Load Balancing behind firewall

Hi,
Can load balancing be done behind a firewall with CSS. For e.g. CSS (on the outside of the firewall) load balances on the servers connected to the DMZ of the firewall.
If so, should there be any performance issues. And what if the firewall had IPS functionality as well.
Regards.

It can be done. You need to make sure
1. Holes are punched in the Firewall form probe traffic (CSS -> Servers)
2. Return traffic from the servers should not Bypass the CSS. (Firewall should handover the responses from servers back to CSS). You can use source nat on CSS for this purpose.
Thanks
Syed Iftekhar Ahmed

Similar Messages

Question on how does load balancing work on Firewall Services Module (FWSM)

Hi everyone,
I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
Please see a lower simple figure.
outside inside
--- L3 SW --+
|
MHSRP +--- FWSM ----
|
--- L3 SW --+
I am going to configure the following default routes on FWSM point to each MHSRP VIP (192.168.13.29 and 192.168.13.30) for load balancing.
route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1　　　　　　
However I don't know how load balancing work on FWSM.
On FWSM, load balancing work based on
Per-Destination ?
Per-Source ?
Per-Packet ?
or
Other criteria ?
Your information would be greatly appreciated.
Best Regards,

Configuring "tunnel default gateway' on the concentrator allowed traffic to flow as desired through the FWSM.
FWSM is not capable of performing policy based routing, the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.

ISE 1.2 and load balancing...

I'm looking into configuring load balancing behind F5's. I know this can be done and have read the documentation on what is required. I still have a couple of questions about it:
1. When you load balance the RADIUS traffic do you have to create separate VIP's for the auth and accounting ports (1812 & 1813)?
2. Are there good configuration examples out there for VIP Configs and setting up the VIP's to run in routed mode?
3. Are there any caveats or lessons learned that other people have experienced besides what is documented?
Thanks.

jgroup is how db sync/ replication work in 1.2, which replace the queuing mechnism in 1.1.
but this should not be related to PSN LB? do you mean you want to lb requests between several PSNs?
using F5 or ACE can help, also 1.2 support wildcard certificate will help address the cert warning problem.
Sent from Cisco Technical Support iPad App

CSS11501 load-balancing IPv6 services

Hi,
I'm new to content networking and load-balancing.
I am setting up a new nameserver network site and have the following equipment:
- Cisco 2811
- Cicso CSS11501
- Cisco Catalyst 2960
This site will have 2 nameservers which I want to load-balance behind the CSS11501. The network will be setup like this:
Internet
|
Cisco 2811
|
CSS11501
|
Cisco 2960
|
Nameservers 1 & 2
The CSS11501 will be in routed mode and will have a publicly addressed VIP (eg, 203.x.x.x) for the DNS service and the name servers will be privately addressed (eg, 10.x.x.10 & 10.x.x.11). I'm hoping this will work fine and serve the requested IPv4 DNS requests.
I would like the nameservers to also operate on IPv6 and serve out IPv6 DNS requests but am not sure the CSS11501 can perform IPv6 service load-balancing.
My question is, does the CSS11501 support IPv6, load-balancing IPv6 service requests?
Thanks in advance.
Richard.

Gilles,
Thanks for the reply.
On another site I was looking at rolling out a Catalyst 6500 CSM module to do the exact same thing as the site I have the CSS11501's at, but it too does not support IPv6 from all I could find. Does the ACE provide all the functionality of the CSM plus IPv6?
Thanks.
Richard.

Using CSM to load-balance two sites

Hi there,
I currently use CSS11500's at two of my sites and I'm able to use source-groups to achieve site load-balancing behind a single VIP. So basically I have a VIP that has servers in both the local site and remote site. Is something like this possible with the CSM? I suppose there's the nat server or nat client commands, but I'd like to be able to maintain original client IP address if possible, or at least maintain the original client IP for connections that stay local to the site.
Thanks,
Brandon

Hello Brandon-
It is not directly possible to pick and choose what servers are natted on the CSM like the CSS and ACE can do.
In the CSM, you configure nat under the serverfarm specifically.
Ex.
serverfarm Client_Nat_Example
nat server
nat client REMOTENAT
real 10.10.10.1
inservice
natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
If you were to devide up the traffic prior to hitting a serverfarm (maybe use a policy that matches specific subnets for your clients), then you could nat to only certain servers.
Ex.
access-list 2 permit 5.5.0.0 0.0.255.255
serverfarm Client-Nat-Example
nat server
nat client REMOTENAT
real 10.10.10.1
inservice
serverfarm No_Nat
nat server
no nat client
real 20.20.20.1
inservice
natpool REMOTENAT 172.16.35.5 172.16.35.5 netmask 255.255.255.0
policy client_remote
serverfarm Client_Nat_Example
client-group 2
vserver HTTP
virtual 172.16.35.7 tcp www
slb-policy client_remote
serverfarm No_Nat
persistent rebalance
inservice
With this config, the CSM checks global access list 2, anything that matches a source of 5.5.x.x subnet would go to the serverfarm with the remote servers. Anything that does not match 5.5.x.x would use the default serverfarm under the vip (No_Nat serverfarm). This is not optimal, but there is no parity between CSM and CSS when it comes to per-server NAT.

