CSS11000 Load Balance over two VPN connections?

Is it possible to have a CSS11000 in a local site perform load balancing and fail over to two different destinations on the internet that require a VPN connection. The VPN will be a router to router VPN using 7206s.
Bruce
mailto:[email protected]

Hello Bruce !
CSS is designed to handle TCP- and UDP based traffic, not IPSec. When handling IPSec traffic Content Switching Module (CSM) inside Catalyst 6500 series is recommended for that purpose.
More info:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/csm/index.htm
- Tomi

Similar Messages

  • Load balancing over two separate outside routers and two separate WAN Links

    Hi everybody,
    I have one 2851 setup with two separate ISP links and have it configured for failover with BGP.  It works great but doesn't load balance.
    Well now I have to new routers (3925's) to replace the single 2851 and I want to configure them to load balance over separate WAN links.
    Can someone help figure out the best approach to make this happen?  I would really appreciate it.
    Thank you,
    Thomas Reiling

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    The "best approach", IMO, would be to use PfR (if your routers support it).

  • Two active active ISPs with load balancing, publishing and VPN connection

    Hi,
    I wonder how to enable a scenario where i have to use  two ISP's to share 30/70 load on our internet traffic, have to configure almost 60 internal websites already published using microsoft TMG firewall and connect client VPN connections and site-to-site vpn connections. I know that ASA firewall has limitation when using security contexts. Is good idea that how to achieve this gool?
    I previously tried connecting four sites running ASA devices with this fifth site running Microsoft TMG firewall but i was able to connect only two ASA firewalls using site-to-site VPN, though I was able to connect remaining two as well but last two were not able to access ASA-TMG resources. furthermore behavious of two ASA-TMG connected sites was strange: sometime i was not able to access cross site resources from one machine but was able to do so from another machine.
    I noticed that two of ASA sites connected with TMG site has different internal IP class (e.g site one 192.168.0.* and site two using 172.16.*.*) while remaining two have same class like the first site e.g 192.168.128.* and 192.168.100.*
    Did anyone has experiance connecting TMG-ASA with multiple sites within same IP class scenario?
    OR
    How to enable same features using Cisco devices as they are on a single Microsoft TMG?
    Best,
    Saulat (Contact# 0092-321-4025587)

    Sulat,
    You can load balance between the two ISPs. That is not possible. But, we do have some options that I have discussed here:
    Hope the above link gives you some ideas to utilize both your ISP links.
    -Kureli

  • Load balancing over multiple E3s

    Hi all,
    For the same VP , can I make load balancing over multiple E3s connected bet the BPX 8600 and MGX 8850.
    Asking the question in another way:
    Is there a possibility for load balancing over multiple LSPs (multiple E3 interfaces) in Cell-Mode MPLS...and if possible,plz provide me with any good links for configuration.

    Following link might be useful to you
    http://www.cisco.com/univercd/cc/td/doc/product/wanbu/bpx8600/9_2/ref92/bpxrtag.htm

  • ACE30 load balancing across two slightly different rservers

    Hi,
    is there a possibility to get a load balancing across two rservers so:
    when client sends http://vip/ and it goes to rserver1 then url is sent without change
    when client sends http://vip/ and it goes to rserver2 then url is modified to http://vip/xyz/
    Or maybe load balancing can be done across two serverfarms ?
    thanks

    Ryszard,
    I hope you are doing great.
    I do not think that´s possible since the ACE just load balance the traffic to the servers and once the load balance decision has been taken it will pass the "ball" to the chosen server.
    Think about this, let´s say user A needs to go to Server1 but guess what? based on the load balance decision it was sent to Server2 which unfortunately does not have what the customer was looking for. OK, fine, user A close the connection and tries again but now the Server1 is down then the only available is Server2 then the ACE sends it to Server2 again then user A just decides to leave, you see how bad that can be.
    A better approach would be to have either 2 VIPs ( different IP addresses) or 2 with the same IP address but hearing on another port, perhaps, one port per server.
    Hope this helps!
    Jorge

  • Load Balancing on 3020 VPN concentrator

    I am trying to configure load balancing on two 3020 concentrators. When I configured it, I keep getting the following messages
    LBSSF received GRAT-ARP from duplicate master[0003a08ab42b]
    6167 12/04/2007 16:15:15.240 SEV=3 LBSSF/85 RPT=527
    LBSSF detected duplicate master[0003a08ab42b] and staying MASTER
    6168 12/04/2007 16:15:18.450 SEV=4 LBSSF/49 RPT=529
    LBSSF process dead peer[x.x.x.x (IP address of the secondary box)]
    Does anyone know what is causing this?

