VPN load balance

1, Configuration
Two VPN Concentrator 3000s, VPN Client 4.0. The concentrators connect directly to the Internet and the internal LAN.
2, Question
a) Do the two concentrators have to be configured exactly the same (rules, filters) prior to enabling the load balance cluster? Or can the secondary one download the configuration from the master?
b) Can the virtual IP address in the cluster be all 0s?
Thanks in advance!

Hi
While enabling load balancing on your VPN boxes you need to configure them with identical configurations: as you said, the rules on both the private and public interfaces as well as the filters on them.
The IP addressing part also needs to be taken care of on both the private and public interfaces; also, the cluster group IP should be the same on both devices.
Also refer to this link for more info:
http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml
Regards

Similar Messages

  • Having an issue with vpn load balancing certificate on the vip

    Hi all,
    I am setting up VPN load balancing in a lab. I have two ASAs running 8.6. I created a UCC cert from our internal CA that has the VIP as the CN in the cert and the two ASAs themselves as subject alternative names. I used OpenSSL to create the request. In each ASA I am using encryption between the ASAs to encrypt the PSKs. Since this is a lab and I do not have the DNS servers at my disposal, I've added the hostnames and addresses of each ASA to the config in the ASAs. The problem I have is that when I connect to the VIP I get a cert error saying the cert doesn't match the name on the site. See below:
    "The security certificate presented by this website was issued for a different website's address."
    I have a hosts file on my lab PC connected directly to the outside of the ASA that can resolve the name of the VIP, but when I browse to the VIP I get the cert error. If I click proceed anyway the ASA redirects me and the page opens without error on one of the two ASAs.
    Does anyone know what the CN of the cert should be for VPN load balancing? I thought the CN would be the VIP but something is not right.
    Any help is appreciated.
    Thanks.

    Issue resolved. Switched the order of the trustpoints on the outside and vpn load balance.

  • VPN load balancing and ASA !!!

    Hi netpros,
    I have a couple of questions about this and hope you might be able to assist me.
    1.- Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?
    2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? Because the cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
    3.- VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client etc.) and does not work with static LAN-to-LAN tunnels, correct?
    Your comments are much appreciated

    Hi Gilbert ..
    1.- Thanks I wanted to make sure.
    2.- I know that. My question is in regard to the return packets. For example, if I have the IP schema below:
    ASA1: Public 20.20.20.20
    Private 192.168.1.1
    ASA2: Public 20.20.20.21
    Private 192.168.1.2
    Cluster virtual IP: 20.20.20.10
    Default gateway for segment 192.168.1.0 is 192.168.1.1
    Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question: how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2?
    3.- Any idea about this one ..?
    Cheers,

  • ASA 5520 VPN load balancing with Active/Standby failover on 2 devices only...

    This topic has been beaten to death, but I did not see a real answer. Here is the configuration:
    1) 2 x ASA 5520, running 8.2
    2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
    3) Both ASAs are running single context but are active/standby failovers of each other. There are no more ASAs in the equation. Just these 2. NOTE: this is not an Active/Active failover configuration. This is simply a 1-context active/standby configuration.
    4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
    This sounds trivial, but I cannot find a clear answer (without testing this); and many people are confusing the issue. Here are some examples of confusion. These do not apply to my scenario.
    Active/Active failover is understood to mean only two ASAs running multiple contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASAs are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs "active/active", but it is not.
    The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an IP address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server, and then do some kind of routing. Perhaps this will work?
    In any case, any experts out there that can answer question? TIA!

    Wow, some good info posted here (both questions and some answers). I'm in a similar situation with a couple of vpn load-balanced pairs... my goal was to get active-standby failover up and running in each pair- then I ran into this thread and saw the first post about the unique IP addr pools (and obviously we can't have unique pools in an active-standby failover rig where the complete config is replicated). So it would seem that these two features are indeed mutually exclusive. Real nice initial post to call this out.
    Now I'm wondering if the ASA could actually handle a single addr pool in an active-standby fo rig- *if* the code supported the exchange of addr pool status between the fo members (so they each would know what addrs have been farmed out from this single pool)? Can I get some feedback from folks on this? If this is viable, then I suppose we could submit a feature request to Cisco... not that this would necessarily be supported anytime soon, but it might be worth a try. And I'm also assuming we might need a vip on the inside int as well (not just on the outside), to properly flip the traffic on both sides if the failover occurs (note we're not currently doing this).
    Finally, if a member fails in a std load-balanced vpn pair (w/o fo disabled), the remaining member must take over traffic hitting the vip addr (full time)... can someone tell me how this works? And when this pair is working normally (with both members up), do the two systems coordinate who owns the vip at any time to load-balance the traffic? Is this basically how their load-balancing scheme works?
    Anyway, pretty cool thread... would really appreciate it if folks could give some feedback on some of the above.
    Thanks much,
    Mike

  • ASA Vpn load balancing and failover

    Hello all.
    We have two asa5520 configured as primary and standby unit in failover configuration, and all is working properly.
    Is it possible, with this configuration (failover), to configure vpn load balancing/clustering?
    Thanks
    Daniele

    Hi Wajih,
    I am testing this right now. In my case, I want A and B to be a failover pair with A as the primary, and (A+B) together as one member in a cluster with other ASAs C and D. Here is what I found out:
    1, After active/standby is working, configure the load balancing in the master; the cluster IP worked.
    2, After "no fail ac" in A, the cluster IP stopped working. It seems the VPN load balance configuration wasn't copied over to the standby B.
    3, In the active unit (now it's the secondary B), manually configure VPN load balancing; then the cluster IP worked.
    4, "no fail ac" in B and make the primary A active; the cluster IP still worked.
    5, After "no fail ac" in A, the cluster IP stopped working. Ran "show vpn load" and found out the load balance was disabled.
    6, "no fail ac" in B and make the primary A active; the cluster IP then worked.
    Based on the above, the secondary B's VPN load balance will be disabled when B becomes active in the failover role. If that's true, these two features can't work together. Or maybe there is some configuration I'm missing -- maybe having C or D as the cluster master will help. The ASAs are 5510 with 8.4(2).
    Thanks,
    Rick.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540s for Internet traffic inside to outside,
    outside to inside (web, SMTP) but also VPN load balancing for client-to-site, site-to-site and WebVPN.
    In the doc I can configure them for Internet traffic as Active/Standby or Active/Active.
    For VPN I can use VPN load balancing.
    But there is no information if I want to use active/passive and VPN load balancing together.
    Any thoughts on which way to go? what is the best thing to do ?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • VPN load balancing not working correctly

    I have two VPN 3030s configured for load balancing. They appear to recognize one another, as the correct VPN (priority 10) appears to be the master. The slave however keeps getting an error message in the log: "LBSSF master peer[205.172.49.252] is not answering HELLO".
    He appears to time out the master and switch himself to master, where he immediately sees the master and goes back to slave. I am not sure the address above is correct for the error message; 205.172.49.252 is the virtual IP shared by both concentrators. I would expect to see hellos sent and received between the two physical interfaces. Any ideas? I am getting a buffer error on the master as well, so all this may be memory related. Not sure at this point.
    Johnny

    It may be due to an IP conflict.
    Also check this bug ID: CSCds70213.
    Try these links for more info:
    http://www.cisco.com/warp/public/471/vpn3k-conn.html
    http://www.cisco.com/warp/public/471/ld_bl_vpn3000_7602.html

  • 2 x 2911 HSEC routers, 3 ADSL connections each, Site to Site VPN Load Balancing Failover

    Hello,
    My scenario is as described in the title.
    Site A Headquarters. The router is Cisco 2911HSEC with 3 ADSL connections
    Site B Remote Office. The router is Cisco 2911HSEC with 3 ADSL connections and 10 Users.
    All ADSL connections have static IPs and belong to same ISP.
    Need - Site to Site VPN between the routers.
    The client requests to load balance the traffic, due to poor ADSL speed, and to have a failover scenario in case an ADSL line goes down.
    Any help will be appreciated.

    I don't believe you will find one solution for this.
    An idea would be to have all three ADSLs paired with an ADSL on the other side.
    Have 3 VTI (or GRE) tunnels up all the time (VRF-lite anybody?) and advertise routes to the other side with the same metric.
    This will cause IOS to load balance natively.
    Potential problem: the return path might not be the same as the forward path, but it should not matter much for most applications.
    Potential cool thing you can do: all the "magical" things in the routing world (Did I hear PfR?). FlexVPN on top to make it more flexible.
    Benefit: rely on IKE to bring down connections which are going down. Little-to-no management once it's up and running.

  • RV082 VPN Load Balance

    I've got a remote site with two separate 5 Mbps MAN connections. I'm only using one of the connections and the other is a manual "swap the cable" backup. I need a VPN between sites. Could I set up two RV082 devices with a VPN on each WAN port and use load balancing as well?

    Hello,
    I believe what you are describing is possible. The RV082 does support a backup remote and local WAN/IP for a site-to-site tunnel; the option is mentioned on page 137 of the Administration Guide. As for the load balancing, that would depend. I don't think you could have two tunnels carrying the same traffic at the same time, because I don't think there is a load balancing method built in for that sort of setup on the RV082. However, you could sort of manually load balance the VPN tunnels by sending different VLANs over different WAN ports. You can load balance normal Internet traffic between two WANs, so they could both be active at once; the protocol binding options just don't apply to VPN traffic, since it has its own failover mechanisms.
    You would have a better backup than a "swap the cable" manual option, since the tunnel would just fail over between the four WANs as needed when DPD detected a failure; it just wouldn't use them all at the same time for the same traffic without some manual tweaking.
    Hope that all makes sense,
    Christopher Ebert - Advanced Network Support Engineer
    Cisco Small Business Support Center
    *please rate helpful posts*

  • VPN device with dual ISP, fail-over, and load balancing

    We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

    Unless I am mistaken, the ASA doesn't do VPN load balancing for point-to-point IPsec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for a lot of questions.

  • Best way to load balance VPNs

    I have two ASA 5540s that I would like to configure for VPN load balancing. I had been looking at the Active / Standby configurations, but am curious if doing this I can truly get VPN load balancing or if this means all VPNs on the active unit and then when a failure happens all VPNs go over to the standby unit. This isn't what I want.
    I have found some documents that talk about setting up a cluster. But I think these documents are telling me not to configure the two ASAs as a active / standby failover pair. Does that make sense?
    Anyway - what is the best way to accomplish VPN load balancing? In our setup these ASAs will only be handling VPNs (no firewalling will be done here).

    An active/standby failover pair configuration will provide for resiliency in the event of a hardware or software failure. One ASA is "Active" while the other is in a "Standby" mode. Config and state information is synchronized between the two devices. Only one ASA services client connections at any given time.
    Load balancing, on the other hand, allows you to configure a "cluster" with multiple participants. Each participating ASA can service client connections thus sharing the load. The following doc gives a good overview of load balancing and provides sample configurations.
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpnsysop.html#wp1048959

  • Question on how does load balancing work on Firewall Services Module (FWSM)

    Hi everyone,
    I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
    I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
    Please see the simple figure below.
    outside                      inside
    --- L3 SW --+
                |
    MHSRP       +--- FWSM ----
                |
    --- L3 SW --+
    I am going to configure the following default routes on the FWSM, pointing to each MHSRP VIP (192.168.13.29 and 192.168.13.30), for load balancing.
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
    route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1
    However, I don't know how load balancing works on the FWSM.
    On the FWSM, does load balancing work based on:
    Per-Destination?
    Per-Source?
    Per-Packet?
    or
    Other criteria?
    Your information would be greatly appreciated.
    Best Regards,

    Configuring "tunnel default gateway' on the concentrator allowed traffic to flow as desired through the FWSM.
    FWSM is not capable of performing policy based routing, the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.

  • ASA Load-Balancing intriguing question

    I have a setup where the inside interfaces may be in the same private subnet, but the outside interfaces are most likely in different public subnets.
    For example, inside on both ASAs: 192.168.1.1 and 192.168.1.2 /24, and the public side connected even to two different ISPs.
    My guess is that I would probably lose the possibility of failover of the master for load-balancing in case this ASA goes down, but nevertheless I would still be interested in having users connect to the same public IP, with the master giving the FQDN of the other ASA, and balancing their AnyConnect entry into the network between both ASAs. Does it work this way?
    I mean, does this VPN load-balance feature talk only across the inside network, or does it need to have the same outside subnet mask? Is it a trick of the mask on the interface?
    If not, is there a way around that? Like this: if I use a bogus outside interface and tunnel it somehow to the other outside on the other ASA, will the offering of the FQDN still be on, so that the client connects to the other "real" public IP?

    You can't route based on source IP with a firewall, only with a router; it is possible by PBR.
    You can make two static routes, each one pointing to a different router with a different metric;
    in this case it will make the topology like active/standby, which is not good in your case.
    But you can use subinterfaces on your ASA; in this case make each subinterface in a different subnet and a different security level
    and let each subinterface use a different HSRP instance.
    Or there is another way:
    IF you don't use VPN on your ASA you can achieve it by using multiple context.
    In multiple context you are going to separate your firewall virtually,
    so if you have two VLANs in your inside network (two different subnets)
    then each subnet will use a different firewall virtually.
    You are going to divide the internal interface into two subinterfaces
    and you can use one outside interface shared between the contexts or also separate it into two subinterfaces
    and allocate those interfaces to each context,
    so you are going to deal with each context as a different firewall
    and you can use a different HSRP instance on each context.
    But with multiple context you can't use VPN on the firewall.
    *****use the following method*****
    THE OTHER WAY, WHICH I ALSO SUGGEST YOU TRY, IS THE Transparent Firewall.
    In this case your firewall will operate in L2 mode,
    so you can use the routers' HSRP IPs as if there is no firewall in the path,
    which I think is helpful in your case also.
    In transparent mode the default gateway for your clients will be the HSRP IP, because the firewall will not have any IPs except for management;
    also the users will be in the same IP subnet as the gateway, in your case the HSRP VIP,
    and also you can control the network security through the firewall normally.
    Try this way and let me know.
    see the following link for configuration
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    please, Rate if helpful

  • Load-balancing nat-t connections to VPN concentrators

    I'm currently using a CSS to provide redundancy across some NAT-T VPN RAS sessions to some VPN concentrators (in different geographical areas). This works fine, but because I have to create content rules for both UDP 500 and UDP 4500 traffic, I'm concerned that if I move to a genuine load-balanced arrangement instead of merely redundancy, the CSS units might decide to direct UDP 500 traffic from a remote user to one concentrator, and the subsequent UDP 4500 traffic to another. I tried port ranges and a single content rule, with no success. Does anyone know how to associate 2 UDP content rules to enforce traffic symmetry, or will a default srcip balancing rule see the concentrator balance traffic based on srcip globally across all content rules?

    If you do balance srcip, the CSS will use a hash, and this hash function should be the same for all the content rules, so giving you the same results.
    A single layer 3 content rule with advanced-balance sticky-srcip should work as well.
    Regards,
    Gilles.
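To make Gilles's point concrete, here is an added example (not CSS code, and not from this thread): a Python model of the two UDP content rules in front of a constructed pool of concentrators, comparing a source-IP-only hash, a per-flow hash that also mixes in the ports, and a sticky-srcip table. The concentrator names and client addresses are constructed.

```python
"""Why a source-IP hash keeps IKE (UDP 500) and NAT-T (UDP 4500) on one node.

Constructed model, not CSS code: two UDP content rules front the same pool of
VPN concentrators, and each datagram is assigned a node by a balancing policy.
"""
import hashlib
import ipaddress
import struct

# Constructed node names; any three distinct strings work.
CONCENTRATORS = ["conc-east", "conc-west", "conc-north"]

IKE_PORT = 500
NATT_PORT = 4500


def _bucket(key: bytes, n: int) -> int:
    """Map a hash key onto one of n nodes (stand-in for a device's hash function)."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n


def balance_srcip(src_ip, src_port, dst_port):
    """'balance srcip': the key is the client address only, so every content
    rule (UDP 500 and UDP 4500) computes the same bucket for the same client."""
    key = ipaddress.ip_address(src_ip).packed
    return CONCENTRATORS[_bucket(key, len(CONCENTRATORS))]


def balance_flow(src_ip, src_port, dst_port):
    """Per-flow hash that also mixes in the ports: UDP 500 and UDP 4500 from
    one client are different flows and may land on different nodes."""
    key = ipaddress.ip_address(src_ip).packed + struct.pack("!HH", src_port, dst_port)
    return CONCENTRATORS[_bucket(key, len(CONCENTRATORS))]


class StickySrcIp:
    """'advanced-balance sticky-srcip': the first datagram from a client is
    placed round-robin and the choice is pinned in a table keyed by address."""

    def __init__(self):
        self.table = {}
        self._next = 0

    def __call__(self, src_ip, src_port, dst_port):
        node = self.table.get(src_ip)
        if node is None:
            node = CONCENTRATORS[self._next % len(CONCENTRATORS)]
            self._next += 1
            self.table[src_ip] = node
        return node


def symmetric_fraction(policy, n_clients=200):
    """Fraction of constructed clients whose IKE and NAT-T datagrams reach the
    same concentrator under the given policy (1.0 means full symmetry)."""
    same = 0
    for i in range(n_clients):
        client = str(ipaddress.IPv4Address("198.51.100.1") + i)  # constructed
        ike = policy(client, IKE_PORT, IKE_PORT)      # IKE: 500 -> 500
        natt = policy(client, NATT_PORT, NATT_PORT)   # NAT-T floats to 4500 -> 4500
        same += ike == natt
    return same / n_clients


if __name__ == "__main__":
    for name, pol in [("balance srcip", balance_srcip),
                      ("per-flow hash", balance_flow),
                      ("sticky-srcip", StickySrcIp())]:
        print(f"{name:14s} IKE and NAT-T on same node: {symmetric_fraction(pol):.0%}")
```

Only the source-IP-keyed policies give 100% symmetry; the per-flow hash splits a share of the clients across nodes, which is the failure the question describes.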

  • Load balancing Internet and Site to Site VPN's across Multiple ISP.

    Hi Everyone,
    We are currently connected to a single ISP with different Internet related services like mail, web, DNS and IPsec site-to-site VPNs running. We would be adding another ISP and doing load balancing across these multiple links. We are using a Cisco ASA firewall.
    Can anyone suggest a load balancer which can not only provide load balancing of the links but failover as well for mail, web and IPsec site-to-site VPNs? I came across Peplink, which can achieve this, but I guess I will have to decommission our ASA in order to install Peplink.
    Check attached diagram, this will be our proposed design.
    Regards

    Hi Sundeep,
    The simplest solution would be to put an IOS router (or two with HSRP) between the ASA and the ISPs and do policy-based routing for your flows between the 2 ISPs. Otherwise, any load balancer should work fine with the ASA. If failover of the load balancer is a requirement, you'll need to look at product specific documentation for whichever solution you choose.
    -Mike
