ASA load balance per destination

Hello,
I have an ASA with version 8.4.4.1 connected via a switch to two routers, and I have two default routes on the ASA pointing to the two routers.
The question is: does the ASA load balance the traffic onto the two routers per destination or per packet?
As in routers, CEF load balances connections per destination by default. So what about the ASA, regardless of the hardware?
Regards,
George

No. Everything will go to the lowest-cost route. Matthew

Similar Messages

  • Load Balancing per packet not working properly

    Hi,
    I am attaching the configs for the issue. There are two E1 links from
    Karac-1 (Serial0/0/0:0 & 0:1) and Karac-2 with (Tunnel10), which were connected with Khask-1w.
    Now the issue is that load balancing per packet was not done successfully; the NMS snapshot is already attached.
    Load balancing is only configured on KarAC-1 & 2.
    What is the resolution of this problem? Traffic only uses two links, but the third link is not utilized.
    Kind regards, Salman Ahmed

    Hi Paolo!
    I have one doubt pertaining to per-packet load-sharing. In order to connect my two data-centres- A & B, Site A is having two WAN links and Site B is having two WAN links - one from ISP1 (30Mbps link) and the other from ISP2 (50Mbps link). I am doing static route load balancing using same AD values for both the ISPs. I have configured "ip load-sharing per-packet" on both the outgoing interfaces.
    The load is getting distributed equally across both the links but total bandwidth utilization across both the links is not going beyond 30Mbps. The combined bandwidth of both links is 80Mbps (50+30). However links are not getting fully utilized even though heavy load is there on the links. Can you please tell me how to make full use of both the wan links at both the ends? OR Can you tell me how I can distribute the traffic across both the links with full utilization without using per-packet load sharing. Moreover, my links can be configured statically only at both the ends.

  • ASA LOAD BALANCE

    HELLO,
    ANYONE KNOWS WHAT DEVICE TO USE TO DO ASA LOAD BALANCING?
    THANKS

    no.
    i have 2 physical asa5520. we are thinking of creating 2 contexts on each asa and configuring the ff
    asa1
    context A - active
    context B - passive
    asa2
    context A - passive
    context B - active
    thereby we will be having 2 asa's with diff ip addresses on the outside.
    we want the traffic coming in to our web servers to be load balanced between these 2 asa's
    thanks

  • ASA Load-Balancing intriguing question

    I have a setup where the inside interfaces may be in the same private subnet, but the outside interfaces are most likely in different public subnets.
    For example: inside on both ASAs: 192.168.1.1 and 192.168.1.2 /24, and the public side connected even to two different ISPs.
    My guess is that I would probably lose the possibility of failover of the master for load balancing, in case this ASA goes down, but nevertheless I would still be interested in having users connect to the same public IP, and that the master gives the FQDN of the other ASA and balances their AnyConnect entry into the network between both ASAs. Does this work this way?
    I mean, does this VPN load-balance feature talk only across the inside network, or does it need to have the same outside subnet mask? Is it a trick of the mask on the interface?
    If not, is there a way around that? Like this: if I use a bogus outside interface and tunnel it somehow to the other outside on the other ASA, will the offering of the FQDN still be on, so that the client connects to the other "real" public IP?

    you can't route based on source ip with a firewall, only with a router, possibly by PBR
    you can make two static routes, each one pointing to a different router with a different metric
    in this case it will make the topology like active/standby, which is not good in your case
    but you can use sub-interfaces on your ASA; in this case make each subinterface in a different subnet and different security level
    and let each subinterface use a different hsrp instance
    or there is another way
    IF you don't use VPN on your ASA you can achieve it by using multiple contexts
    in multiple context mode you are going to separate your firewall virtually
    so if you have two vlans in your inside network (two different subnets)
    then each subnet will use a different firewall virtually
    you are going to divide the internal interface into two subinterfaces
    and you can use one outside interface shared between the contexts or also separate it into two subinterfaces
    and allocate those interfaces to each context
    so you are going to deal with each context as a different firewall
    and you can use a different HSRP instance on each context
    but with multiple contexts you can't use VPN on the firewall
    *****use the following method*****
    THE OTHER WAY, WHICH I ALSO SUGGEST YOU TRY, IS THE Transparent Firewall
    in this case your firewall will operate in L2 mode
    so you can use the routers' HSRP IPs AS if there is no firewall in the path
    which i think is helpful in your case also
    in transparent mode the default gateway for your clients will be the hsrp IP because the firewall will not have any IPs except for management
    also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP
    and also you can control the network security through the firewall normally
    try this way and let me know
    see the following link for configuration
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    please, Rate if helpful

  • Aggressive Load Balancing Per SSI

    Hey team,
    I was looking through some docs but couldn't find out "WHEN" aggressive load balancing would be available per SSID on a WLC.  Does anyone have any feedback on this particular topic?  We have some legacy clients and we want to segregate them via WLAN and have the feature available when necessary without supplicants etc.
    Thanks in advance!
    bigjess

    Hi bigjess,
    Available as of 6.0.188.0 with 6.0.196.0 being the current maintenance release.
    See http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn6_0_188.html#wp598887
    -Matt

  • Per Packet load Balancing in Cisco Switches

    Hi Team,
    Can we enable per-packet load balancing/sharing on Cisco 3560 and 4948 switches? I can see two routes are installed in the routing table for a destination prefix, but traffic to a specific destination is not going across both links. The option I am getting in the command line is ip load-sharing per-destination but not ip load-sharing per-packet.
    Please let me know if there is any option to do per-packet load balancing.
    I have tried disabling route-cache, cef etc.. no result.
    Rgds
    Rama

    Hi Ramachandra,
    On both these platforms per-packet load balancing is not supported. It is a feature mostly seen in routers.
    The switch can use the following variables for the load-sharing hash (but per-packet is never used):
    Source ip
    Dest ip
    Source tcp port
    Dest tcp port
    So you can configure flow-based sharing based on the above parameters on both switches.
    The more random variables going into the hash equation, the more likely an even distribution across links.
    The src/dst ports in the equation give us this randomization. If the same (static) variables go into the hash, the same link is chosen.
    Follow this link for more details:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25sg/configuration/guide/cef.html#wp1150531
    cheers,
    sandeep

  • Load balancing via CHOC12/STS3

    Hi, our customer has a connection between 2 x 12012 via the 4 embedded channels of a CHOC12/STS3 module. As every subinterface has its own IP subnet, we have 4 equal paths to every destination.
    The customer wants to configure dCEF per-packet load balancing and is concerned whether he can get packet sequence problems for his VoIP applications, as may happen on 'normal' equal-cost path connections when load balancing per packet instead of per destination.
    Does anybody know if this can be a concern on the embedded channels?
    Regards Guenther

    Generally speaking, for a given source-destination pair with per-packet load balancing enabled, packets might take different paths, which could introduce reordering of packets. Thus per-packet load balancing is inappropriate for voice over IP traffic and also for certain other types of data traffic that require packets to be received in sequence. For more information please see
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca62c.html#3589. Whether the CHOC12/STS3 module has some special mechanism built in to take care of this is unknown to me. Per-packet load balancing via CEF is not supported on Engine 2 Gigabit Switch Router (GSR) line cards (LCs).
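The following Python model is an added illustration, not code from this thread or from Cisco. It models the flow-based hashing sandeep describes in the 3560/4948 reply (hash over src/dst IP, optionally with TCP ports, versus per-packet round robin) and the reordering concern raised in the CHOC12/STS3 reply above. The SHA-256 hash, the two-link count and the sample traffic are assumptions standing in for the platform's real hash, which the page does not specify.

```python
"""Model of CEF-style path selection across equal-cost links.

Added illustration, not the thread's or Cisco's code: the hash (SHA-256 over
the selected header fields) is an arbitrary stand-in for a platform's real
load-sharing hash, and all traffic below is constructed.
"""
import hashlib
from collections import Counter, defaultdict

# Header fields fed into the hash for each flow-based mode.
FLOW_FIELDS = {
    "src-dst": ("src", "dst"),                        # per-destination: IPs only
    "src-dst-port": ("src", "dst", "sport", "dport"),  # flow hash including L4 ports
}


def hash_pick(pkt, n_links, fields):
    """Pick a link index from a hash over the chosen header fields.

    Identical field values always yield the same index, so a flow is pinned
    to one link and its packets stay in order.
    """
    key = "|".join(str(pkt[f]) for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def distribute(packets, n_links, mode):
    """Assign every packet to a link.

    mode is "per-packet" (round robin, no hashing) or a key of FLOW_FIELDS.
    Returns (packets_per_link, links_seen_per_flow).
    """
    per_link = Counter()
    per_flow = defaultdict(set)
    rr = 0
    for pkt in packets:
        flow = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        if mode == "per-packet":
            link = rr % n_links
            rr += 1
        else:
            link = hash_pick(pkt, n_links, FLOW_FIELDS[mode])
        per_link[link] += 1
        per_flow[flow].add(link)
    return dict(per_link), {f: sorted(s) for f, s in per_flow.items()}


def sample_traffic(n_flows=8, pkts_per_flow=10):
    """Constructed sample: many TCP sessions from one host to one server
    (the 'single destination' case from the switch question), differing
    only in source port."""
    packets = []
    for i in range(n_flows):
        for _ in range(pkts_per_flow):
            packets.append({"src": "10.1.1.10", "dst": "10.2.2.20",
                            "sport": 40000 + i, "dport": 443})
    return packets


def flows_reordered(per_flow):
    """Flows whose packets were spread over more than one link: candidates
    for out-of-order delivery, which is why per-packet mode is unsuitable
    for VoIP and other sequence-sensitive traffic."""
    return [f for f, links in per_flow.items() if len(links) > 1]


if __name__ == "__main__":
    pkts = sample_traffic()
    for mode in ("src-dst", "src-dst-port", "per-packet"):
        per_link, per_flow = distribute(pkts, 2, mode)
        print(f"{mode:13s} packets/link={per_link} "
              f"flows spanning >1 link={len(flows_reordered(per_flow))}")
```

With src/dst-only hashing every session to the one server lands on a single link (the symptom in the switch question); adding the ports spreads sessions across links while keeping each session on one link; per-packet round robin uses both links evenly but every flow spans both.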

  • Shared public IP with same tcp port (round robin/load balance)

    Hi all,
    I want to know if I can do that with my ASA5515-X. I have two servers that can do the same thing; they are SSO servers. What I want to do is to publish the 2 servers on the Internet with the same public IP address and on TCP 443.
    Is it supported? Will it work like load balancing per session?
    Or do I need to add an HLB between the ASA and my SSO servers?
    Thanks

    Hi Yann,
    You can configure the ASA to allow traffic to your SSO server from outside on two public IPs. Users can hit either of the IPs to reach the inside server. Now, load balancing would be achieved based on the source devices sending requests to the public IPs. If source machines on the internet use one public IP more to access the server, the ASA can't do anything to load balance in such a scenario. Here is how you can accomplish this:
    Assuming SSO server on inside is 192.168.16.110 and two public IP's are 192.168.17.110 and 192.168.17.111
    object network SSO_1
    host 192.168.17.110
    object network SSO_2
    host 192.168.17.111
    object network SSO
    host 192.168.16.110
    object service https
    service tcp source eq https
    nat (inside,outside) source static SSO SSO_1 service https https
    nat (inside,outside) source static SSO SSO_2 service https https
    Hostname(config)# sh xl
    2 in use, 6 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.110 443-443
        flags sr idle 0:00:06 timeout 0:00:00
    TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.111 443-443
        flags sr idle 0:00:08 timeout 0:00:00
    Verification:
    Hostname(config)#    packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.110 443
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static SSO SSO_1 service https https
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.17.110/443 to 192.168.16.110/443
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside in interface outside
    access-list outside extended permit ip any any
    Additional Information:
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static SSO SSO_1 service https https
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 3670, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Hostname(config)#    packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.111 443
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static SSO SSO_2 service https https
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.17.111/443 to 192.168.16.110/443
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside in interface outside
    access-list outside extended permit ip any any
    Additional Information:
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static SSO SSO_1 service https https
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 3671, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    Sourav

  • Email notifications and load balancing

    We are load balancing 2 OMS's. The problem is email notifications have embedded links that have the OMS that sent the notification instead of the virtual hostname set up for the load balancer. The OMS's have been set up to use the load balancer per the OEM Advanced Configuration, and from an agent/Web console perspective everything is working fine and using the load-balanced hostname. Does anyone know where to modify the email notifications so the links point to the load-balanced URL rather than the individual OMS host that sent the notification?

    Thanks, but I was actually asking about the links that OEM has in the email content sent out as part of a notification. (So you can click the link in the notification and it takes you to the appropriate spot in the Grid console). I've since heard from Oracle support that modifying these embedded links to use the load balanced hostname (rather than the individual OMS hostname) is not possible and is something they say they're working on for 11g.

  • Cisco 886VA - Multiple PPPoE Line Load Balancing

    Dear Cisco Community,
    due to the need for increased bandwidth a customer ordered three ADSL 6000/576Kbit lines from the same ISP. Dial-in is done with PPPoE and the IP is not static.
    - Is it possible to load balance between the three ISP lines with this router, as the Cisco 886VA-K9 (Advanced IP Services) doesn't support PFR/OER? I want to load balance per session, meaning each TCP session takes the same path, the next TCP session takes the second path, the next TCP session takes the third path, then the first path again and so on.
    - I did read the tutorials available, but they don't discuss how the lines are used in round-robin fashion, just how to distribute different traffic on different lines. (https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla?page=1) or (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/100658-ios-nat-load-balancing-2isp.html)
    - How would you solve this challenge?
    Relevant config so far:
    vlan 1
     name #LAN#
    vlan 2
     name #WAN-Uplink1#
    vlan 3
     name #WAN-Uplink2#
    interface FastEthernet0
     description #LAN#
     switchport access vlan 1
    interface FastEthernet2
     description #WAN-Uplink1#
     switchport access vlan 2
     no ip address
     pppoe enable
     pppoe-client dial-pool-number 20
    interface FastEthernet3
     description #WAN-Uplink2#
     switchport access vlan 3
     no ip address
     pppoe enable
     pppoe-client dial-pool-number 30
    interface ATM0
     description #WAN-Uplink3#
     no ip address
     logging event atm pvc state
     logging event atm pvc autoppp
     logging event subif-link-status
     no atm ilmi-keepalive
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     dsl enable-training-log delay 0
     dsl bitswap both
    interface ATM0.1 point-to-point
     bandwidth 550
     bandwidth receive 6000
     pvc pvc 1/32
      pppoe enable
      pppoe-client dial-pool-number 10
      vbr-nrt 500 500 1
      service-policy out WAN-Control1-Parent
    interface Vlan1
     description #LAN#
     ip address 172.16.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Dialer1
     description #WAN-Dialer1#
     bandwidth 550
     bandwidth receive 6000
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 20
     dialer idle-timeout 0
     ppp authentication chap pap callin
     ppp chap hostname XXX
     ppp chap password XXX
     ppp pap sent-username XXX
     ppp ipcp dns request accept
     ppp ipcp route default
     ppp ipcp address accept
     no cdp enable
     service-policy output WAN-Control2-Parent
    interface Dialer2
     description #WAN-Dialer2#
     bandwidth 550
     bandwidth receive 6000
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 30
     dialer idle-timeout 0
     ppp authentication chap pap callin
     ppp chap hostname XXX
     ppp chap password XXX
     ppp pap sent-username XXXX
     ppp ipcp dns request accept
     ppp ipcp route default
     ppp ipcp address accept
     no cdp enable
     service-policy output WAN-Control3-Parent
    interface Dialer3
     description #WAN-Dialer3-ATM#
     bandwidth 550
     bandwidth receive 6000
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 10
     dialer idle-timeout 0
     ppp authentication chap pap callin
     ppp chap hostname XXX
     ppp chap password 7 XXX
     ppp pap sent-username xxx
     ppp ipcp dns request accept
     ppp ipcp route default
     ppp ipcp address accept
     no cdp enable
    ip nat inside source route-map ISP1 interface Dialer1 overload
    ip nat inside source route-map ISP2 interface Dialer2 overload
    ip nat inside source route-map ISP3 interface Dialer3 overload
    route-map ISP1 permit 10
     match ip address 100
     match interface Dialer1
    route-map ISP2 permit 10
     match ip address 100
     match interface Dialer2
    route-map ISP3 permit 10
     match ip address 100
     match interface Dialer3
    access-list 100 remark #NAT-LIST#
    access-list 100 permit ip 172.16.1.0 0.0.0.255 any
    Thank you for helping.

    Hey there,
    I managed to fulfill my requirement.
    If it's a cluster on the same machine or across machines, this should work:
    1. Login to machine, cd $DOMAIN_HOME
    2. mkdir -p Apex_lsn_config/AdminServer Apex_lsn_config/<MS1> Apex_lsn_config/<MS2> # MS1 and MS2 are the Managed Server names as appropriate
    #If you are planning for cluster spawning MS's across machines, make sure you create the dir's on step 2 for each machine respectively. (in my case $DOMAIN_HOME is not shared)
    3. Copy apex-config.xml from the /tmp/apex or whatever location you have it currently to Apex_lsn_config/<MS1> Apex_lsn_config/<MS2>
    4. cd $DOMAIN_HOME/bin; cp -p SetDomainEnv.sh SetDomainEnv.sh.orig #Backup the file
    5. Append -Djava.io.tmpdir in SetDomainEnv.sh as below for JAVA_OPTIONS # Do it on both machine if you are not sharing DOMAIN_HOME and planning cluster across machines
    -Djava.io.tmpdir=$DOMAIN_HOME/APEX_CONFIG/${SERVER_NAME}
    Hint: Search for "iterativeDev" and append the same line with -Djava.io.tmpdir
    6. Modify "java.io.tmpdir" from the web.xml file of apex.war as below and re-deploy the war
    <context-param>
         <param-name>config.dir</param-name>
         <param-value>${java.io.tmpdir}</param-value>
    </context-param>
    7. Bounce the WebLogic Admin and Managed Servers. Make sure to tail the Managed Server log to see that apex-config.xml is picked up from the new location.
    8. Brew a Coffee for yourself :)
    - You find the instructions on creating a cluster from weblogic documentation, the steps mentioned above are only to overcome the bdb locking issue whilst creating a cluster.
    Did it help?
    Edited by: Oratime on Mar 25, 2013 2:44 AM

  • Dev6 Server Load Balancing

    Hi
    I try to install Load Balancing with Dev6/Patch2 and OAS4.0.7.1
    on 4 Machines with WinNT Server 4 SP 5. I tried to do it as
    described in the documentation. But I did not succeed. It seems
    to be that the Doc is not complete or wrong. Could somebody give
    an example how to set up the LB Servers and Clients as NT
    Services ?
    Thanks in advance
    Charly

    Hi Steven,
    No LACP and SLB are different.
    LACP is the Link Aggregation Control Protocol, which is the protocol used within the IEEE 802.3ad (now 802.1AX) Link Aggregation mechanism to control the bundling and unbundling of the physical links into an aggregate link.
    Server Load Balancing is a feature in IOS to load balance traffic destined to a virtual IP across a group of real IP. From Configuring Server Load Balancing:
    The SLB feature is a Cisco IOS-based solution that provides IP server load balancing. Using the IOS SLB feature, the network administrator defines a virtual server that represents a group of real servers in a cluster of network servers known as a server farm.
    Server Load Balancing is effectively what the Cisco Application Control Engine (ACE) etc., does but in IOS.
    Regards

  • 2 load balancing process in one router ?

    Dear,
    Please, I have a case and I want your help with this case.
    Our enterprise company has 7 modems (adsl+sdsl).
    We want to reach internet access continuity, so we will do load balancing between these modems with a router supporting a load balance feature.
    When I searched for this router I found the multi-WAN router Cisco RV 016
    that supports up to 7 modems load balanced together,
    but in reality I want to load balance between the first 3 modems to act as one modem for some users
    and load balance between the other 4 modems to act as one modem for other users
    (I mean I want one router to act as 2 routers independent of each other, each one doing its own load balancing process).
    So I want a router supporting a minimum of 2 load balancing processes.
    If the Cisco RV 016 supports this feature please tell me how?
    And if not, please give me examples of other Cisco routers that support this feature.
    I appreciate your reply.
    Thanks in advance

    Hi,
    you can load-balance per IP prefix with PBR (not available on RV016 I think) but I'm not sure you can use multiple interfaces for a particular prefix with this method. I'll try to lab it up this evening and let you know.
    Regards.
    Alain

  • Load Balancing using Virtual IP on DMZ interface of 5520 ASA

    We want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.
    The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3
    These IPs are going to be NATted to all inside IPs.
    Let's say our outside IP is X.X.X.X
    This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary.
    When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.
    I need configuration assistance with that.

    Hi Pratik,
    The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.
    -Mike

  • VPN load balancing and ASA !!!

    Hi netpros,
    I have a couple of questions about this and hope you might be able to assist me.
    1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
    2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only .. ? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
    3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
    Your comments are much appreciated

    Hi Gilbert ..
    1.- Thanks I wanted to make sure.
    2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
    ASA1: Public 20.20.20.20
    Private 192.168.1.1
    ASA2: Public 20.20.20.21
    Private 192.168.1.2
    Cluster virtual IP: 20.20.20.10
    Default gateway for segment 192.168.1.0 is 192.168.1.1
    Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2?
    3.- Any idea about this one ..?
    Cheers,

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beaten to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike
