NIC load balancing

Hello,
I installed a VMware Hypervisor 5.5 server and put 2 virtual machines on it.
The physical server has 2 NICs and connected to the LAN.
When I go to the virtual machine performance tab and look at the network data I see that most traffic is going over 1 vmnic.
The stats of the other NIC are most of the time plain 0 values.
see attachment...
Isn't this supposed to be spread over vmnic0 & vmnic1 ?
The vSwitch has loadbalancing on, if I turn loadbalancing on for the VMNetwork it doesn't seem to change much either.
When I add another virtual NIC and leave it unteamed I get the same result.
Will this only work when teaming 2 virtual NICs in the virtual machine or will it only use the second NIC when it reaches almost full load?
The problem is that I have issues with teaming the Microsoft way, the server becomes unreachable for some reason (previous HP soft messed up something?)
I'm using the VMXNET3 NICs.

I checked another host.
This has a mail and RDP server as 2 virtual machines.
The only issue I have under RDS is that sometimes Outlook freezes for a few seconds and gives this white/blurred screen.
So I wonder...
As these 2 VMs are on the same VM host, does the traffic leave the host or is it kept internal?
If it is internal then it couldn't be a physical NIC overload issue, right?
Then I need to look elsewhere (the VM CPU/NIC stats don't give a reason for the slowdown either).

Similar Messages

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just an additional ip helper to add to our switch SVI config. Also, it would appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bring our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years ago (there are more recent ones that are available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • Dual Nic Load Balancing Solution

    Hi,
    I have a very peculiar situation. I'm currently a college student with access to an almost unlimited network. But the problem is that the network limits each IP to 30 Mb/s. I have 2 nics at my disposal and have tried two options so far:
    - bonding
    - two independent NICs, let network manager take care of it
    I set up bonding and got it working, but it seems limited to roughly the same speeds as a single NIC, but I can see the network being split between the two NICs evenly. This is what led me to conclude that since I have a single IP address it's limiting it by IP, not MAC addresses. Here I might occasionally spike above the limits but not consistently.
    With the network manager solution, I'm basically thrown at random and can occasionally get higher than limited speeds. Especially with torrenting clients.
    Are there any other useful options that I could explore, my next stop was a load balancing routing table but I want to see what you guys know before I keep trying weirder solutions.
    Thanks in advance

    falconindy wrote: There's no problem here. Please don't try to circumvent the policies your network admins are defining.
    Oh come on, we'd all do the same thing if we could double our available bandwidth! 
    I really can't provide much of a solution.  I did this back with my dialup days, many many eons ago.  I used 2 phone lines bonded to get my 56k speeds doubled.  It was a gigantic pain in the rear to set up back then, as well.  However, I'm lucky to remember what I had for breakfast, so remembering how I did something 15+ years ago is pretty much out of the question.
    I'm sure Linux can do this, but I'm guessing one of the BSDs would have information about how to do this written up somewhere. This is right up BSD's alley. They have all kinds of load-balancing code built into their network stack (Amazon actually had a lot of trouble keeping up with demand when they were getting big, so they wrote up their own networking stack, which has since been returned to the FreeBSD project, iirc). So it might be worth your time to check that out and possibly run a mini BSD setup on an old computer or something to route the bandwidth to an internal network (of course this would likely require three NICs in a single computer...so more complexity there too). Some of the problem you are running into may be due to the network just being congested, which could explain the differing speeds. Then there may be an issue with certain servers not being able to push out 60 MB/s worth of data to you, for whatever reason.
    Either way, please keep us posted about what you do and how you do it, I'm anxious to find out the final solution here.
    Best of luck to you.

  • Load balancing over multiple NIC cards

    Is it possible to set up some kind of load balancing at the OS level on a V240 running Solaris 8?
    I've got all 4 NIC cards populated (2 each on different subnets with clients coming from both subnets and elsewhere) and I'd like to set up some load balancing at the operating system to (dynamically) route the load across the most appropriate interface. Is this possible? I feel I should be getting more bang for my buck here, but I just can't find any info on what I'd like to do.
    Thanks for the help.

    You can use IPMP in order to have load balancing for the outbound traffic. It's working fine, I have used it on many machines.
    Now, if you want to trunk the throughput of your interfaces (for inbound and outbound traffic), you need to acquire Sun Trunking software. It can trunk up to 8 100Mbps interfaces, or up to 2 1Gbps interfaces.

  • ESXi 4.1 NIC Teaming's Load-Balancing Algorithm,Nexus 7000 and UCS

    Hi, Cisco Gurus:
    Please help me in answering the following questions (UCSM 1.4(xx), 2 UCS 6140XP, 2 Nexus 7000, M81KR in B200-M2, No Nexus 1000V, using VMware Distributed Switch):
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned?
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct?
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES?
    I would really appreciate if someone can help me clear these lingering doubts of mine.
    God Bless.
    SiM

    Sim,
    Here are my thoughts without a 1000v in place,
    Q1. For me to configure vPC on a pair of Nexus 7000, do I have to connect Ethernet Uplink from each Cisco Fabric Interconnect to the 2 Nexus 7000 in a bow-tie fashion? If I connect, say 2 10G ports from Fabric Interconnect 1 to 1 Nexus 7000 and similar connection from FInterconnect 2 to the other Nexus 7000, in this case can I still configure vPC or is it a validated design? If it is, what is the pro and con versus having 2 connections from each FInterconnect to 2 separate Nexus 7000?   //Yes, for vPC to UCS the best practice is to bowtie uplink to (2) 7K or 5Ks.
    Q2. If vPC is to be configured in Nexus 7000, is it COMPULSORY to configure Port Channel for the 2 Fabric Interconnects using UCSM? I believe it is not. But what is the pro and con of HAVING NO Port Channel within UCS versus HAVING Port Channel when vPC is concerned? //The port channel will be configured on both the UCSM and the 7K. The pro of a port channel would be both bandwidth and redundancy. vPC would be preferred.
    Q3. if vPC is to be configured in Nexus 7000, I understand there is a limitation on confining to ONLY 1 vSphere NIC Teaming's Load-Balancing Algorithm i.e. Route Based on IP Hash. Is it correct? //Without the 1000v, I always tend to leave the dvSwitch load balance behavior at the default of "route by portID".
    Again, what is the pro and con here with regard to application behaviours when Layer 2 or 3 is concerned? Or what is the BEST PRACTICES? UCS can perform L2 but Northbound should be performing L3.
    Cheers,
    David Jarzynka

  • Load Balancing and NIC Teaming

    Hi! I have been looking through lots of links and none of them actually can fully answer my queries.
    I am to do a writeup on load balancing and NIC Teaming, is there anyone that knows what are the commonly used load balancing and NIC Teaming methods, when to use each method, and the advantages and disadvantages of each method and the configuration for each method!
    Sorry it's lots of questions but I have to do a detailed writeup!
    Many thanks in advance :D

    Hi
    NIC Teaming - On a single server, you will have multiple NICs. You can team the NICs so that both NICs will act together to provide better bandwidth and high availability.
    Example: NIC 1 - 1 GB and NIC 2 - 1 GB, so in a team it can act as a 2 GB single NIC. If one fails, speed will be reduced but it will have HA.
    Load balancing: Two servers hosting the same content.
    Example: Microsoft.com can be hosted on two or even more servers and a load balancer will be used to split load to each server based on the current load and traffic.
    No disadvantages

  • Hyper-V NIC Team Load Balancing Algorithm: TransportPorts vs Hyper-VPorts

    Hi, 
    I'm going to need to configure a NIC team for the LAN traffic for a Hyper-V 2012 R2 environment. What is the recommended load balancing algorithm? 
    Some background:
    - The NIC team will deal with LAN traffic (NOT iSCSI storage traffic)
    - I'll set up a converged network. So there'll be a virtual switch on top of this team, which will have vNICs configured for each cluster, live migration and management
    - I'll implement QOS at the virtual switch level (using option -DefaultFlowMinimumBandwidthWeight) and at the vNIC level (using option -MinimumBandwidthWeight)
    - The CSV is set up on an EqualLogic cluster. I know that this team is for the LAN so it has nothing to do with the SAN, but this reference will become clear in the next paragraph.
    Here's where it gets a little confusing. I've checked some of the EqualLogic documentation to ensure this environment complies with their requirements as far as storage networking is concerned. However, as part of their presentation, the Dell publication TR1098-4 recommends creating the LAN NIC team with the TransportPorts Load Balancing Algorithm. However, in some of the Microsoft resources (i.e. http://technet.microsoft.com/en-us/library/dn550728.aspx), the recommended load balancing algorithm is HyperVPorts.
    Just to add to the confusion, in this Microsoft TechEd presentation, http://www.youtube.com/watch?v=ed7HThAvp7o, the recommendation (at around minute 8:06) is to use dynamic ports algorithm mode. So obviously there are many ways to do this, but which one is correct? I spoke with EqualLogic support and the rep said that their documentation recommends TransportPorts LB algorithm because that's what they've tested and works. I'm wondering what the response from a Hyper-V expert would be to this question. Anyway, any input on this last point would be appreciated.

    Gleb,
    >>See Windows Server 2012 R2 NIC Teaming (LBFO) Deployment and Management for more info
    Thanks for this reference. It seems that I have an older version of this document where there's absolutely no mention of the dynamic LBA. Hence my confusion when in the Microsoft TechEd presentation the recommendation was to use Dynamic. I almost implemented this environment with switch dependent and Address Hash Distribution because, based on the older version of the document, this combination offered:
    a) Native teaming for maximum performance and switch diversity is not required; or
    b) Teaming under the Hyper-V switch when an individual VM needs to be able to transmit at rates in excess of what one team member can deliver
    The new version of the document recommends Dynamic over the other two LBA. The analogy that the document makes of TCP flows with human speech was really helpful for me to understand what this algorithm is doing. For those who will never read the document, I'm referring to this:
    "The outbound loads in this mode are dynamically balanced based on the concept of flowlets. Just as human speech has natural breaks at the ends of words and sentences, TCP flows (TCP communication streams) also have naturally occurring breaks. The portion of a TCP flow between two such breaks is referred to as a flowlet. When the dynamic mode algorithm detects that a flowlet boundary has been encountered, i.e., a break of sufficient length has occurred in the TCP flow, the algorithm will opportunistically rebalance the flow to another team member if appropriate. The algorithm may also periodically rebalance flows that do not contain any flowlets if circumstances require it. As a result the affinity between TCP flow and team member can change at any time as the dynamic balancing algorithm works to balance the workload of the team members."
    Anyway, this post made my week. You sir are deserving of a beer!
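The flowlet behaviour quoted in the post above, as a simplified model added here (not Microsoft's implementation and not code from the thread). The idle gap that counts as a flowlet boundary and the "move to the least-loaded member" rule are assumptions, and the periodic rebalancing of gap-free flows mentioned in the quote is not modelled.

```python
# Simplified model of flowlet-based rebalancing (added example; not Microsoft's code).
# Assumptions: the idle gap that ends a flowlet, and "move to the least-loaded
# member" as the rebalancing rule, are illustrative choices.
import zlib


def distribute(packets, members, flowlet_gap=None):
    """Return bytes sent per team member.

    packets     -- list of (timestamp_s, flow_id, size_bytes), sorted by time
    members     -- team member names
    flowlet_gap -- None: a flow stays on the member its hash selects.
                   float: an idle gap of at least this many seconds inside a
                   flow is a flowlet boundary, and the flow may move.
    """
    load = {m: 0 for m in members}
    member_of = {}   # flow_id -> current team member
    last_seen = {}   # flow_id -> timestamp of the flow's previous packet
    for ts, flow, size in packets:
        if flow not in member_of:
            # First packet of a flow: static hash of the flow identifier.
            member_of[flow] = members[zlib.crc32(flow.encode()) % len(members)]
        elif flowlet_gap is not None and ts - last_seen[flow] >= flowlet_gap:
            # Flowlet boundary: opportunistically move to the least-loaded member.
            member_of[flow] = min(members, key=load.get)
        load[member_of[flow]] += size
        last_seen[flow] = ts
    return load


def bursty_flow(flow_id, bursts, packets_per_burst, size, pause):
    """Constructed traffic: one TCP flow sending bursts separated by idle pauses."""
    packets, ts = [], 0.0
    for _ in range(bursts):
        for _ in range(packets_per_burst):
            packets.append((ts, flow_id, size))
            ts += 0.001          # 1 ms between packets inside a burst
        ts += pause              # idle time before the next burst
    return packets


if __name__ == "__main__":
    team = ["NIC1", "NIC2"]
    # Constructed flow identifier and sizes, for illustration only.
    traffic = bursty_flow("10.0.0.5:49152->10.0.0.9:445", 4, 100, 1500, 0.05)
    print("address hash only:", distribute(traffic, team))
    print("with flowlets    :", distribute(traffic, team, flowlet_gap=0.01))
```

A single flow pinned by a hash can never use more than one team member; with flowlet boundaries the same flow ends up spread across both.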

  • Switch-independent load-balancing NIC teaming on server-side and MAC/ARP flapping on L2/L3 switches

    Since active deployment of Windows Server 2012, our servers support team began to utilize a new feature - switch-independent load-balancing NIC teaming. At first look it seems great - no additional network configuration is required and load balancing is performed by the server itself by sending frames in round-robin or some hash algorithm out from different NICs (say two for simplicity) but with the same MAC address. Theoretical bandwidth has now grown up to 2Gbps (if we have two 1G NICs per server) against failover NIC teaming configuration, when one of two adapters is always down.
    But how does this affect (if it does) switching and routing performance of network equipment? From the point of view of an L2 switch - it has to rewrite its CAM table each time a server sends a frame from a different NIC. Isn't it an expensive operation? Won't it affect switching in a bad way? We see in our logs that the same server makes switches change MAC-to-port associations several times per second.
    Well, and how does it affect routing, if the switch to which the server is connected is an L3 switch and performs routing for the subnet the server is connected to? Will CEF operate well if the ARP entry changes several times per second?
    Thank you.

    Since nobody answered here, we created service request and got the following answer (in short):
    L2 MAC flapping between ports is very bad and you must avoid such configurations as much as possible. There is one possible variant that can be considered in your situation - use port-channel (either L2 or L3), in this configuration port-channel will be treated as a single port and there won't be flapping.
    Conversation example is here: https://ramazancan.wordpress.com/tag/best-practice/
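The CAM-table behaviour discussed in this thread, as a small model added here (not from the posts and not vendor code): a learning switch that records every time a source MAC moves between ports, replayed against the team as the question describes it, against a failover-only team, and against the same ports bundled into a port-channel. The MAC address, port names, window and threshold are constructed values.

```python
# Model of L2 source-MAC learning and MAC-move (flap) detection.
# Added example: MAC, port names, window and threshold are constructed values.
from collections import defaultdict


class LearningSwitch:
    def __init__(self, port_channels=None):
        # physical port -> logical port; port-channel members share one logical port
        self.logical = {}
        for name, members in (port_channels or {}).items():
            for member in members:
                self.logical[member] = name
        self.cam = {}                    # MAC -> logical port it was last seen on
        self.moves = defaultdict(list)   # MAC -> timestamps at which its entry moved

    def receive(self, ts, src_mac, port):
        """Learn the source MAC of one received frame."""
        port = self.logical.get(port, port)
        previous = self.cam.get(src_mac)
        if previous is not None and previous != port:
            self.moves[src_mac].append(ts)   # CAM entry rewritten: a MAC move
        self.cam[src_mac] = port

    def flapping(self, window=1.0, threshold=3):
        """MACs whose entry moved at least `threshold` times within `window` seconds."""
        hits = []
        for mac, times in self.moves.items():
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    hits.append(mac)
                    break
        return sorted(hits)


def team_frames(mac, ports, count, interval):
    """Constructed traffic: one server MAC sent round-robin over the team's NICs."""
    return [(i * interval, mac, ports[i % len(ports)]) for i in range(count)]


def replay(frames, port_channels=None):
    switch = LearningSwitch(port_channels)
    for ts, mac, port in frames:
        switch.receive(ts, mac, port)
    return switch


if __name__ == "__main__":
    mac = "02:00:00:00:00:01"
    ports = ["Gi1/0/1", "Gi1/0/2"]
    balanced = team_frames(mac, ports, 10, 0.1)
    # Failover team: only one NIC transmits until it fails, then the other takes over.
    failover = [(i * 0.1, mac, ports[0] if i < 5 else ports[1]) for i in range(10)]

    for label, frames, bundles in [
        ("switch-independent, same MAC", balanced, None),
        ("failover only", failover, None),
        ("port-channel Po1", balanced, {"Po1": ports}),
    ]:
        sw = replay(frames, bundles)
        print(f"{label:30s} moves={len(sw.moves[mac])} flapping={sw.flapping()}")
```

The same move counter is a useful detection signal in its own right: a MAC that keeps changing ports outside a known team or port-channel points to a loop or to a second device using that address.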

  • Nic teaming - what is dynamic load balancing

    When setting up NIC teaming in Windows 2012 I have the option of selecting "Address Hash", "Hyper-V Port", or "Dynamic" for the load balancing mode. The TechNet documentation explains "Address Hash" and "Hyper-V Port" but there is nothing about "Dynamic". Is there anywhere I can find a description of what the "Dynamic" option provides?

    Microsoft's official recommendation is to use Dynamic load balancing in most configurations.
    Section 3.3 of the NIC Teaming Deployment Guide explains what Dynamic is. Section 3.4 suggests when to use Dynamic load balancing, and when to use other modes.
    I suggest reading the Guide from start to finish.  I learn new things every time I look at it.

  • How can I support a health check, from a load balancer?

    My company has load balancers which use health checks to determine if the end point is available for client traffic. The basic health check is a tcp ping, and will tell you if the device is on the network. The next level of health check is an http request. This request, and the response are static, you can’t create your own version of the request and response. The standard request is this:
         http://host:port/healthcheck/hc.html
    The standard response is this:
         “The server is available”
    I want to use the load balancer as part of my total deployment. The problem is that I am not seeing how to support this health check request and response in the MDEX engine. What I see is this request
         http://host:port/admin?op=ping
    Will return this response
         dgraph <host>: <port> responding at <day month year time>
    It is nice that there is a built in ping, but I am not able to make use of it. I am new to Endeca and still poking around. The dgraph process listens on a port set up in <…>/config/script/AppContext.xml
    <dgraph id="Dgraph1" host-id="MDEXHost" port="3281">
    <properties>
    <property name="restartGroup" value="A" />
    <property name="updateGroup" value="a" />
    </properties>
    <log-dir>./logs/dgraphs/Dgraph1</log-dir>
    <input-dir>./data/dgraphs/Dgraph1/dgraph_input</input-dir>
    <update-dir>./data/dgraphs/Dgraph1/dgraph_input/updates</update-dir>
    </dgraph>
    (I am not using the default port, as I only have an instance on a shared server and have to worry about port clashing. But that is a different thread.)
    In a standard tc Server install I can support this health check by doing this:
    * Create a directory named “healthcheck”, in the “webapps” directory.
    * Place a file named “hc.html” in that directory, which contains “The server is available”
    The one hack which comes to mind is to write a servlet which would be able to be a smart proxy for the load balancer health check. It would pass along any regular traffic to the MDEX engine. But if the request was a health check it would send “admin?op=ping” to the MDEX engine, and for a good response from the engine, create and pass back the correct response to the load balancer.
    Ideas, comments, flames, …
    Thanks
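A narrower variant of the proxy idea in the post above, as an added example (not code from the post or from Endeca): a standalone responder that answers only the load balancer's fixed health request and translates it into the dgraph ping, so the balancer never needs access to the /admin URL. The listen port 8080, the backend address 127.0.0.1 and the pattern used to recognise a good ping reply are assumptions; the paths, the response text and port 3281 come from the post.

```python
# Health-check translator: fixed load-balancer probe -> dgraph ping (added example).
import http.client
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HEALTH_PATH = "/healthcheck/hc.html"        # fixed request sent by the load balancer
HEALTH_BODY = "The server is available"     # fixed response it expects
# Assumption: dgraph is reachable on the local host; 3281 is the port in the post.
PING_URL = "http://127.0.0.1:3281/admin?op=ping"
# Reply shape quoted in the post: "dgraph <host>: <port> responding at <date>"
PING_OK = re.compile(r"^dgraph\s+\S+:\s*\d+\s+responding at\s+\S")


def ping_backend(url=PING_URL, timeout=2.0):
    """Return the ping reply body, or None if the engine cannot be reached."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read(512).decode("ascii", "replace")
    except (OSError, ValueError, http.client.HTTPException):
        return None


def health_response(path, ping=ping_backend):
    """Map a GET path to (status, body). Only the health path is ever served."""
    if path.split("?", 1)[0] != HEALTH_PATH:
        return 404, "Not found"          # nothing else, including /admin, is relayed
    reply = ping()
    if reply is not None and PING_OK.match(reply.strip()):
        return 200, HEALTH_BODY
    return 503, "The server is unavailable"


class HealthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = health_response(self.path)
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Assumption: the load balancer is pointed at port 8080 on this host.
    ThreadingHTTPServer(("0.0.0.0", 8080), HealthHandler).serve_forever()
```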

    Hi, we are using following String to test the MDEX ping response but we get the invalid version formation on dgraph.log -
    following is on F5
    GET /admin?op=ping HTTP/1.1/r/nHost:myhost.endeca.com:19000/r/nConnection:close/r/n/r/n
    Following gets logged on Dgraph.log
    WARN 09/05/12 05:30:03.799 UTC (1346823003799) DGRAPH {dgraph} Invalid version format in 'HTTP/1.1/r/nHost:myhost.endeca.com:19000/r/nConnection:close/r/n/r/n'
    Please let me know - if you have any suggestions to solve this issue.
    I know that it works from browser and wget from unix with following commands.
    wget http://myhost.endeca.com:19000/admin?op=ping - from unix command line
    from browser:
    http://myhost.endeca.com:19000/admin?op=ping
    Thanks,
    Ram

  • Enable External Load Balancing error

    Hello,
    I'm trying to create a DirectAccess farm with 2 external Load balancers (Step 3.1.1 http://technet.microsoft.com/en-us/library/jj134166.aspx)
    The first server is configured (behind an Edge with 2 NICs) and working but when trying to enable External Load Balancing, I immediately receive this error when applying the settings:
    Initializing operations before applying configuration
     Backing up GPOs...
    Updating cluster settings
     Retrieving server GPO details...
     Opening the server GPO...
     Error: The configuration data for this product is corrupt. Contact your support personnel.
    Finishing operations after applying configuration
     Information: Attempting to roll back the configuration...
    The DirectAccess dashboard shows that all services are fine, the DC is available and no errors are logged in the Event Viewer.
    I can't find any explanation about a possible corrupted configuration.

    Ok... Found the problem... You can't mix Internet IP and LAN IP to create the VIP...

  • Network Load Balancing not failing over properly

    I have 2 MS 2012 servers setup in a NLB unicast configuration, with 2 NICs each on the same subnet. When I take down the second server (and only the second server) the FQDN goes offline. Below are the ipconfigs for each server. Any help would be greatly appreciated!
    Ethernet adapter Data NIC 192.168.220.172:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I350 Gigabit Network
    #4
       Physical Address. . . . . . . . . : 6C-3B-E5-B2-48-60
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.220.172(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.220.1
       DNS Servers . . . . . . . . . . . : 192.168.220.100
                                           192.168.200.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Cluster NIC:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom BCM57810 NetXtreme II
    DIS VBD Client) #67
       Physical Address. . . . . . . . . : 02-BF-C0-A8-DC-AA
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.220.171(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IPv4 Address. . . . . . . . . . . : 192.168.220.170(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.220.1
       DNS Servers . . . . . . . . . . . : 192.168.220.100
                                           192.168.200.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Data NIC 192.168.220.174:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP FlexFabric 10Gb 2-port 533FLR-
    r #54
       Physical Address. . . . . . . . . : A0-D3-C1-F6-96-08
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.220.174(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.220.1
       DNS Servers . . . . . . . . . . . : 192.168.220.100
                                           192.168.200.10
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter Cluster NIC:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC523SFP 10Gb 2-port Server Ad
       Physical Address. . . . . . . . . : 02-BF-C0-A8-DC-AA
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.220.173(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       IPv4 Address. . . . . . . . . . . : 192.168.220.170(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.220.1
       DNS Servers . . . . . . . . . . . : 192.168.220.100
                                           192.168.200.10
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Hi MS DEF,
    A second network adapter is required to provide peer-to-peer communication between cluster hosts. Please isolate your heartbeat network. With unicast, when the cluster is connected to a switch, incoming packets are sent to all the ports on the switch, which can cause switch flooding. Please confirm you have set up your switch correctly; you can refer to the following Cisco switch related unicast configuration.
    The Cisco switch unicast related information:
    How to configure Microsoft Network Load Balancing on two switches
    https://supportforums.cisco.com/discussion/11918276/how-configure-microsoft-network-load-balancing-two-switches
    More information:
    Selecting the Unicast or Multicast Method of Distributing Incoming Requests
    http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx
    An Optimal Network Load Balancing (NLB) Configuration
    http://blogs.technet.com/b/clint_huffman/archive/2007/10/08/an-optimal-network-load-balancing-nlb-configuration.aspx
    I’m glad to be of help to you!

  • CSS11503 load balancing virtual server IP's

    Hi CSS experts,
    We have a Cisco Content Services Switch 11503 Load Balancer which seems to require Real Server NICs to be plugged in. When I plug a cable from our Cisco 3560 switch into the Cisco Load Balancer, it can't see the 2 web server IP's that I'm trying to load balance for HTTP/HTTPS. The virtual IP does not display the webpage of either web servers.
    On the other hand, when I use two physically separate 1U web servers and physically plug 2 cables (1 for each server) into the CSS 8 port switch, the virtual IP is able to redirect the traffic to both web servers.
    How do I configure the CSS to load balance and actually see 2 IP's on the network which isn't plugged in physically per server into the CSS 8 port switch.
    Internet->CSS->1 cable plugged into Cisco switch which host 2 web servers.
    Thanks,
    Mike
    Configuration:
    circuit VLAN1
    ip address 192.168.1.10 255.255.255.0
    service Websrv1
    ip address 192.168.1.104
    protocol tcp
    port 80
    keepalive type http non-persistent
    active
    service Websrv1SSL
    ip address 192.168.1.104
    protocol tcp
    port 443
    keepalive type ssl
    active
    service Websrv2
    ip address 192.168.1.101
    protocol tcp
    port 80
    keepalive type http non-persistent
    active
    service Websrv2SSL
    ip address 192.168.1.101
    protocol tcp
    port 443
    keepalive type ssl
    active
    owner Web
    content NG
    add service Websrv1
    add service Websrv2
    vip address 192.168.1.7
    port 80
    protocol tcp
    advanced-balance arrowpoint-cookie
    url "/*"
    active
    content NGSSL
    add service Websrv1SSL
    add service Websrv2SSL
    vip address 192.168.1.7
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    sticky-inact-timeout 60
    active

    I checked the connectivity to the servers from the CSS and it was good. I was able to ping, and the connection status in sh service summary incremented by 1 each time I tried to connect. From the server, I was able to ping back to the IP of the CSS and the VIP address as well. I have tried using only 1 server for 1 VIP. I have tried changing the default gateway on the server to the IP of the CSS and the VIP IP as well. It still doesn't seem to help. Any more suggestions for me to try?
    Thanks
    Mike

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not an Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1; Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not.
    The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an IP address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer the question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • Load Balancing question

    My company is in the process of building a small scale network architecture strictly for testing purposes. We have a DMZ area that contains 2 load balancers and 1 web server. The web server is a SunFire 280 and has two gig e NICs. They want to cable one NIC to one load balancer and one NIC to the other. Since this is only one box we have to put the NICs on separate subnets. The question is, can I configure the load balancers in a failover situation or an active active situation with one load balancer on one VLAN and another load balancer on a separate VLAN?

    I was not able to understand why you want to give IPs from different subnets to the two NICs.
    There is no requirement like that. If you have your own requirement, can you explain it to me?
    Ashman
