Asa Vpn Cluster Load Balancing

The administrator configures load-balancing on each security appliance. The following are the steps to configure load-balancing for remote access VPN.

Step 1 Log in to the Cisco ASA using ASDM.

Step 2 On the main menu, choose Wizards.

Cisco ASA VPN Load Balancing is a mechanism that distributes remote access VPN connections equally among the ASA devices in a virtual cluster. One ASA in the cluster is elected the "master"; it accepts the initial connection request on the cluster address and redirects the client to the least-loaded member.

Step 3 Choose the High Availability and Scalability Wizard.


Step 4 The High Availability and Scalability Wizard starts. The screen shown in Figure 12-69 is displayed. Click Configure VPN Cluster Load Balancing, as shown in Figure 12-69.

Figure 12-69 High Availability and Scalability Wizard


Step 5 Click Next.

Step 6 The screen shown in Figure 12-70 is displayed. Enter the cluster IP address. The cluster IP address is the virtual address that VPN clients use to connect to the cluster. In this example, the cluster IP address is 209.165.202.131.

Figure 12-70 VPN Cluster Load-Balancing Configuration


Step 7 Enter a UDP port for load-balancing communication between all Cisco ASAs within the cluster. In this example, the default UDP port (9023) is used.

Step 8 Optionally, you can encrypt all VPN load-balancing traffic. Check the Enable IPsec encryption option to enable encryption.

Step 9 Configure a preshared secret. In this example, the preshared secret is 2wsx1qaz.

Step 10 The priority is set to 5. The higher the priority, the more likely it is that this ASA becomes the master of the cluster.

Step 11 The public interface is the outside interface in this example. The private interface is the inside interface, as shown in Figure 12-70.


Step 12 Click Next.


Step 13 A summary screen is displayed.

Step 14 Click Finish to apply the configuration to the Cisco ASA.

Example 12-13 shows the Cisco ASA remote access VPN and load-balancing CLI configuration.

Example 12-13 Cisco ASA Remote Access VPN and Load-Balancing Configuration

hostname asa-1
!
interface GigabitEthernet0/0
 description Outside interface connected to the Internet
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.0
!
interface GigabitEthernet0/1
 description Inside interface connected to corporate network
 nameif inside
 security-level 100
 ip address 10.250.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.250.30.1 255.255.255.0
 management-only
!
!Split tunneling ACL
access-list IPSEC-RA-GROUP_splitTunnelAcl standard permit 10.250.10.0 255.255.255.0
!ACL to bypass NAT for remote access VPN connections
access-list inside_nat0_outbound extended permit ip 10.250.10.0 255.255.255.0 10.250.50.0 255.255.255.0
!
!IP address pool for remote access VPN clients
ip local pool IPSec-Pool 10.250.50.1-10.250.50.254 mask 255.255.255.0
!
!NAT configuration
nat (inside) 0 access-list inside_nat0_outbound
!
!RADIUS Configuration for remote access VPN authentication
aaa-server RADIUS-Server protocol radius
aaa-server RADIUS-Server (management) host 172.18.85.181
 timeout 5
 key cisco123
!
!Crypto map configuration
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
!ISAKMP enabled on the outside interface
crypto isakmp enable outside
!ISAKMP policy for Remote Access VPN
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
!Load-balancing Configuration
vpn load-balancing
 cluster key 2wsx1qaz
 cluster ip address 209.165.202.131
 cluster encryption
 participate
!
!Remote Access Group Configuration
group-policy IPSEC-RA-GROUP internal
group-policy IPSEC-RA-GROUP attributes
 wins-server value 172.18.124.14 172.18.124.15
 dns-server value 172.18.124.12 172.18.124.13
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC-RA-GROUP_splitTunnelAcl
 default-domain value companyc.com
tunnel-group IPSEC-RA-GROUP type remote-access
tunnel-group IPSEC-RA-GROUP general-attributes
 address-pool IPSec-Pool
 authentication-server-group RADIUS-Server
 default-group-policy IPSEC-RA-GROUP
tunnel-group IPSEC-RA-GROUP ipsec-attributes
 pre-shared-key *
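The CLI equivalent of every choice made in Steps 6 through 11 of the wizard, as an added example (it is not part of Example 12-13 and not the book's own listing). It reuses the walkthrough's values (cluster address 209.165.202.131, UDP port 9023, priority 5, the shared secret 2wsx1qaz, outside/inside as the public/private interfaces) and assumes, as the prerequisite the ASA configuration guide states for cluster encryption, that ISAKMP is also enabled on the inside (lbprivate) interface; the two show commands at the end are the standard verification commands and are the assumed way to confirm the cluster formed.

```cisco
! Added example: full load-balancing stanza generated by wizard Steps 6-11.
! Values are the walkthrough's; enabling ISAKMP on inside is assumed to be
! the prerequisite for "cluster encryption".
crypto isakmp enable inside
!
vpn load-balancing
 ! Step 11: outside carries the cluster virtual address that clients hit,
 ! inside carries the member-to-member control traffic
 interface lbpublic outside
 interface lbprivate inside
 ! Step 10: higher priority makes this member more likely to win the
 ! master election
 priority 5
 ! Step 9: shared secret that authenticates the control channel; it must
 ! be identical on every member and treated like any other VPN secret
 cluster key 2wsx1qaz
 ! Step 6: virtual address the VPN clients connect to
 cluster ip address 209.165.202.131
 ! Step 7: UDP port for inter-member traffic (9023 is the default)
 cluster port 9023
 ! Step 8: protect the control channel with IPsec instead of sending the
 ! load figures and redirect decisions in the clear
 cluster encryption
 ! join the cluster; without this line the stanza is configured but inert
 participate
!
! Verification on each member after the config is applied
show vpn load-balancing
show vpn-sessiondb summary
```

Every member of the cluster needs the same cluster key, cluster IP address, cluster port and encryption setting; a member with a mismatched key or port never joins, and the first show command is where that shows up (the member lists no peers, or the wrong one is master). The second command shows the per-member session count the master balances against.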


With the 9.7 release, Cisco added two VERY important features: route-based VPN with VTIs, and bridge groups! This article shows a quick configuration of a route-based VPN between ASAs. Previously, to do something like this you would need to build a GRE tunnel over IPsec, with a second router terminating the GRE.

Notice: Currently OSPF and EIGRP are not supported over the tunnel interface, even with the static neighbor command, because the tunnel interface does not behave as a point-to-point link. So as of 2/19/2017 we must use BGP to advertise over this tunnel, or just use static routes. BFD is not supported on the tunnel interfaces yet either.

Update: as of 9.9.2 BGP is still the only supported protocol, which is not really an issue, as we can always redistribute.

I was able to get this to work with 0 packet loss!

Here’s a tease of an up VTI!

Network Diagram:

First of all, let's apply some good-practice configs to make this tunnel a little more stable and perform better.

Apply the following to both ASAs:


The first command clamps the TCP MSS (the TCP payload) to 1350 bytes so that encapsulated packets still fit the path MTU, and the second command keeps stateful connections alive even if the VPN temporarily drops.

North ASA config:

South ASA config:

Note: As of code 9.8.1, IKEv2 is supported as well. If you're interested in the IKEv2 version of the config, see below. Assume this is just one side, and that the other ASA's WAN IP is 2.0.0.2 in the example below.

Let's discuss the config above. There's a lot going on here. Each tunnel interface gets its own tunnel-group; they share one IPsec profile. The VTI subnets are 10.10.10.0/24 and 10.10.11.0/24. With the VTIs up we now have point-to-point links we can route over to the other side. Static OSPF or EIGRP neighborships would fit best here, but as I said above they are not supported yet, so we need to use BGP. We configured BGP with private ASNs, advertised the LAN subnets to our neighbors, and made sure the ASA is their next hop. The BGP feature that makes this work is maximum-paths, which allows per-session load balancing across both tunnels. We need the static routes for the secondary tunnels because our default route points towards ISP 1; without them the secondary tunnel's peer would be reached over the wrong ISP, the tunnel would have to renegotiate on failover, and the failover would not be smooth.
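The North ASA configuration that the discussion above describes, reconstructed here as an added example; it is not the post's own config, which is missing from this copy of the page. It also includes the two good-practice commands the earlier paragraph explains, which I assume are `sysopt connection tcpmss 1350` and `sysopt connection preserve-vpn-flows`. Constructed values, not from the post: ISP-facing interfaces named outside (ISP 1, gateway 1.0.0.254) and outside2 (ISP 2, gateway 3.0.0.254), local LAN 10.0.0.0/24, peer WAN addresses 2.0.0.2 (the post's value) and 3.0.0.2, ASN 65001 here and 65002 on the South ASA, and a placeholder pre-shared key.

```cisco
! Added example: North ASA, IKEv1 VTI over two ISPs, eBGP with ECMP.
! Constructed values: outside/outside2 interfaces, gateways 1.0.0.254 and
! 3.0.0.254, LAN 10.0.0.0/24, peer 3.0.0.2, ASNs 65001/65002. Peer 2.0.0.2
! and the VTI subnets 10.10.10.0/24 and 10.10.11.0/24 come from the post.
!
! Baseline tweaks the post describes (assumed to be these two commands):
! clamp MSS so encapsulated segments fit, keep state if the tunnel flaps
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
!
! IKEv1 policy, enabled on both ISP-facing interfaces
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ikev1 enable outside2
!
! One IPsec profile shared by both tunnel interfaces
crypto ipsec ikev1 transform-set VTI-TS esp-aes-256 esp-sha-hmac
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set VTI-TS
!
! One tunnel-group per tunnel, keyed by the peer's WAN address;
! use a distinct strong key per tunnel-group in place of the placeholder
tunnel-group 2.0.0.2 type ipsec-l2l
tunnel-group 2.0.0.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK-1
tunnel-group 3.0.0.2 type ipsec-l2l
tunnel-group 3.0.0.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK-2
!
! Route-based tunnels: each VTI is a point-to-point link with its own /24
interface Tunnel1
 nameif VTI-ISP1
 ip address 10.10.10.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 2.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
interface Tunnel2
 nameif VTI-ISP2
 ip address 10.10.11.1 255.255.255.0
 tunnel source interface outside2
 tunnel destination 3.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Default route via ISP 1, plus a host route so Tunnel2's peer is reached
! via ISP 2; without it the secondary tunnel renegotiates on failover
route outside 0.0.0.0 0.0.0.0 1.0.0.254 1
route outside2 3.0.0.2 255.255.255.255 3.0.0.254 1
!
! eBGP with private ASNs over both VTIs; the peer's next hop is the VTI
! address on this ASA, and maximum-paths installs both routes (ECMP)
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.10.10.2 remote-as 65002
  neighbor 10.10.10.2 activate
  neighbor 10.10.11.2 remote-as 65002
  neighbor 10.10.11.2 activate
  network 10.0.0.0 mask 255.255.255.0
  maximum-paths 2
 exit-address-family
```

The South ASA mirrors this with the .2 addresses on the VTIs, its own LAN in the network statement, and tunnel destinations pointing at the North WAN addresses. To check the result, `show crypto ikev1 sa` should list one SA per peer, `show bgp summary` should show both neighbors in the Established state, and `show route` should list the remote LAN twice, once per tunnel, which is the multipath behaviour the post describes.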

Here’s what the routing table looks like now from the North ASA. Notice the BGP route listed twice? That’s because we enabled multipath/maximum paths.

Now let’s test failing over the tunnel interfaces by shutting down the WAN.

Notice the second tunnel is still up.


We get no ping loss to a host on the other end, behind the other ASA, at 10.0.1.10.


Cisco documentation for reference