    Probably you have IP address conflict on net.

  • Load balancing error 88: Cannot connect to message server (rc=9)

    Hi,
    We are facing a problem in the system object.
    initially we created a system object with loadbalancing template ,and everything worked fine, but after couple of months we found a error "Load balancing error 88: Cannot connect to message server (rc=9)", so we have created a Dedicated application server object which resolved our issue.
    My question is why has this problem occured, and since my client side has lot number of users and we wish to keep the system back to load balancing object.
    How can i make my system object work back, what might be the causes?
    Thanks
    Srivastsa Kondapally

    Load balancing only works if the message server is available and the logon group specified exists as well.  If one of those changes, then it will break until you get the values set correctly.

  • Load balancing between two interfaces on 2811

    Hi,
    We have a 2811 router with VPN and NAT configured. We have two internet connection from different ISPs. The speed of our original connection is 2MB up and down. The speed of our new connection is 1MB up and down. We want to configure load balancing between the two connections. Our new ISP has provided us with a CISCO 837 router. We want to connect that router into our 2811 on one of the free WIC card and then configure load balancing between the two interfaces on our 2811. The third interface has a local address configured. Please suggest where to start. I tried searching on net for any configuration example but I was unable to find any particular example with commands. I am new on CISCO platform. Any help will be hugely appreciated. Thanks in advance.

    Raju,
    you have two choices as far as I can see. If you want to use static routing over the WAN to your branch, you could duplicate your static routes to the branch and point them to the secondary router. You will have two identical sets of static routes in the primary router, one set pointing to the WAN interface and the other one pointing to the secondary router.
    ip route x.x.x.x "WAN-interface"
    ip route x.x.x.x "secondary router"
    ip route y.y.y.y "WAN-interface"
    ip route y.y.y.y "secondary router"
    etc.
    As a result the primary router will have two routes to the branch and will load-balance. If one next-hop fails (either the WAN interface or the secondary router), only the other will be used. If the next-hop comes back up, load-balancing will resume.
    The other choice would be to use EIGRP over the WAN, and make sure the two routers become EIGRP neighbors. Then you can use the "variance" command to achieve unequal cost load-balancing between the two routers. Let me know if you need more information about this, but i think static routes will be sufficient in your situation.
    HTH, Thomas

  • Load balancing between two routers

    I have two routers connected through the LAN connection. The first one is using as routing protocol EIGRP, the other one is part of the managed service and I do not have access to it. I would like to make a load balancing between the two of them by redistributing the static routes in EIGRP. When I tried this, I am loosing the EIGRP entry for this route in the routing table. I would like to have both of them , so we could have traffic sharing. I appreciate if you give me any hints.

    Raju,
    you have two choices as far as I can see. If you want to use static routing over the WAN to your branch, you could duplicate your static routes to the branch and point them to the secondary router. You will have two identical sets of static routes in the primary router, one set pointing to the WAN interface and the other one pointing to the secondary router.
    ip route x.x.x.x "WAN-interface"
    ip route x.x.x.x "secondary router"
    ip route y.y.y.y "WAN-interface"
    ip route y.y.y.y "secondary router"
    etc.
    As a result the primary router will have two routes to the branch and will load-balance. If one next-hop fails (either the WAN interface or the secondary router), only the other will be used. If the next-hop comes back up, load-balancing will resume.
    The other choice would be to use EIGRP over the WAN, and make sure the two routers become EIGRP neighbors. Then you can use the "variance" command to achieve unequal cost load-balancing between the two routers. Let me know if you need more information about this, but i think static routes will be sufficient in your situation.
    HTH, Thomas

  • SUNW.gds for jboss + Load Balancing Group = Failed to connect to host ...

    Hi all!
    In a simple two node cluster (Solaris cluster 3.2) with quorum server I've created a resource for jboss 5.1.0 using SUNW.gds. It is supposed to be load-balanced. To achieve that I've followed instructions from [http://download.oracle.com/docs/cd/E18728_01/html/821-1258/gds-25.html]
    The command I've used to create the resource was:
    clresource create -g scalable-rg -t SUNW.gds -p resource_dependencies=vip -p Scalable=TRUE -p Start_timeout=400 -p Stop_timeout=400 -p Probe_timeout=30 -p Port_list=8080/tcp -p Start_command="/opt/jboss-5.1.0.GA/bin/run.sh -b 0.0.0.0" -p Child_mon_level=0 -p Failover_enabled=TRUE -p Stop_signal=15 -p Load_balancing_policy=LB_STICKY_WILD jboss-rs
    The whole configuration seems to work, but when the second node joins cluster, resource with jboss can't bind to shared ip address. There are many entries in /var/adm/messages like:
    Jan 19 13:46:35 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 141062 daemon.error] Failed to connect to host vip and port 8080: Connection refused.
    Jan 19 13:46:35 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 805735 daemon.error] Failed to connect to the host <vip> and port <8080>.
    Jan 19 13:46:37 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 141062 daemon.error] Failed to connect to host vip and port 8080: Connection refused.
    Jan 19 13:46:37 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 805735 daemon.error] Failed to connect to the host <vip> and port <8080>.
    Jan 19 13:46:39 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 141062 daemon.error] Failed to connect to host vip and port 8080: Connection refused.
    Jan 19 13:46:39 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 805735 daemon.error] Failed to connect to the host <vip> and port <8080>.
    Jan 19 13:46:41 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 141062 daemon.error] Failed to connect to host vip and port 8080: Connection refused.
    Jan 19 13:46:41 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 805735 daemon.error] Failed to connect to the host <vip> and port <8080>.
    Jan 19 13:46:43 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 141062 daemon.error] Failed to connect to host vip and port 8080: Connection refused.
    Jan 19 13:46:43 play SC[,SUNW.gds:6,scalable-rg,jboss-rs,gds_svc_start]: [ID 805735 daemon.error] Failed to connect to the host <vip> and port <8080>.
    However, after some time, it finally somehow binds to shared ip and port 8080.
    Is this something I should be worried about? Or it is a normal thing, since e.g. it takes some time to bring the interface with shared ip up? I've never had to install such configuration, and I don't have neither intuiton, nor the experience. Any help would be very appreciated.
    Thanks a bunch,
    Bart

    Hi, a couple of things to check:
    - did you check that both JBOSS instances were up and running?
    - can you check in the logs (on both nodes) when a message saying something like "service .... registered..." showed up. This should show up for both JBOSS instances. From the time of the second "registered" message, the load balancer should sending incoming requests to both instances using its distribution mechanism
    - did you check the vip address on one of the nodes on an external interface and on lo0 on the other
    - connection refused looks like a server problem; can you connect to the JBOSS instance locally?
    Hth
    Hartmut

  • SA520 load balancing for multiple IPSec connections

    Hello,
    I just would like to ask whether the following is possible or what other people think might be the best way to go.
    Let me describe the current setup:
    Our company has a main office which is connected to the internet through an SA520W appliance, and two satellite offices which have other IPSec routers installed. The SA520W is currently only connected through the main WAN interface to a DSL line (DSL 16000). The tunnels are established and it all works quite well.
    However, we have experienced lags and slow connections when someone transfers a larger file from the main office to the outside (either satellite office or, say, some FTP server on the internet). This is of course due to the limited upload capacity of the DSL line. Therefore, I am thinking about getting another DSL line for use as the optional WAN port of the SA520W.
    My question is: Is it possible to establish two IPSec tunnels from a satellite office to the main office, one to the main WAN port and one to the optional WAN port of the SA520W? The two main hurdles I see with that is that a) the SA520W can only bind IPSec to one port and b) the network mask of each IPSec phase 2 needs to identify the subnet uniquely. Am I correct with the assumption that this cannot be done?
    If so, the only way I can see right now is to bind all IPsec traffic to the optional port and have at least main office <-> internet traffic separated from all IPSec traffic. Or has anyone a better solution to this?
    Thanks in advance,
    Roland

    I honestly don't recall any issues with the load balancing. I've personally never seen an issue, opened a case for one or observed a problem in my lab using multiple T1 lines...
    That's not to say there could be a problem. But as far as I know this aspect of the router is solid.
    The only thing I strongly dislike about most modern DSL deployments, the ISP like to give out "residential" or "business" gateways. These things just make life terrible since it is a router/nat device.
    -Tom
    Please rate helpful posts

  • [Project] Load Balance mutiple DSL PPPOE connections using CSR1000v in Datacenter

    Hello everyone
    I was about to begin a new project (just for fun) and wanted to get everyones input.  I live way out in the middle of nowhere where they have to pipe in sunshine and the best connection I can get is a 6mbs DSL connection. Currently I have two DSL connections in the house the end goal is to effectively bond them together.
    My plans on how to accomplish this is having a couple Cisco ISR routers (probably 2821's) connect to a CSR1000v in a Datacenter that I have a colocated server.  My thoughts were to set up a couple of GRE tunnels and use EIGRP to load balance between my house and the datacenter.  I'd use one of my public IP's in the datacenter as the exit point.
    In my head I was thinking I'd probably need to hooked up this way:
                           2821 -> DSL Modem \
    Home Router -> Switch <                 Internet -> CSR1000v
                           2821 -> DSL Modem /
    I have probably 16 or so IP's in the datacenter free so I could probably assign a /29 to my home side of the 2821's if need be.
    You all think this would be the best way to go about it?  Or is there a way to do it on the home side with a single 3825?  I went with two because I figured I'd run into trouble with different gateways.
    Thanks!
    Brandon

  • ACE module not load balancing across two servers

    We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers.  At various times the application team is seeing active connections on only one real server.  They see no connection attempts on the other server.  The ACE sees both servers as up and active within the serverfarm.  However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers.  The issue is fixed by restarting the application on the server that is not receiving any connections.  However, it reappears again.  And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
    The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers.  I'm kind of curious myself.  Does anyone have some tips on where we can look next to isolate the cause?
    We're running A2(3.3).  The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday.  The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
    Here are the show serverfarm statistics as of today:
    ACE# show serverfarm farma-8000
    serverfarm     : farma-8000, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: server#1
           x.x.x.20:8000      8      OPERATIONAL  0          186617     3839
       rserver: server#2
           x.x.x.21:8000      8      OPERATIONAL  67         83513      1754

    Are you enabling sticky feature? What kind of predictor are you using?
    If sticky feature is enabled and one rserver goes down, traffic will leans to one side.
    Even after the rserver retuns to up, traffic may continue to lean due to sticky feature.
    The behavior seems to depend on the configuration.
    So, please let me know a part of configuration?
    Regards,
    Yuji

  • Load Balance/Share two SDSL lines into one 3030

    Hi ...
    I am trying to find out if anyone knows the answer to the following.
    I have two 2800's each connected to separate SDSL lines tunnelling through to a 3030 concentrator.
    I would like both routers to load balance/load share and be on the same network. I thought of setting up GLBP but cannot get my head around how the traffic will come back from the 3030 concentrator.
    many thanks....

    I think you can use 3030 concentrator to balance/share the load on per session basis.
    Following link may help you regarding GLBP
    http://www.cisco.com/en/US/products/ps6600/products_data_sheet0900aecd803a546c.html

  • Load Balancing on two server nodes at the sender side...

    Hi Experts,
    I am sending a huge message (this message is being splitted into multiple messages depending on the load and zipped, this whole process of splitting and zipping is done by the scripts) zipped from sender side , when I am monitoring in message monitoring tool I found that all the load is on one server node and other server node is free as we have two server nodes , how to distribute the message equally between these two nodes.
    The same Load balancing is working properly at the receiver end (load is getting distributed between two server nodes). Not sure why this is not the case at the sender side.
    Please throw some light on this issue.
    Thanks a lot for your kind help in advance.

    Hi,
    Follow this blog this may helpful to you
    Handling Large files in XI
    /people/pooja.pandey/blog/2005/10/17/number-formatting-to-handle-large-numbers
    file size can be handeled in client java proxy and the message is parsed in xi. this will not have much of performance issue. but yes when the smae is handeled by xi. and yes this scenario can be efficiently handeled from java client proxy
    limit on the number of 'field-set' lines you can send to the ITS?
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/72e2bb90-0301-0010-e883-c390ad8a975a
    Processing huge file loads through XI
    Edited by: Venkataramesh Boppana on May 17, 2008 12:54 AM

Maybe you are looking for

  • Problem sending emails with Mac Mail 1.3.11

    Desperately in need of help. I'm able to receive but not send email using Mac Mail. I keep getting an error message: "This message could not be delivered and will remain in your Outbox until it can be delivered. The sender address [email protected] w

  • How do I import artwork to a streaming link in iTunes

    I bring up the file using apple-I and try to drag the jpeg file to artwork, but... on a streaming link/file, artwork is greyed out dragging the jpeg file to square in the info box doesnt work either Is it an unsupported feature?

  • Have to click multiple times to select in sync window

    I am having a problem syncing my devices (iphone 4, ipod nano 6th).  In iTunes when I go to the sync screen for either device and I click on the artists they do not get a check mark next to them.  If I click multiple times (some times as many as 6 or

  • My iphone 4 is crashing every time i try to cut a picture.

    From today my iphone 4 is crashing every time I try to cut a picture. It looks like I'm shutting it off (with that white circle rotating in the middle of the screen), but after 10-15 sec it goes back to my homescreen. What is this? I've noticed that

  • Premier Media Cache Files eating up Drive Space

    Using Premiere Pro CS 5.5, Media Cache files are eating up the Boot Drive. I keep media and render files on 2 additional internal drives. When I tried to move the Media Cache files from inside Premiere Pro, it resulted in an inability to read the dri