Asa Vpn Load Balancing Site To Site

I have 2 ASA 5520 configured as ActiveStandby Failover, and I configured as well Remote VPN and Site-Site VPN and its done successfully, so Im asking if I can configure VPN Load balancing fea. @Don't buy #Preview Shop for Low Price Cisco Asa Site To Site Vpn Load Balancing And Cisco Asa Vpn Sip Rewrite. Shop for Cisco Asa Site To Site Vpn Configuration Step By Step And Asa Load Balancing Vpn Ads Immediately. Re: ASA Load-balancing/Cluster and the VPNs. ASA can load balance remote access VPN (IP. Sec, Clientless VPN, and Client SSL VPN). Site-to-Site and L2TP/IPSec don't participate in LB algorithm. You mus use the real IP of the the ASA for Site-to-Site and L2TP/IPsec sessions. It can be the real IP of the master ASA or any of the cluster.

• Cisco Vpn Site To Site
• Site To Site Vpn Setup
• Cisco Vpn Load Balancing
• Site To Site Vpn Service
• Asa Vpn Load Balancing Site To Site Website
• Asa Vpn Load Balancing

Introduction

This document describes the Director Election process in a VPN load-balancing scenario with the Cisco 5500-X Series Adaptive Security Appliance (ASA).

Prerequisites

Requirements

There are no specific requirements for this document.

Share your videos with friends, family, and the world. Videos about the saints. Biographies of the saints. Learn about the saints of the Catholic Church by watching these informative videos. Our Father, Saints, Prayers, Coloring Books, Novenas, Espanol and more. All FREE to download and faithful to the Magisterium. FREE CATHOLIC MOVIES - ST. AUGUSTINE - RESTLESS HEART - WATCH FREE CATHOLIC MOVIES - ST. Will be showing some of the Best Catholic Films of all time. Here is the drama of ST. AUGUSTINE in English: FOR AMAZING FREE MOVIES LIKE US ON FACEBOOK NOW. Novena to Saint Cajetan for Work - Patron of #Unemployed - Share this Miracle. This very important video was made for Catholics and to present the Catholic Faith to non-Catholics. It has influenced non-Catholics to convert to the Catholic Faith. It disproves evolution, shows evidence of a world-wide flood, covers Biblical miracles, modern-day miracles, Eucharistic miracles, incorrupt bodies of saints and the Shroud of Turin.

Components Used

The information in this document is based on the Cisco ASA 5500-X that runs software Version 9.2.

Note: This document also applies to all software versions, since the feature was first introduced in Version 7.0(1).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

VPN load balancing is a mechanism that is used in order to equitably distribute network traffic among the devices in a virtual cluster. Load balancing is based on simple distribution; it does not take in to account throughput utilization or other factors. A load-balancing cluster consists of two or more devices, a director and one or more secondary devices, and these devices do not have to be configured identically.

Load-Balancing Algorithm

Here is an overview of the load-balancing algorithm:

• The director device maintains a sorted list of secondary cluster members in ascending order of inside IP addresses.
  
• The load is computed as an integer percentage (number of active/maximum sessions) that is supplied by each secondary cluster member.
  
• The director device redirects the IPSec/Secure Sockets Layer (SSL) VPN tunnel to a device with the lowest load first, until it is one percent higher than the other devices.
  
• The director device redirects to itself only when all of the secondary cluster members are one percent higher than the director device.

Here is an example with one director and two secondary cluster members:

• All nodes begin with a zero-percent load, and all percentages are rounded to the nearest half-percent.
  
• The director device takes the connection if all of the members have a load that is one percent higher than the director device.
  
• If the director device does not take the connection, the session is taken by the backup device that currently has the smallest load percentage.
  
• If all of the members have the same load percentage, then the backup device with the least amount of sessions takes the session.
  
• If all of the members have the same load percentage and the same number of sessions, then the backup device with the least amount of IP addresses takes the session.

Director Election Process

The VPN load balancing Director Election process is performed on the cluster outside network. There are two types of data exchanged on the outside network:

• Address Resolution Protocol (ARP) packets for the cluster IP address that are used for director discovery are exchanged. The maximum number of ARP packets that are sent for the cluster IP address in order to discover the director is:
  (10 - priority) + 1
  Here, priority is configured as in the priority subcommand of the vpn load-balancing CLI command.
  
• UDP packets on the outside for the Hello request/response messages are exchanged. The port number is specified in the cluster port load-balancing subcommand and is default to 9023.

As an example, if the priority is five for a load-balancing device, it attempts to send up to six ARP packets in order to see if any director device owns the cluster IP address. If a director device is detected, the ASA does not send any more ARP messages and waits 15 seconds before it sends the UDP Hello request. The director device then responds with an UDP Hello response.

Caveat for Reboot Scenarios

In a reboot situation with two ASAs in a load-balancing cluster:

• Either ASA-1 or ASA-2 was the director before the reboot.
  
• ASA-1 is rebooted.
  
• ASA-2 becomes the director if it was not the director previously.
  
• ASA-1 simply joins the cluster as a member after reboot.

The load-balancing algorithm might be affected by a configuration of the switch where the outside interface of the cluster devices are connected also. For example, a Spanning-Tree algorithm might cause connectivity delay when the device that is connected to the switch is rebooted.

Tip: The spanning-tree port fast command helps to speed up the process.

