VPN Load-Balancing Cluster Configurations – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 66 Setting General VPN Parameters

Understanding Load Balancing

master device redirects the IPsec and SSL VPN tunnel to the device with the lowest load until it is 1%
higher than the rest. When all backup cluster members are 1% higher than the master, the master device
redirects to itself.

For example, if you have one master and two backup cluster members, the following cycle applies:

Note

All nodes start with 0%, and all percentages are rounded half-up.

1. The master device takes the connection if all members have a load 1% higher than the master.

2. If the master does not take the connection, the session is taken by whichever backup device has the least load percentage.

3. If all members have the same percentage load, the backup device with the least number of sessions gets the session.

4. If all members have the same percentage load and the same number of sessions, the device with the least IP addresses gets the session.
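The selection cycle above can be traced with a short simulation, useful when estimating how sessions will spread across members before sizing per-device session limits. This is an added example, not Cisco code: the `Node` fields, the function names, and the 192.0.2.x addresses are constructed, load is assumed to be sessions divided by a per-device session limit, "1% higher" is read as at least one percentage point higher, and "least IP addresses" is read as the numerically lowest IP address.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from ipaddress import ip_address


@dataclass
class Node:
    name: str
    ip: str              # constructed documentation address
    capacity: int        # assumed session limit used to derive load %
    sessions: int = 0
    is_master: bool = False

    @property
    def load_pct(self) -> int:
        # Percentages are rounded half-up, per the Note above.
        # (Python's built-in round() rounds half to even, so it is not used.)
        raw = Decimal(self.sessions * 100) / Decimal(self.capacity)
        return int(raw.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def pick_node(cluster):
    """Return the member that receives the next session."""
    master = next(n for n in cluster if n.is_master)
    backups = [n for n in cluster if not n.is_master]
    # Rule 1: the master takes the session once every backup is 1% above it.
    if all(b.load_pct >= master.load_pct + 1 for b in backups):
        return master
    # Rules 2-4: least load %, then fewest sessions, then lowest IP (assumed).
    return min(backups,
               key=lambda b: (b.load_pct, b.sessions, int(ip_address(b.ip))))


def simulate(cluster, new_sessions):
    """Assign sessions one at a time and return the order of recipients."""
    order = []
    for _ in range(new_sessions):
        node = pick_node(cluster)
        node.sessions += 1
        order.append(node.name)
    return order


def demo():
    # One master and two backups, all starting at 0%, as in the text.
    cluster = [Node("master", "192.0.2.1", 100, is_master=True),
               Node("backup1", "192.0.2.2", 100),
               Node("backup2", "192.0.2.3", 100)]
    return simulate(cluster, 6)
```
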

VPN Load-Balancing Cluster Configurations

A load-balancing cluster can consist of ASAs of the same release, of mixed releases, as well as VPN
3000 concentrators, or a mixture of these, subject to the following restrictions:

Load-balancing clusters that consist of same release ASAs or all VPN 3000 concentrators can run
load balancing for a mixture of IPsec, AnyConnect, and clientless SSL VPN sessions.

Load-balancing clusters that consist of both same release ASAs and VPN 3000 concentrators can
run load balancing for a mixture of IPsec, AnyConnect, and clientless SSL VPN client and clientless
sessions.

Load-balancing clusters that include mixed release ASAs or same release ASAs and VPN 3000
concentrators or both can support only IPsec sessions. In such a configuration, however, the ASAs
might not reach their full IPsec capacity.

"Scenario 1: Mixed Cluster with No SSL VPN Connections" illustrates this situation.

Since Release 7.1(1), IPsec and SSL VPN sessions count or weigh equally in determining the load that
each device in the cluster carries. This is a change from the load-balancing calculation for the ASA
Release 7.0(x) software and the VPN 3000 concentrator. Both platforms use a weighting algorithm that
on some hardware platforms calculates the SSL VPN session load differently from the IPsec session
load.

The virtual master of the cluster assigns session requests to the members of the cluster. The ASA regards
all sessions, SSL VPN or IPsec, as equal and assigns them accordingly. You can configure the number
of IPsec and SSL VPN sessions to allow up to the maximum allowed by your configuration and license.
See "Configuring VPN Session Limits" for a description of how to set these limits.

We have tested up to ten nodes in a load-balancing cluster. Larger clusters might work, but we do not
officially support such topologies.