Firewall Load Balance using bridged mode ACE

Dear Folks,
I 'd like to load balance 2 ASA using 3 ACE [ Inside,outside,dmz network zone]
I 've seen sample configuration, all of them are running the ACE in the route mode, and asa are running in route mode
Would it be possible to run the ACE in the bridge Mode, because the ip subneted problem, We don't have enough to split,,
by the way if possible,All server that install behind ACE, what is default gateway should Server Point to [ in our case we have 2 independent firewall ] should I create the VIP for both firewall ? or should I just simply set the server's gateway to BVI interface, ?
Please Help Thanks

Thank you very much Gilles,
You 're the man. ;-)
Another question in my case I try to load balance 3 interface firewall [inside,outside,dmz] in order to make the packet return the same firewall it has passed earlier,
What kind of hashing technique do I need to use and Do i need to use mac sticky command ???
I tried to find some configuration sample from cisco website , but i only found with only 2 interface with ACE running source hash and destination hash in each ends,
Thank you very much

Cisco ACE - Firewall load balancing

I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffci going from the internal users to the internet and vice versa.
The problem is that when I try to manage the load-balanced firewalls (either using SSH (or) HTTPS) from outside, then that connection also gets load balanced and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where i am using a virtual address per firewall to connect to the real IP address of the firewall.
Is there any other way of managing firewalls (which are defined as real-servers) in a FWLB setup.
Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.
access-list ALL line 8 extended permit ip any any
probe icmp ICMP-Probe
interval 15
passdetect interval 60
rserver host FW1-ASA
ip address 10.11.71.10
inservice
rserver host FW2
ip address 10.11.71.11
inservice
serverfarm host Firewalls
transparent
predictor leastconns
rserver FW1-ASA
    inservice
rserver FW2
    inservice
serverfarm host Firewalls-NO-LB
rserver FW1-ASA
    inservice
serverfarm host Firewalls-NO-LB1
rserver FW2
    inservice
sticky ip-netmask 255.255.255.255 address source new-sticky
timeout activeconns
serverfarm Firewalls
This is my workaround for connection to the IP address of the firewalls (for management)
class-map match-any FW-Real
2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
2 match virtual-address 10.11.71.253 any
class-map type management match-any Remote-Access
201 match protocol telnet any
202 match protocol http any
203 match protocol https any
204 match protocol ssh any
205 match protocol snmp any
206 match protocol icmp any
class-map match-any fwlb
2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Remote-Management-Policy
class Remote-Access
    permit
policy-map type loadbalance first-match FWLB-No-LB
class class-default
    serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
class class-default
    serverfarm Firewalls-NO-LB1
policy-map type loadbalance first-match FWLB-l7slb
class class-default
    serverfarm Firewalls
policy-map multi-match Firewall-No-LB
class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
policy-map multi-match int70
class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
service-policy input Firewall-No-LB1 --> connect to the real IP address of the firewall for management
service-policy input int70
no shutdown
interface vlan 71
description "Firewall side"
ip address 10.11.71.2 255.255.255.0
mac-sticky enable
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
no shutdown

Hello,
as i know, there is no others ways.
You can only reduce your configuration by puting all your class undert the same policy-map:
policy-map multi-match int70
class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input int70
no shutdown

Site behind load balancer - Key not valid for use in specified state

Hi,
I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified
state exception. Stickiness is enabled on load balancer. verified that.
I had made few changes to config file in microsoft.identitymodel section to accomodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
Any pointers would help.
Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

Hi,
As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment
and with the IIS’ user profile load turned off.
1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
   <securityTokenHandlers>
     <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler,
             System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
            System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
There is a similar case:
http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
Best regards,
Sara Fan
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected]

IPsec on hosts behind load balancing NAT

Hi,
I have a problem configuring IPsec tunnel between two sites, with one is using NAT for load balancing of TCP Traffic. I've been working on this for hours but i foung myself in a dead end.
I have one router using NAT TCP load balancing of telnet traffic(in real deployment i need ftp load balancing, i am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
So far i was no able to configure IPSec to work properly with this setup. I have working configuration with IPSec encrypting some traffic not destinated behind NAT, but once I add a line in the traffic specifying access lists on both sides the IPSec stops working(and it wont work from any site of the connection, from behind the NAT or destinated behind the NAT). The access list on the router performing NAT is configured to allow any traffic destinated to some specific addresses and the access list on the router with connected hosts specifies that any connection destinated to the global address, where the server are reachable, should be encrypted.
On the side where the traffic comes from i allways see a debug output like this:
ar 1 05:23:54.294: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
    local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
    remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
    protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
195.10.0.1 is my global address for the FTP server
on the side where the encryption should be terminated i allways see an output like this:
*Mar 1 05:23:54.130: map_db_find_best did not find matching map
*Mar 1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
But i can see that there is a crypto map for address 10.0.10.1
RA#sh cryp map
Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
I tried to use some of the NAT traversal techniques for IPSec but without any success.
If you have any idea what could be the problem or if you need any additional information or debugging output i will be glad for any help.
Thanks, Adrian

