Multi-Geography Load-Balancing on ASA

Hi all,
I have two buildings in two different locations, each one with a Cisco ASA5520 to provide VPN access. I want to configure load-balancing between them but I can't have both outside interfaces in the same subnet. Reading the document: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml, it is stated that "All devices in the virtual cluster must be on the same outside and inside IP subnets", but then I have some slides from a Cisco Networkers training (26-29 Jan 2009) titled "Deploying Remote Access with SSL VPNs" written by Nadhem J. AlFardan where it says that it is possible to configure two ASAs, one in London and one in New York, in a cluster to provide load balancing between them.
Has anyone configured load-balancing between two ASAs not sharing the same outside and inside subnetworks? Is there any documentation addressing this issue?
Thanks

Good question ... I have the same issue ... Can someone please help us? I also looked into load balancing utilizing the ASA cluster but unfortunately realized that "All devices in the virtual cluster must be on the same outside and inside IP subnets" and now I have to come up with another solution ...
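As an added example (not from this thread and not Cisco's code), the following Python script models the two design rules the posts in this thread keep running into: every member of an ASA VPN virtual cluster must sit on one shared outside subnet and one shared inside subnet, the cluster (virtual) IP must lie in that outside subnet, and each member needs its own non-overlapping client address pool, with the inside gateway holding a route for each pool via the member that owns it, which is how return traffic finds the ASA that terminates a given client. It also renders the ASA 8.x `vpn load-balancing` stanza for one member. The 20.20.20.x and 192.168.1.x addresses are the ones quoted further down this page; the 10.10.x.0/24 pools, the `outside`/`inside` nameifs, the pool name, the cluster key and the London/New York addresses are assumptions.

```python
"""Design checks for an ASA VPN load-balancing (virtual cluster) layout.

Added example; not the forum posters' or Cisco's code. Pool ranges,
nameifs, pool names and the cluster key are assumptions.
"""
import ipaddress
from itertools import combinations


class ClusterMember:
    """One ASA in the virtual cluster; addresses are CIDR strings."""

    def __init__(self, name, outside, inside, pool):
        self.name = name
        self.outside = ipaddress.ip_interface(outside)  # outside nameif address
        self.inside = ipaddress.ip_interface(inside)    # inside nameif address
        self.pool = ipaddress.ip_network(pool)          # this member's client pool


def validate_cluster(members, cluster_ip):
    """Return a list of design problems; an empty list means the layout is valid."""
    problems = []
    vip = ipaddress.ip_address(cluster_ip)
    outside_nets = {m.outside.network for m in members}
    inside_nets = {m.inside.network for m in members}
    # Rule 1: all members share one outside subnet and one inside subnet, and
    # the cluster IP (a secondary address on the master's outside interface)
    # must lie in that outside subnet.
    if len(outside_nets) != 1:
        problems.append("outside interfaces are not in one subnet: "
                        + ", ".join(sorted(str(n) for n in outside_nets)))
    elif vip not in next(iter(outside_nets)):
        problems.append(f"cluster IP {vip} is not in the shared outside subnet")
    if len(inside_nets) != 1:
        problems.append("inside interfaces are not in one subnet: "
                        + ", ".join(sorted(str(n) for n in inside_nets)))
    # Rule 2: per-member pools must not overlap, otherwise the inside gateway
    # cannot tell which ASA terminates a given client.
    for a, b in combinations(members, 2):
        if a.pool.overlaps(b.pool):
            problems.append(f"address pools of {a.name} and {b.name} overlap")
    return problems


def inside_routes(members):
    """Static routes for the inside router (IOS syntax) so that return traffic
    for each client pool goes back through the ASA that owns that pool."""
    return [f"ip route {m.pool.network_address} {m.pool.netmask} {m.inside.ip}"
            for m in members]


def asa_config(member, cluster_ip, cluster_key, priority):
    """Render the per-member pool and vpn load-balancing stanza (ASA 8.x CLI).
    The 'outside'/'inside' nameifs, the pool name and the key are assumptions."""
    hosts = list(member.pool.hosts())
    return "\n".join([
        f"ip local pool VPNPOOL-{member.name} {hosts[0]}-{hosts[-1]} "
        f"mask {member.pool.netmask}",
        "vpn load-balancing",
        f" priority {priority}",
        f" cluster ip address {cluster_ip}",
        " cluster port 9023",
        f" cluster key {cluster_key}",
        " cluster encryption",
        " interface lbpublic outside",
        " interface lbprivate inside",
        " participate",
    ])


if __name__ == "__main__":
    # Layout quoted on this page: both ASAs on 20.20.20.0/24 and 192.168.1.0/24.
    asa1 = ClusterMember("ASA1", "20.20.20.20/24", "192.168.1.1/24", "10.10.1.0/24")
    asa2 = ClusterMember("ASA2", "20.20.20.21/24", "192.168.1.2/24", "10.10.2.0/24")
    print("problems:", validate_cluster([asa1, asa2], "20.20.20.10"))
    print("\n".join(inside_routes([asa1, asa2])))
    print(asa_config(asa1, "20.20.20.10", "cluster-key-assumed", 10))
    # A London/New York pair (assumed addresses) fails the shared-subnet rule.
    ny = ClusterMember("ASA-NY", "198.51.100.5/24", "10.20.0.1/24", "10.10.1.0/24")
    print("problems:", validate_cluster([asa1, ny], "20.20.20.10"))
```

The second run, with a member on a different outside and inside subnet, reports exactly the situation the original question describes; the cluster protocol has no mechanism to move the virtual IP between subnets, so the answer to the question is that it cannot be done with the virtual cluster feature alone.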

Similar Messages

  • VPN load balancing and ASA !!!

    Hi netpros,
    I have a couple of questions about this and hope you might be able to assist me.
    1.- Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?
    2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? Because the cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
    3.- VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client, etc.) and does not work with static LAN-to-LAN tunnels, correct?
    Your comments are much appreciated

    Hi Gilbert ..
    1.- Thanks I wanted to make sure.
    2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
    ASA1: Public 20.20.20.20
    Private 192.168.1.1
    ASA2: Public 20.20.20.21
    Private 192.168.1.2
    Cluster virtual IP: 20.20.20.10
    Default gateway for segment 192.168.1.0 is 192.168.1.1
    Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2?
    3.- Any idea about this one ..?
    Cheers,

  • Multi-server load balancing

    Hi,
    Currently I'm working on a simple electronic newspaper application. In this application, after login, users can download articles from a digital newspaper. The client application sends content requests to a server-side component in order to retrieve the article.
    In order to have a scalable infrastructure, the server-side of this application is implemented using the multi-server paradigm.
    Our application has to have some very basic load balancing between the servers:
    - the total amount of downloaded bytes over a pre-defined time T has to be calculated for each server.
    - if this value exceeds by 10% the average value for all servers, the request has to be redirected to another server. In this case, the client gets a reference to another (less loaded) server.
    In order to load balance the servers, the number of downloaded bytes over a given period should be tracked, and communicated within the server pool.
    My question is, how can this be implemented using standard Session Beans? Do I have to use stateless or stateful session beans?
    Does somebody have some ideas about the design of this application concerning the load balancing functionality ?
    Thanks !
    Filip Blondeel

    Hi
    I want to clarify one thing: do you want the number of downloaded bytes over a given period to be tracked and communicated within the server pool with the session beans, or what?
    regards
    Santosh Thakur

  • Load Balancing Error Message

    We have two ASA 5550's, ver. 8.0.4. We just recently set them up for load balancing. Every time a user logs in to the Cisco VPN client (5.0.03.0560), we get two email notifications for the below messages. We get the error messages every time every user logs in to the Cisco VPN client:
    <163>%ASA-3-713128: Connection attempt to VCPIP redirected to VCA peer 192.168.110.18 via load balancing
    <163>%ASA-3-713902: Group = office, IP = XX.XXX.XXX.XXX, Removing peer from peer table failed, no match!
    The user was able to access the internal resources. The two ASAs have the exact same configuration. Do you have any suggestions on how to fix the problem?
    Thanks.
    Debra

    Error Message - %PIX|ASA-3-713128: Connection attempt to VCPIP redirected to VCA peer IP_address via load balancing
    Explanation - This message appears when a connection attempt has been made to the VCPIP and has been redirected to a less loaded peer using load balancing.
    Recommended Action - None required.
    Error Message - %PIX|ASA-3-713902 descriptive_event_string
    Explanation - This system log message could have several possible text strings describing an error. This may be the result of a configuration error either on the headend or remote access client.
    Recommended Action - It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, dmz network zones].
    I've seen sample configurations; all of them are running the ACE in routed mode, and the ASAs are running in routed mode.
    Would it be possible to run the ACE in bridge mode, because of the IP subnet problem? We don't have enough to split.
    By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create the VIP for both firewalls, or should I just simply set the server's gateway to the BVI interface?
    Please Help Thanks

    Thank you very much Gilles,
    You 're the man. ;-)
    Another question: in my case I try to load balance a 3-interface firewall [inside, outside, dmz] in order to make the packet return through the same firewall it passed through earlier.
    What kind of hashing technique do I need to use, and do I need to use the mac-sticky command?
    I tried to find some configuration sample from the Cisco website, but I only found one with only 2 interfaces, with ACE running source hash and destination hash at each end.
    Thank you very much

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Load balancing with multi datasource

    Hi,
    I have created two data sources and created a multi data source with those with "Load-Balancing" set as algorithm.
    I have two kinds of urls where I can use those links to test the load balancing
    1. survey page which will take only 2 sec to submit
    2. registration page which will take more than 10 sec to submit.
    My problem here is everything is fine with survey page and also sequence is in order in the database but with the registration page, all data is getting inserted through the first data source.
    Thanks,

    Did you check the test connections in reserve option and also failover when busy option for the datasources and multi datasource?

  • ASA Vpn load balancing and failover

    Hello all.
    We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
    Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
    Thanks
    Daniele

    Hi Wajih,
    I am testing this right now. In my case, I want A and B to be a failover pair with A as the primary, and (A+B) together as one member in a cluster with other ASAs C and D. Here is what I found out:
    1. After active/standby is working, configure load balancing on the master; the cluster IP worked.
    2. After "no fail ac" in A, the cluster IP stopped working. Seems the VPN load balancing configuration wasn't copied over to the standby B.
    3. In the active unit (now it's the secondary B), manually configure VPN load balancing; then the cluster IP worked.
    4. "no fail ac" in B and make the primary A active; the cluster IP still worked.
    5. After "no fail ac" in A, the cluster IP stopped working. show vpn load and found out that load balancing was disabled.
    6. "no fail ac" in B and make the primary A active; the cluster IP then worked.
    Based on the above, the secondary B's VPN load balancing will be disabled when B becomes active in the failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2).
    Thanks,
    Rick.

  • ASA Load-Balancing intriguing question

    I have a setup where the inside interface may be in the same private subnet, but the outside interfaces, are most likely in different public subnets.
    For example, inside on both ASAs: 192.168.1.1 and 192.168.1.2 /24, and the public side even connected to two different ISPs.
    My guess is that I would probably lose the possibility of failover of the master for load-balancing, in case this ASA goes down, but nevertheless I would still be interested in having users connect to the same public IP, and in the master giving the FQDN of the other ASA, balancing their AnyConnect entry into the network between both ASAs. Does it work this way?
    I mean, does this VPN load-balance feature talk only across the inside network, or does it need to have the same outside subnet mask? Is it a trick of the mask on the interface?
    If not, is there a way around that? Like this: if I use a bogus outside interface and tunnel it somehow to the other outside on the other ASA, will the offering of the FQDN still be on, so that the client connects to the other "real" public IP?

    You can't route based on source IP with a firewall, only with a router; it is possible with PBR.
    You can make two static routes, each one pointing to a different router with a different metric;
    in this case it will make the topology like active/standby, which is not good in your case,
    but you can use subinterfaces on your ASA; in this case make each subinterface in a different subnet and with a different security level
    and let each subinterface use a different HSRP instance.
    Or there is another way:
    if you don't use VPN on your ASA you can achieve it by using multiple contexts.
    In multiple context mode you are going to separate your firewall virtually,
    so if you have two VLANs in your inside network (two different subnets)
    then each subnet will use a different firewall virtually.
    You are going to divide the internal interface into two subinterfaces,
    and you can use one outside interface shared between the contexts, or also separate it into two subinterfaces,
    and allocate those interfaces to each context,
    so you are going to deal with each context as a different firewall
    and you can use a different HSRP instance on each context,
    but with multiple contexts you can't use VPN on the firewall.
    *****use the following method*****
    The other way, which I also suggest you try, is the transparent firewall.
    In this case your firewall will operate in L2 mode,
    so you can use the routers' HSRP IPs as if there is no firewall in the path,
    which I think is helpful in your case also.
    In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management;
    also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,
    and also you can control the network security through the firewall normally.
    Try this way and let me know.
    See the following link for configuration:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    Please rate if helpful.

  • Load Balancing using Virtual IP on DMZ interface of 5520 ASA

    We want to achieve a load balancing scenario using Virtual IP on DMZ interface on a Cisco ASA 5520.
    The IPs we are going to use on DMZ are 10.15.1.2 and 10.15.1.3
    These IPs are going to be NATted to all inside IPs.
    Lets say our outside IP is X.X.X.X
    This IP points to 10.15.1.2 and 10.15.1.3 with .2 being the primary and .3 being the secondary.
    When I hit the outside IP, it should point me to .2 and that .2 should take me to the inside IPs.
    I need configuration assistance with that.

    Hi Pratik,
    The ASA does not support having 1 global/translated IP address on the outside mapped to multiple local/real IP addresses on the DMZ. If it did, the ASA would have no way of deciding if traffic destined to X.X.X.X is really meant for 10.15.1.2 or 10.15.1.3. For this scenario, you should use a dedicated load balancer or a router that supports policy-based routing.
    -Mike

  • ASA load balance per destination

    Hello,
    I have an ASA with version 8.4.4.1 connected via a switch to two routers and I have two default routes on the ASA pointing to the two routers.
    The question is : Does the ASA load balance the traffic onto the two routers per-destination or per-packet?
    As on routers, CEF load balances connections per-destination by default. So what about the ASA, regardless of the hardware?
    Regards,
    George

    No. Everything will go to lowest cost route. Matthew

  • ASA LOAD BALANCE

    Hello,
    Does anyone know what device to use to do ASA load balancing?
    Thanks

    no.
    I have 2 physical ASA5520s. We are thinking of creating 2 contexts on each ASA and configuring the following:
    asa1
    context A - active
    context B - passive
    asa2
    context A - passive
    context B - active
    thereby we will have 2 ASAs with different IP addresses on the outside.
    We want the traffic coming in to our web servers to be load balanced between these 2 ASAs.
    thanks

  • WAN Load-Balancing and multi VLAN design

    Hello,
    I need some help to define the design of a specific LAN-WAN network.
    1) There are 2 independent WAN entries (they have their own ISP-managed router)
    2) I need to load-balance the requests over the 2 WANs
    3) If possible, the load-balancer must be redundant (GLBP?)
    4) On the LAN itself, there must be 15 different VLANs
    5) We also need a DHCP solution (also redundant if possible) to provide IPs to these VLANs, with a unique gateway (the load-balancer)
    What do I need to implement this configuration ?
    And is it possible to configure with as much GUI as possible ?
    Thanks in advance for your help.

    Dear Mike,
    Thank you and welcome to the Small Business Support Community.
    It is possible to configure load balancing with NAT, however in this case, remote internet servers will potentially see sessions from remote hosts behind the SRP541W coming from different source IP addresses (the WAN IP addresses), causing the sessions to be reset unexpectedly.
    The Policy Routing setting you setup is exactly what I would do in your case.
    I hope these answer your question and please do not hesitate to reach me back if there is anything else I may assist you with.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so other will know when an answer has been found.

  • Load balancing on an applicaton with multi-ports

    One of our applications opens 5 ports and another 4 management ports. The ports cannot be expressed as a range.
    To load balance this, I did:
    make separate content rules for every port, and all of them use aca.
    Please advise me:
    1. How can I group all the ports into one content rule?
    2. Does a rule per port mean the balancing is only based on that specific port?
    3. Can I balance the load between ports?
    4. For the administrator ports, what is the better balancing method?
    Any comments will be appreciated.
    Thanks in advance

    Gilles,
    What will be the best keepalive on the services to use in this case?
    I have had a problem where I tried the same setup you suggested above, but what happens is I get a black hole if the service port(s) go down on one of the servers.
    At the beginning, I used the default ICMP keepalive and then tried the port xx keepalive, but because the servers have multiple ports, if the port that is not monitored by the keepalive goes down, the content rule still thinks that the service is up, and this is where I get a black hole. To get around the problem I have created multiple services (one for each port) and configured the subsequent keepalive.
    1. Is there a better way of doing it? i.e. a script
    2. Is there any documentation on the Cisco website on how to use the scripting tools on CSS?
    Thanks again,
    Ben

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540s for internet traffic inside to outside,
    outside to inside (web, smtp) but also VPN load balancing for client-to-site, site-to-site and WebVPN.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For VPN: I can use VPN load balancing.
    But no information if I want to use active/passive and VPN load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps
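The "Load Balancing Error Message" post above shows the two messages a VPN cluster produces on every client login: %ASA-3-713128 is the normal redirect from the cluster IP (VCPIP) to a member (VCA) and needs no action, while %ASA-3-713902 is a real error. Both are logged at severity 3, which is why an "e-mail on error" trap fires twice per login. As an added example (not from the thread and not Cisco's code), the following Python triage parses such lines, restores the syslog PRI decoding, suppresses 713128 when the redirect target is a known cluster member, and keeps everything that an operator should actually look at. The two sample lines are reconstructed from that post with the PRI bracket restored; the cluster member list, the 203.0.113.45 client address and the 10.9.9.9 unknown peer are constructed for the example.

```python
"""Triage of ASA VPN load-balancing syslog messages.

Added example; not from the forum posters or Cisco. The sample lines are
reconstructed from the post on this page; member list and client/peer
addresses are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Tolerate a missing "<" in front of the PRI, as in the lines pasted on the page.
SYSLOG_RE = re.compile(
    r"^(?:<?(?P<pri>\d{1,3})>)?%(?:ASA|PIX)-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)$"
)
VCA_RE = re.compile(r"redirected to VCA peer (?P<peer>\d+(?:\.\d+){3})")


@dataclass
class Event:
    msg_id: int
    severity: int            # ASA severity from the message header (3 = error)
    facility: Optional[int]  # syslog facility decoded from the PRI, if present
    peer: Optional[str]      # VCA peer for 713128, else None
    action: str              # "ignore", "investigate" or "review"
    text: str


def pri_to_facility_severity(pri):
    """Syslog PRI = facility * 8 + severity; 163 -> (20, 3), i.e. local4.error."""
    return divmod(pri, 8)


def classify_event(line, cluster_members):
    """Parse one syslog line; return an Event, or None if it is not an ASA message.

    713128 is the expected redirect from the cluster IP to a member and only
    deserves attention when the peer is not a known cluster member (a sign of
    a stale or mismatched cluster configuration). 713902 is a real error.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg_id = int(m["msg_id"])
    severity = int(m["sev"])
    facility = None
    if m["pri"] is not None:
        facility, _ = pri_to_facility_severity(int(m["pri"]))
    peer = None
    if msg_id == 713128:
        found = VCA_RE.search(m["text"])
        peer = found["peer"] if found else None
        action = "ignore" if peer in cluster_members else "investigate"
    elif msg_id == 713902:
        action = "investigate"
    else:
        action = "review"
    return Event(msg_id, severity, facility, peer, action, m["text"])


def events_needing_attention(lines, cluster_members):
    """Filter a batch of log lines down to the events an operator should look at."""
    events = (classify_event(line, cluster_members) for line in lines)
    return [e for e in events if e is not None and e.action != "ignore"]


# Constructed sample input: the two lines from the post, a redirect to an
# address that is not a cluster member, and a non-syslog line.
SAMPLE_MEMBERS = {"192.168.110.17", "192.168.110.18"}
SAMPLE_LINES = [
    "<163>%ASA-3-713128: Connection attempt to VCPIP redirected to VCA peer 192.168.110.18 via load balancing",
    "<163>%ASA-3-713902: Group = office, IP = 203.0.113.45, Removing peer from peer table failed, no match!",
    "163>%ASA-3-713128: Connection attempt to VCPIP redirected to VCA peer 10.9.9.9 via load balancing",
    "not a syslog line",
]

if __name__ == "__main__":
    for e in events_needing_attention(SAMPLE_LINES, SAMPLE_MEMBERS):
        print(e.msg_id, e.action, e.peer, e.text)
```

Filtering at the collector is the workaround; the fix on the ASA itself is to lower the level of that one message so the mail trap no longer fires for it (`logging message 713128 level informational`), leaving 713902 at error level so it still reaches the operator.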
