the other 4 modems to act as one modem for other users
(I mean I want one router to act as 2 routers independent of each other, each one doing its own load balancing process).
So I want a router that supports a minimum of 2 load-balancing processes.
If the Cisco RV016 supports this feature, please tell me how.
And if not, please give me examples of other Cisco routers that support this feature.
I appreciate your reply.
Thanks in advance
Hi,
You can load-balance per IP prefix with PBR (not available on the RV016 I think), but I'm not sure you can use multiple interfaces for a particular prefix with this method. I'll try to lab it up this evening and let you know.
Regards.
Alain -
Load Balancing using Virtual IP on DMZ interface of 5520 ASA
We want to achieve a load balancing scenario using a virtual IP on the DMZ interface of a Cisco ASA 5520.
The IPs we are going to use on the DMZ are 10.15.1.2 and 10.15.1.3.
These IPs are going to be NATted to all inside IPs.
Let's say our outside IP is X.X.X.X.
This IP points to 10.15.1.2 and 10.15.1.3, with .2 being the primary and .3 being the secondary.
When I hit the outside IP, it should point me to .2, and that .2 should take me to the inside IPs.
I need configuration assistance with that.
Hi Pratik,
The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding whether traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.
-Mike -
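As an added illustration of the two NAT answers on this page (Sourav's two-public-IP static PAT in front of one SSO server, and Mike's point just above that one outside IP cannot be mapped onto two DMZ hosts), here is a small Python model written for this page. It is not ASA code and does not reproduce how the ASA orders overlapping rules; it parses `object network`, `object service` and `nat ... source static` lines of the form shown in Sourav's reply into rule objects, untranslates an inbound destination the way packet-tracer's UN-NAT phase reports it, and refuses to guess when two real hosts claim the same mapped IP:port. Both config strings are constructed: Sourav's is copied from his reply, while Pratik's uses 203.0.113.10 as a placeholder for X.X.X.X and assumes the `(dmz,outside)` interface pair and object names.

```python
"""Model of ASA static NAT/PAT untranslation (added example, not ASA code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"https": 443, "http": 80, "www": 80}   # subset of ASA keywords


@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None     # None: whole-host static NAT
    mapped_port: Optional[int] = None


def parse_asa_nat(config_text: str) -> List[StaticNat]:
    """Parse 'object network/host', 'object service/service' and
    'nat (x,y) source static REAL MAPPED [service SVC SVC]' lines."""
    hosts: Dict[str, str] = {}
    services: Dict[str, int] = {}
    rules: List[StaticNat] = []
    current: Optional[Tuple[str, str]] = None   # (object kind, object name)
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = ("network", tok[2])
        elif tok[:2] == ["object", "service"]:
            current = ("service", tok[2])
        elif tok[0] == "host" and current and current[0] == "network":
            hosts[current[1]] = tok[1]
        elif tok[0] == "service" and current and current[0] == "service":
            port = tok[-1]                       # "service tcp source eq https"
            services[current[1]] = PORT_NAMES.get(port) or int(port)
        elif tok[0] == "nat" and "static" in tok:
            i = tok.index("static")
            real, mapped = hosts[tok[i + 1]], hosts[tok[i + 2]]
            rport = mport = None
            if "service" in tok:
                j = tok.index("service")
                rport, mport = services[tok[j + 1]], services[tok[j + 2]]
            rules.append(StaticNat(real, mapped, rport, mport))
    return rules


def find_conflicts(rules: List[StaticNat]) -> List[Tuple[str, Optional[int], List[str]]]:
    """Mapped IP:port pairs claimed by more than one real host: the ambiguity
    Mike describes, where the device cannot tell which host a packet is for."""
    claims: Dict[Tuple[str, Optional[int]], set] = {}
    for r in rules:
        claims.setdefault((r.mapped_ip, r.mapped_port), set()).add(r.real_ip)
    return [(ip, port, sorted(reals)) for (ip, port), reals in claims.items() if len(reals) > 1]


def untranslate(rules: List[StaticNat], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Real IP:port for an inbound packet, like packet-tracer's UN-NAT phase.
    Refuses to guess when the rule set is ambiguous."""
    conflicts = find_conflicts(rules)
    if conflicts:
        raise ValueError(f"ambiguous NAT rules: {conflicts}")
    by_key = {(r.mapped_ip, r.mapped_port): r for r in rules}
    rule = by_key.get((dst_ip, dst_port))        # static PAT on this port
    if rule is not None:
        return (rule.real_ip, rule.real_port)
    rule = by_key.get((dst_ip, None))            # whole-host static NAT
    return (rule.real_ip, dst_port) if rule is not None else None


# Constructed copy of the config in Sourav's reply.
SOURAV_CONFIG = """
object network SSO_1
 host 192.168.17.110
object network SSO_2
 host 192.168.17.111
object network SSO
 host 192.168.16.110
object service https
 service tcp source eq https
nat (inside,outside) source static SSO SSO_1 service https https
nat (inside,outside) source static SSO SSO_2 service https https
"""

# Constructed from Pratik's request: 203.0.113.10 stands in for X.X.X.X,
# object and interface names are assumed.
PRATIK_CONFIG = """
object network DMZ_A
 host 10.15.1.2
object network DMZ_B
 host 10.15.1.3
object network OUTSIDE_VIP
 host 203.0.113.10
nat (dmz,outside) source static DMZ_A OUTSIDE_VIP
nat (dmz,outside) source static DMZ_B OUTSIDE_VIP
"""

if __name__ == "__main__":
    rules = parse_asa_nat(SOURAV_CONFIG)
    for ip in ("192.168.17.110", "192.168.17.111"):
        print(f"{ip}:443 ->", untranslate(rules, ip, 443))
    print("Pratik's design conflicts:", find_conflicts(parse_asa_nat(PRATIK_CONFIG)))
```

Sourav's two rules are unambiguous because each mapped IP:port resolves to exactly one real host (the same host twice is fine); Pratik's two rules both claim 203.0.113.10 for the whole host, which is the one-to-many mapping Mike says the ASA cannot resolve, and the model reports it instead of picking a host.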
VPN load balancing and ASA !!!
Hi netpros,
I have a couple of questions about this and hope you might be able to assist me.
1.- Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?
2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? The cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
3.- VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client etc.) and does not work with static LAN-to-LAN tunnels, correct?
Your comments are much appreciated
Hi Gilbert,
1.- Thanks, I wanted to make sure.
2.- I know that; my question is in regard to the return packets. For example, if I have the below IP schema:
ASA1: Public 20.20.20.20
Private 192.168.1.1
ASA2: Public 20.20.20.21
Private 192.168.1.2
Cluster virtual IP: 20.20.20.10
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2, 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question: how does the cluster handle this, because the return packets are supposed to be directed to ASA2, 192.168.1.2?
3.- Any idea about this one?
Cheers, -
This topic has been beaten to death, but I did not see a real answer. Here is the configuration:
1) 2 x ASA 5520, running 8.2
2) Both ASAs are in the same outside and inside interface broadcast domains; common Ethernet on interfaces
3) Both ASAs are running a single context but are active/standby failovers of each other. There are no more ASAs in the equation, just these 2. NOTE: this is not an Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use the VPN load balancing feature?
This sounds trivial, but I cannot find a clear answer (without testing this), and many people are confusing the issue. Here are some examples of the confusion. These do not apply to my scenario.
Active/Active failover is understood to mean only two ASAs running multiple contexts. Context 1 is active on ASA1, context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices which do not share failover communication but do VPN load balancing. It is clear that this latter scenario will work and that both ASAs are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs "active/active", but it is not.
The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an IP address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server and then do some kind of routing. Perhaps this will work?
In any case, any experts out there that can answer the question? TIA!
Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of VPN load-balanced pairs... my goal was to get active-standby failover up and running in each pair; then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
Thanks much,
Mike