This is a lab scenario and i want to test for my learning how IPSec would work in such a case.
I have tried it but IPSec doesnt work with standard configuration. Below is the configuration
I have configured 2 loopback. on R1: 100.1.1.1
on R2: 200.1.1.1
R1:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
crypto map test 10 ipsec-isakmp
mat address 101
set peer 10.1.1.1
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.0.2
R2:
crypto isakmp policy 10
auth pre
enc des
hash md5
group 2
crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
crypto ipsec transform-set test esp-des esp-md5-hmac
mode tunnel
access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
crypto map test 10 ipsec-isakmp
mat address 101
set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
set transform-set test
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Now when i ping from R1:
ping 200.1.1.1 source 100.1.1.1
its not successful. Why doesnt it work any idea ?

ISE node group behind load balancer

I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
Q1:
Node group config requires multicast.
Cisco ACE LB doesn't support multicast, except in brige mode.
How do people support distributed deployment in node group behind Ciso ACE?
Q2:
User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
What if we need more than 4 PSN nodes to support our network & user base?
Q3:
Has anyone been able to implement distributed deployment between two datacenters behind GSS?
If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
thx!

I have had close to zero experience with LBs so my answers will be limited:
Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
Q2: You will have to create a new node group with a new multicast address
Q3: No help here
Couple of other things to remember:
1. The nodes must be layer 2 adjacent
2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
3. You must perform sticky
4. The Load balancers must be listed as NADs in ISE
Hope this provides some help to you.
Thank you for rating!

Data Centre Interconnection - firewall and load balancer deployment

Hi all,
I've read lots of Cisco docs/white papers on DCI - Layer 2 extension between DCs, but as yet I cannot find any decent information on how best to deploy firewalls and load balancers in such a design. I've seen refs to FHRP isolation on Nexus 7k (and possible 6k if you use DCI block) but nothing on the services elements.
The services element seems to be a complete minefield here:
- active/standby across sites, or deploy resilient pairs in each site?
- how to align optimal traffic flows inbound and ooutbound (RHI, SNAT, etc.)
- best practice suggestions ideally.
Cisco DCI docs seem to always gloss over the fact that most customers would have to deal with firewalls and load balancers here, and simply refer to 'coming soon' for that info.
If anyone has any good suggestions/links to docs explaining detailed implementation info would be much appreciate
Thanks
Phil

You might want to check out this new product called ITD.
Simple and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback:[email protected]

How to install licenses on 2 RDSH servers behind F5 load balancer

I want to setup 2 separate RDSH servers behind a F5 load balancer. The load balancer is there to spread out the compute load between 2 VM servers as the application the users are using are somewhat "heavy" in nature. I have 10 users
who will potentially need access all at the same time. How do I install the 10 licenses? Do I install 5 on each server, or do I install all 10 on only one of the servers?

Hi,
You would install all 10 licenses on your RD Licensing server and point your 2 RDSH servers to that. You may installing RD Licensing on whichever server you want, for example, on your RD Connection Broker, or a DC, or on one of the 2 RDSH servers,
etc.
-TP

ISE behind load balancer

I have a question regarding ISE profiling servers that are placed behind a load balancer:
If you have a ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all succesfull computer authentications handled by the other ISE servers?
For example:
There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
Will ISE02 be aware that the corresponding computer was already succesfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
Kind regards,
Bert

>> they are independant servers that just replicate their configuration.
So a user should authenticate always with the same ISE.
Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
Not entirely correct. Policy Service nodes are most certainly supported behind a load balancer which is the intention of a node group. This is often the preferred method for high availability and scaling. In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail. If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS COA to help ensure that an endpoint is left in a defunt auth state. LB functionality will depend on load balancer used. Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question. For services like client provisioning, posture, and central web auth, https redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected https trnasactions (RADIUS tranasactions would be sent to virtual IP).
Specific to profiling, SNMP Queries can be triggered and will be sent by Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled). SPAN is only one data collection method used primarily for HTTP or DHCP capture. Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechansim to move SPANs from one interface to another in case of NIC or node failure. I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services.
/CH

Load balancing PPTP (Windows 2003) behind CSS 11500

I am wondering if you can load balance PPTP service (TCP port 1723 and GRE) behind CSS 11500, please let me know if anyone as experience with this setup.
Irfan
[email protected]

No. I dont think you can load balance PPTP service behind CSS 11500.

FireWall ( with DMZ ) Load Balance

Hi,
I search CCO and find some Firewall load balance document ( http://www.cisco.com/warp/customer/117/fw_load_balancing.html ), but in this sample both firewall havn`t DMZ. Is there anyone can advise me how about the network diagram and hot to configure CSS if both firewall have DMZ?
Best Regards,

Hi,
There are no issues with the firewalls having DMZ's. The firewall load balancing occours accross firewalls regardless of the firewall interface that the incomming packet is destined for.
Regards Brett

Load Balancing behind firewall

Similar Messages

Maybe you are looking for