Prerequisites, Eligible platforms, Eligible clients – Cisco ASA 5505 User Manual

Page 1416: Vpn load-balancing algorithm

Advertising
background image

66-8

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 66 Setting General VPN Parameters

Understanding Load Balancing

Note

VPN load balancing requires an active 3DES/AES license. The ASA checks for the existence of this
crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the
ASA prevents the enabling of load balancing and also prevents internal configuration of 3DES by the
load balancing system unless the license permits this usage.

Prerequisites

Load balancing is disabled by default. You must explicitly enable load balancing.

You must have first configured the public (outside) and private (inside) interfaces and also have
previously configured the interface to which the virtual cluster IP address refers. You can use the
interface and nameif commands to configure different names for these interfaces. Subsequent
references in this section use the names outside and inside.

All devices that participate in a cluster must share the same cluster-specific values: IP address,
encryption settings, encryption key, and port.

Eligible Platforms

A load-balancing cluster can include ASA models ASA 5510 (with a Plus license) and Model 5520 and
above. You can also include Cisco VPN 3000 series concentrators in the cluster. While mixed
configurations are possible, administration is generally simpler if the cluster is homogeneous.

Eligible Clients

Load balancing is effective only on remote sessions initiated with the following clients:

Cisco AnyConnect VPN client (Release 2.0 and later)

Cisco VPN Client (Release 3.0 and later)

Cisco ASA 5505 ASA (when acting as an Easy VPN client)

Cisco VPN 3002 hardware client (Release 3.5 or later)

Cisco PIX 501/506E when acting as an Easy VPN client

Cisco IOS EZVPN client devices supporting IKE-redirect (IOS 831/871)

Clientless SSL VPN (not a client)

Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN
connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which
load balancing is enabled, but they cannot participate in load balancing.

VPN Load-Balancing Algorithm

The master device maintains a sorted list of backup cluster members in ascending IP address order. The
load of each backup cluster member is computed as an integer percentage (the number of active
sessions). AnyConnect inactive sessions do not count towards the SSL VPN load for load balancing. The

Advertising