Cisco Vpn Site To Site

In some cases, a newly rebooted ASA that has load balancing enabled might attempt to become the director device (even if a director device already exists) because it cannot reach the current director device due to a connectivity delay in the switch. When there is a directorship conflict detected as a result of ARP collision, the ASA with a low Media Access Control (MAC) address wins, while the ASA with a higher MAC address gives up the director device role.

Director Reelection Process

There are two situations that cause a reelection of the director device.

Site To Site Vpn Setup

Director Device Removed from the Cluster

When you disable the feature on the ASA, a broadcast message is sent to all of the cluster members in order to inform of the change, and the previously described election process is performed.

Director Device does Not Respond to Cluster Member Hello Messages

Components Used

The information in this document is based on the Cisco ASA 5500-X that runs software Version 9.2.

Note: This document also applies to all software versions, since the feature was first introduced in Version 7.0(1).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

VPN load balancing is a mechanism that is used in order to equitably distribute network traffic among the devices in a virtual cluster. Load balancing is based on simple distribution; it does not take in to account throughput utilization or other factors. A load-balancing cluster consists of two or more devices, a director and one or more secondary devices, and these devices do not have to be configured identically.

Load-Balancing Algorithm

Here is an overview of the load-balancing algorithm:

• The director device maintains a sorted list of secondary cluster members in ascending order of inside IP addresses.
  
• The load is computed as an integer percentage (number of active/maximum sessions) that is supplied by each secondary cluster member.
  
• The director device redirects the IPSec/Secure Sockets Layer (SSL) VPN tunnel to a device with the lowest load first, until it is one percent higher than the other devices.
  
• The director device redirects to itself only when all of the secondary cluster members are one percent higher than the director device.

Here is an example with one director and two secondary cluster members:

• All nodes begin with a zero-percent load, and all percentages are rounded to the nearest half-percent.
  
• The director device takes the connection if all of the members have a load that is one percent higher than the director device.
  
• If the director device does not take the connection, the session is taken by the backup device that currently has the smallest load percentage.
  
• If all of the members have the same load percentage, then the backup device with the least amount of sessions takes the session.
  
• If all of the members have the same load percentage and the same number of sessions, then the backup device with the least amount of IP addresses takes the session.

Director Election Process

The VPN load balancing Director Election process is performed on the cluster outside network. There are two types of data exchanged on the outside network:

• Address Resolution Protocol (ARP) packets for the cluster IP address that are used for director discovery are exchanged. The maximum number of ARP packets that are sent for the cluster IP address in order to discover the director is:
  (10 - priority) + 1
  Here, priority is configured as in the priority subcommand of the vpn load-balancing CLI command.
  
• UDP packets on the outside for the Hello request/response messages are exchanged. The port number is specified in the cluster port load-balancing subcommand and is default to 9023.

As an example, if the priority is five for a load-balancing device, it attempts to send up to six ARP packets in order to see if any director device owns the cluster IP address. If a director device is detected, the ASA does not send any more ARP messages and waits 15 seconds before it sends the UDP Hello request. The director device then responds with an UDP Hello response.

Caveat for Reboot Scenarios

In a reboot situation with two ASAs in a load-balancing cluster:

• Either ASA-1 or ASA-2 was the director before the reboot.
  
• ASA-1 is rebooted.
  
• ASA-2 becomes the director if it was not the director previously.
  
• ASA-1 simply joins the cluster as a member after reboot.

The load-balancing algorithm might be affected by a configuration of the switch where the outside interface of the cluster devices are connected also. For example, a Spanning-Tree algorithm might cause connectivity delay when the device that is connected to the switch is rebooted.

Tip: The spanning-tree port fast command helps to speed up the process.

Cisco Vpn Site To Site

In some cases, a newly rebooted ASA that has load balancing enabled might attempt to become the director device (even if a director device already exists) because it cannot reach the current director device due to a connectivity delay in the switch. When there is a directorship conflict detected as a result of ARP collision, the ASA with a low Media Access Control (MAC) address wins, while the ASA with a higher MAC address gives up the director device role.

Director Reelection Process

There are two situations that cause a reelection of the director device.

Site To Site Vpn Setup

Director Device Removed from the Cluster

When you disable the feature on the ASA, a broadcast message is sent to all of the cluster members in order to inform of the change, and the previously described election process is performed.

Director Device does Not Respond to Cluster Member Hello Messages

If the director device does not respond to a cluster member Hello message, it takes an ASA cluster member approximately 20 seconds to detect that the director is no longer present. The Hello messages are sent every five seconds (not configurable). If cluster members do not receive a response from the director device after four Hello messages, then the election process is triggered.

Cisco Vpn Load Balancing

Troubleshoot

Note: Refer to the Important Information on Debug Commands Cisco article before you use debug commands.

Site To Site Vpn Service

These debug commands can be useful with attempts to troubleshoot issues with your system:

Asa Vpn Load Balancing Site To Site Website

• debug fsm 255 - Use this command in order to activate the general Finite State Machine debug. Enter the no debug all command in order to deactivate.
  
• debug menu vpnlb 3 - Use this command in order to activate the VPN load balancing debug trace. Enter the debug menu vpnlb 3 command once again in order to deactivate.
  
• debug menu vpnlb 4 - Use this command in order to activate the VPN load balancing function trace. Enter the debug menu vpnlb 4 command once again in order to deactivate.

Asa Vpn Load Balancing

Related Information