RV082 Load Balance VPN

Hi,
Is it possible to set up a VPN tunnel on each WAN interface going back to the same remote network for the purposes of load balancing?
I know this can be done for a failover scenario but I want both to be active at the same time.
Thanks,
William

I don't think so, but I would leave it to other experts in the community to chime in.

Similar Messages

  • Linksys RV082 Load Balancing and VPN

    We have 3 offices connected by VPN and are currently using RV082 routers for the endpoints. The 2 branch offices have service from a small wireless ISP in the area. We have recently brought DSL in to the main office in addition to the wireless ISP. There are about 20 workstations in the main office, and 2-5 in each of the other offices.
    Right now we have the RV082 at the main office configured to use the DSL as the primary service and fail over to the wireless ISP in event of issues with the DSL. What we would like to do now is have load balancing for the main office and have the VPN endpoints run specifically on the wireless ISP (much lower latency than going through the DSL), failing over to the DSL when required. The ideal situation would allow us to specify traffic (ie - web, and email) for a 'preferred' WAN port so that it uses, for example the DSL circuit for email traffic until the DSL circuit goes down, then email traffic is automatically moved over.
    I know that you can set rules in the load balancing configuration of the RV082 to direct traffic out a specific port. When I have configured these in the past for testing, the rules were not removed when the connection failed over, so any traffic that had a rule configured for the failed port stopped working.
    All of the routers are running firmware version 2.0.0.19-tm.
    I'm sorry if this is a scenario that has been addressed before, but I haven't been able to find any answers. If I missed it, please feel free to point me in the right direction. Is it possible to configure the load balancing rules so that they fail over correctly on the RV082? If so, please post steps for me to follow if you can. If this is not possible on the RV082, please make suggestions for which router we should install at the main office to make this scenario work properly.
    Thanks for any help!

    Thank you for the quick response. Perhaps I didn't explain the situation very well in my first post. We are currently using the Smartlink Backup functionality, and it is working correctly.
    We would like to move to the Load Balance mode, because this will allow us to take better advantage of having two providers. The Auto Load Balance works fine except for certain sites, like a banking site. I understand that the way around this is to create a Protocol Binding rule, but is there a way to have Protocol Binding rules temporarily removed or modified in the event of a WAN failure, so that traffic will not get stuck being sent out to a service provider that is down? I have tested the Load Balance feature and created some Protocol Binding rules as a test. For example, I bound all HTTP (port 80) traffic to WAN1, then unplugged WAN1 to simulate an outage. All HTTP traffic stopped working after I unplugged WAN1, but all other traffic seamlessly continued to function as if nothing had changed.
    Thanks!

  • Best way to load balance VPNs

    I have two ASA 5540s that I would like to configure for VPN load balancing. I had been looking at the Active / Standby configurations, but am curious if doing this I can truly get VPN load balancing or if this means all VPNs on the active unit and then when a failure happens all VPNs go over to the standby unit. This isn't what I want.
    I have found some documents that talk about setting up a cluster. But I think these documents are telling me not to configure the two ASAs as an active / standby failover pair. Does that make sense?
    Anyway - what is the best way to accomplish VPN load balancing? In our setup these ASAs will only be handling VPNs (no firewalling will be done here).

    An active/standby failover pair configuration will provide for resiliency in the event of a hardware or software failure. One ASA is "Active" while the other is in a "Standby" mode. Config and state information is synchronized between the two devices. Only one ASA services client connections at any given time.
    Load balancing, on the other hand, allows you to configure a "cluster" with multiple participants. Each participating ASA can service client connections thus sharing the load. The following doc gives a good overview of load balancing and provides sample configurations.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1048959

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beat to death, but I did not see a real answer. Here is configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not.
    The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • RV082 VPN Load Balance

    I've got a remote site with two separate 5 Mbps MAN connections.  I'm only using one of the connections and the other is a manual "swap the cable" backup.  I need a VPN between sites.  Could I setup two RV082 devices with a VPN on each WAN port and use load balancing as well?

    Hello,
    I believe what you are describing is possible. The RV082 does support a backup remote and local WAN/IP for a site-to-site tunnel; the option is mentioned on page 137 of the Administration Guide. As for the load balancing, that would depend. I don't think you could have two tunnels carrying the same traffic at the same time, because I don't think there is a load balancing method built in for that sort of setup on the RV082. However you could sort of manually load balance the VPN tunnels by sending different VLANs over different WAN ports. You can load balance normal internet traffic between two WANs, so they could both be active at once; the protocol binding options just don't apply for VPN traffic, since it has its own failover mechanisms.
    You would have a better backup than a "swap the cable" manual option, since the tunnel would just failover between the four WANs as needed when DPD detected a failure; it just wouldn't use them all at the same time for the same traffic without some manual tweaking.
    Hope that all makes sense,
    Christopher Ebert - Advanced Network Support Engineer
    Cisco Small Business Support Center
    *please rate helpful posts*

  • RV042 dual VPN connections between locations with load balance

    We currently have three remote offices connected to the main office with gateway to gateway VPN's over DSL lines and everything is working fine. All offices have an RV042 with current firmware. We have added a second DSL line at every location and want to add a second VPN tunnel on WAN2 from the remote offices to the main office and load balance those. Load balance to the internet with the new lines works OK but the issue is that I can't create a second tunnel on WAN2 with the same network addresses as the existing tunnel on WAN1. It seems like this would be a pretty common thing with a dual WAN router but I'm not having much luck figuring it out. Does anybody know of a way to do what we're trying to do?

    Hi,
    While all the RV series Routers provide Dual WAN capability:
    http://www.cisco.com/en/US/products/ps9923/products_qanda_item09186a0080a33b64.shtml
    Only the RV082 allows the backup tunnel. The implementation on the RV082 is not to create a new, separate tunnel using the backup WAN. Instead, the VPN GUI exposes an Advanced tab for the primary tunnel, and you complete the fields in the GUI using the backup WAN IP addresses. I am pretty sure this is not offered on the RV042. It wasn't last I checked, but check your GUI for the above. If it's not there, then you can't do it.
    Steve DiStefano
    Systems Engineer
    US Field Channel Sales

  • Having an issue with vpn load balancing certificate on the vip

    Hi all,
    I am setting up vpn load balancing in a lab. I have two asa's running 8.6. I created a ucc cert from our internal CA  that has the vip as the CN in the cert and the two ASA's themselves as subject alternative names. I used open ssl to create the request. In each asa I am using encryption between the ASA's to encrypt the psk's. Since this is a lab and I do not have the DNS servers at my disposal I've added the hostnames and addresses of each ASA to the config in the ASA's. The problem I have is that when I connect to the vip I get a cert error saying the cert doesn't match the name on the site. See below:
    "The security certificate presented by this website was issued for a different website's address."
    I have a hostfile on my lab pc connected directly to the outside of the ASA that can resolve the name of the vip but when I browse to the vip I get the cert error. If I click proceed anyway the asa redirects me and the page opens without error on one of the two ASA's.
    Does anyone know what the CN of the cert should be for vpn load balancing? I thought the CN would be the vip but something is not right.
    Any help is appreciated.
    Thanks.

    Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

  • VPN load balancing and ASA !!!

    Hi netpros,
    I have a couple of questions about this and hope you might be able to assist me.
    1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?
    2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic which has knowledge of the DHCP scope's default gateway IP address only .. ? How gets the returned packet redirected from the default gateway IP address to the respective ASA internal IP address .?
    3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?
    Your comments are much appreciated

    Hi Gilbert ..
    1.- Thanks I wanted to make sure.
    2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:
    ASA1: Public 20.20.20.20
    Private 192.168.1.1
    ASA2: Public 20.20.20.21
    Private 192.168.1.2
    Cluster virtual IP: 20.20.20.10
    Default gateway for segment 192.168.1.0 is 192.168.1.1
    Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handle this because the return packets are supposed to be directed to ASA2 192.168.1.2
    3.- Any idea about this one ..?
    Cheers,

  • Load-balancing nat-t connections to VPN concentrators

    I'm currently using a CSS to provide redundancy across some nat-t VPN RAS sessions to some VPN concentrators (in different geographical areas). This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concerned that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP500 traffic from a remote user to one concentrator, and the subsequent UDP4500 traffic to another. I tried port ranges and a single content rule - no success. Does anyone know how to associate 2 udp content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

    If you do balance srcip, the CSS will use a hash and this hash function should be the same for all the content rules, so giving you the same results.
    A single layer3 content rule with advanced-balance sticky-srcip should work as well.
    Regards,
    Gilles.
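
An added illustration, not part of the original posts and not the CSS's actual hashing algorithm, of the symmetry concern in this thread: selecting by source IP keeps a client's UDP 500 and UDP 4500 flows on one concentrator, while independent per-rule round-robin can split them. The concentrator names, client addresses, SHA-256 hash and the mismatched-list case are assumptions of this model.

```python
import hashlib
import ipaddress
from itertools import count

IKE, NATT = 500, 4500                  # UDP ports named in the post
POOL = ["conc-east", "conc-west"]      # hypothetical concentrator names

class RoundRobinRule:
    """One content rule that hands out backends in turn, with its own counter."""
    def __init__(self, backends):
        self.backends = list(backends)
        self._next = count()

    def pick(self, src_ip):
        return self.backends[next(self._next) % len(self.backends)]

class SrcIpHashRule:
    """One content rule that picks a backend from a hash of the source IP only."""
    def __init__(self, backends):
        self.backends = list(backends)

    def pick(self, src_ip):
        digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
        return self.backends[int.from_bytes(digest[:4], "big") % len(self.backends)]

def split_sessions(rules, first_packets):
    """Return clients whose UDP 500 and UDP 4500 flows reached different backends."""
    seen = {}
    for src_ip, dport in first_packets:
        seen.setdefault(src_ip, {})[dport] = rules[dport].pick(src_ip)
    return sorted(ip for ip, by_port in seen.items()
                  if len(set(by_port.values())) > 1)

# Constructed sample: first packet of each flow, in arrival order.
# The second client switches to NAT-T before the first one does.
FIRST_PACKETS = [
    ("198.51.100.10", IKE),
    ("198.51.100.20", IKE),
    ("198.51.100.20", NATT),
    ("198.51.100.10", NATT),
]

def demo():
    return {
        # Two independent rules, each with its own rotation: flows can split.
        "round_robin": split_sessions(
            {IKE: RoundRobinRule(POOL), NATT: RoundRobinRule(POOL)}, FIRST_PACKETS),
        # Same hash, same backend list on both rules: never splits.
        "srcip_hash": split_sessions(
            {IKE: SrcIpHashRule(POOL), NATT: SrcIpHashRule(POOL)}, FIRST_PACKETS),
        # Same hash but the two rules list the backends in a different order:
        # in this model the index maps to a different concentrator per rule.
        "srcip_hash_mismatched_lists": split_sessions(
            {IKE: SrcIpHashRule(POOL), NATT: SrcIpHashRule(list(reversed(POOL)))},
            FIRST_PACKETS),
    }

if __name__ == "__main__":
    for name, split in demo().items():
        print(f"{name}: split clients = {split}")
```

In this model the source-IP hash only gives symmetry when both rules resolve the hash against the same ordered backend list, which is the condition to check when reviewing a two-rule configuration.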

  • Load balancing Internet and Site to Site VPN's across Multiple ISP.

    Hi Everyone,
    We are currently connected to a single ISP with different Internet related services like mail, web, dns and IPSEC site to site VPN's running. We would be adding another ISP and do load balancing across these multiple links. We are using Cisco ASA firewall.
    Can anyone suggest a load balancer which can not only provide load balancing of the links but failover as well for mail, web and IPSEC Site to Site VPN's. I came across Peplink that can achieve this but I guess I will have to decommission our ASA in order to install Peplink.
    Check attached diagram, this will be our proposed design.
    Regards

    Hi Sundeep,
    The simplest solution would be to put an IOS router (or two with HSRP) between the ASA and the ISPs and do policy-based routing for your flows between the 2 ISPs. Otherwise, any load balancer should work fine with the ASA. If failover of the load balancer is a requirement, you'll need to look at product specific documentation for whichever solution you choose.
    -Mike

  • VPN load balancing not working correctly

    I have two vpn3030s configured for load balancing. They appear to recognize one another as the correct vpn (priority 10) appears to be the master. The slave however keeps getting an error message in the log "LBSSF master peer[205.172.49.252] is not answering HELLO".
    He appears to timeout the master and switch himself to master where he immediately sees the master and goes back to slave. I am not sure the address above is correct for the error message, 205.172.49.252 is the virtual IP shared by both concentrators. I would expect to see hellos sent and received between the two physical interfaces. Any ideas? I am getting a buffer error on the master as well so all this may be memory related. Not sure at this point.
    Johnny

    It may be due to IP conflict.
    Also check this bug-id:CSCds70213.
    Try these links for more info:
    http://www.cisco.com/warp/public/471/vpn3k-conn.html
    http://www.cisco.com/warp/public/471/ld_bl_vpn3000_7602.html

  • ASA Vpn load balancing and failover

    Hello all.
    We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
    Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
    Thanks
    Daniele

    Hi Wajih,
    I am testing this right now. In my case, I want A and B are failover pairs with A as the primary, (A+B) together as one member in cluster with other ASAs C and D. Here is what I found out:
    1, After the active/standby working, configure the load balancing in the master, the cluster IP worked.
    2, after "no fail ac" in A, cluster IP stopped working. Seems the vpn load balance configuration wasn't copied over to the standby B.
    3, In the active (now it's the secondary B), manually configure vpn load balancing, then the cluster IP worked.
    4, "no fail ac" in the B and make the primary A active, the cluster IP still worked.
    5, after "no fail ac" in A, cluster IP stopped working. show vpn load and found out the load balance was disabled.
    6, "no fail ac" in the B and make the primary A active, the cluster IP then worked.
    Based on above, the secondary B's VPN load balance will be disabled when B becomes active in failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2)
    Thanks,
    Rick.

  • VPN device with dual ISP, fail-over, and load balancing

    We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

    Unless I am mistaken the ASA doesn't do VPN Load Balancing for point-to-point IPSec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for a lot of questions.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For vpn: I can use vpn load balancing.
    But no information if I want to use the active/passive and vpn load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • 2 x 2911 HSEC router 3 ADSL connections each Site to Site VPN Load Balancing Failover

    Hello,
    My scenario is as described in Title.
    Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
    Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
    All ADSL connections have static IPs and belong to same ISP.
    Need - Site to Site VPN between the routers.
    Client requests to load balance the traffic, due to poor ADSL speed and have a failover scenario in case an ADSL line goes down.
    Any help will be appreciated.

    I don't believe you will find one solution for this.
    An idea would be to have all three ADSLs paired with ADSL on the other side.
    Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with same metric.
    This will cause IOS to load balance natively.
    Potential problem: return path might not be the same as forward path, but it should not matter much for most applications.
    Potential cool thing you can do: All the "magical" things in routing world (Did I hear PfR?). FlexVPN on top to make it more flexible.
    Benefit: Rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running.
