KB ID 0001114
Cisco VPN: Load Balancing ASA 5510 (Sep 13, 2011)

Currently we have deployed site to site VPN between 2 ASA 5510 models. One is the corporate site and one is the remote site. Now we plan to use a Radware load balancer in which 2 ISPs will terminate. Now if at the remote site we create only 1 IPsec tunnel and mention a single ISP peering, if one ISP fails at corporate, how will the remote site be accessed by site to.

Procedure, Step 1: This enters vpn-load-balancing configuration mode, in which you can configure the remaining load-balancing. Configure the IP address or the fully qualified domain name of the group to which this device belongs. Configure the group port. This command specifies the. Cluster Configuration: Select Configuration > Features > VPN > Load Balancing, and check Participate in Load Balancing Cluster to enable VPN. Complete these steps to configure the parameters for all ASAs participating in the cluster in the VPN Cluster. Type the IP address of the cluster in the.
Usually when I’m asked to set up Active/Active I cringe, not because it’s difficult, it’s simply because people assume Active/Active is better than Active/Standby. I hear comments like ‘we have paid for both firewalls, let’s use them’, or ‘I want to sweat both assets’.
The only real practical use cases I can think of for Active/Active are:
- You have a multi-tenancy environment and want to offer your tenants failover firewall capability.
- You have multiple LAN subnets and want to split them through different firewalls.
What Active/Active Won’t Give You
Load balancing: It’s a firewall! If you want load balancing, buy a load balancer! People assume that because both firewalls are passing traffic they must load balance; they don’t, in fact they don’t even pass traffic from the same subnet.
VPNs: Yes, there are no VPNs with Active/Active. (This is 100% the case up to and including version 9.0; after version 9.0 they have stopped saying it’s not supported, but don’t say it’s supported.)
Deploy Cisco ASA in Active/Active Failover
Here’s what I’m going to set up:
For a more ‘logical’ view, here’s what is actually being set up:
1. Make sure the licences on the firewalls allow multiple contexts and Active/Active: for the 5510, 5512-X, and 5508-X that means Security Plus; for all other models a ‘base’ licence is required. (Note: This CANNOT be done on an ASA 5505 or 5506-X.)
2. Put the firewalls in Multiple context mode.
3. Let it reboot.
4. Make sure the firewall is in routed mode, and multiple context mode, repeat on the other firewall.
5. Once ASA1 is back up, give it a sensible hostname, and ensure all the physical interfaces (and any sub-interfaces) are NOT shut down (they are shut down by default), and add them to the relevant VLAN.
6. The failover link NEEDS to be configured and used by the SYSTEM context, so it’s configured here. (Note: I’m using the same physical interface for LAN and stateful failover information.)
7. You can only have TWO failover groups (you can have many contexts, depending on the licence on your firewall).
Note: Unlike Active/Passive the ASA can preempt and ‘fail-back’ automatically.
8. Setup and assign your CONTEXTS (virtual firewalls), to these groups.
The following will show you a summary of the contexts.
10. Now configure vASA1.
11. Now configure vASA2.
12. Go back to the System context and save ALL the changes.
Note: Configuration on the main (physical) firewall is complete, the ‘failover’ configuration needs to now be setup on the second physical ASA.
13. On the ’Secondary’ Physical ASA.
14. Remember failover is off by default, and we have not switched it on; this needs to be done on both of the physical ASAs (primary and secondary). Note: Make sure the ‘failover’ interface is NOT in a shut down state first!
Note: If building in GNS3 sometimes you need to put a switch in the middle of the ‘backup link’ or the firewalls don’t detect each other!
17. Top Tip: Remember that you need to make the changes on the active firewall context in the correct failover group. Change the firewall prompt to show you all this information.
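A System-context configuration for the primary physical ASA that ties the steps above together, as an added example (not the original post’s configuration): the interface numbers, VLAN tags, addresses, context names and the failover key value are assumptions, and the secondary unit only needs the failover-link lines with its own unit role.

```cisco
! Added example, not configuration from the original post. System context of the
! PRIMARY physical ASA following the steps above. Assumed: failover link on Gi0/3,
! sub-interfaces (VLAN 10/20) for contexts vASA1/vASA2, addresses and the key value.
hostname ASA1
mode multiple
! Step 5: physical and sub-interfaces are shut down by default; bring them up and tag them
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/3
 no shutdown
! Step 6: one link for LAN and stateful failover; the key encrypts the config and state replication crossing it
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.254.254.1 255.255.255.0 standby 10.254.254.2
failover key <FAILOVER-KEY-PLACEHOLDER>
! Step 7: only two groups exist; 'preempt' gives automatic fail-back to the owning unit
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
mac-address auto
! Step 8: contexts, their interfaces, and the failover group each one joins
context vASA1
 allocate-interface GigabitEthernet0/0.10 outside
 allocate-interface GigabitEthernet0/1.10 inside
 config-url disk0:/vASA1.cfg
 join-failover-group 1
context vASA2
 allocate-interface GigabitEthernet0/0.20 outside
 allocate-interface GigabitEthernet0/1.20 inside
 config-url disk0:/vASA2.cfg
 join-failover-group 2
! Step 17: show unit, priority, state and context in the prompt
prompt hostname priority state context
! Step 14: enable failover last; on the secondary unit use 'failover lan unit secondary', the same link/ip/key lines, then 'failover'
failover
```

The failover link carries the full configuration and connection state of both units, so keep it on an isolated segment and always set a key.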
Testing Active/Active Failover
If you change to vASA1 (notice it’s active).
Now change to vASA2. (This one’s in standby, so DON’T make changes here or they won’t get replicated/saved.)
Note: The moral of the story is you need to be aware of what physical firewall you are on (primary or secondary), what mode you are in (active or standby), and what context you are in (vASA1 or vASA2). So in this example, to make a change to vASA2 you would need to go to Secondary/Standby/vASA2 to edit the active firewall (confusing eh! That’s why I change the firewall prompt).
Now you will want to test things, probably by pinging; don’t forget ICMP is not enabled by default and you will need to enable it (in each context).
Reference: Cisco ASA Series VPN ASDM Configuration Guide – Updated 31/3/2014
Load Balancing Licensing Requirements:
- To use VPN load balancing, you must have an ASA Model 5510 with a Plus license or an ASA Model 5520 or higher.
- VPN load balancing also requires an active 3DES/AES license – The security appliance checks for the existence of this crypto license before enabling load balancing.
Load Balancing Prerequisites:
- You must have first configured the ASA’s public and private interfaces before configuring load balancing.
- You must have previously configured the interface to which the virtual cluster IP address refers.
- All devices that participate in a cluster must share the same cluster-specific values: IP address, encryption settings, encryption key, and port.
- All of the outside and inside network interfaces on the load-balancing devices in a cluster must be on the same IP network.
- If you have a remote-client configuration in which you are using two or more ASAs connected to the same network to handle remote sessions, you can configure these devices to share their session load.
- Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices.
All devices in the virtual cluster carry session load. One device in the virtual cluster, the virtual cluster master, directs incoming connection requests to the other devices, called backup devices: it keeps track of how busy each is and distributes the session load accordingly. The role of virtual cluster master is not tied to a physical device; if the current master fails, one of the backup devices in the cluster takes over that role.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. A VPN client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user) the client connects directly to that host.
Geographical load balancing for VPN often uses a Cisco Global Site Selector (GSS):
- The GSS uses DNS for the load balancing, and the time to live (TTL) value for DNS resolution defaults to 20 seconds.
- Increasing it to a much higher value allows ample time for the authentication phase when the user is entering credentials and establishing the tunnel.
```cisco
# Configuring the Public and Private Interfaces for Load Balancing
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0
!
ASA-1(config)# vpn load-balancing
! Configure the public interface
ASA-1(config-load-balancing)# interface lbpublic outside
! Configure the private interface
ASA-1(config-load-balancing)# interface lbprivate inside
! Priority (1-10): higher is more likely to become the virtual cluster master
ASA-1(config-load-balancing)# priority 8
!
# Configuring the Load Balancing Cluster Attributes
!
ASA-2(config-load-balancing)# cluster ip address 10.10.10.10
ASA-2(config-load-balancing)# cluster port 9023
#################################################
# Optional: cluster key and encryption (must match on every member)
#################################################
ASA-2(config-load-balancing)# cluster key Cisco123
ASA-2(config-load-balancing)# cluster encryption
#################################################
ASA-2(config-load-balancing)# participate
!
# Verify
ASA-1(config-load-balancing)# sh vpn load-balancing
```