
66-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 66 Setting General VPN Parameters

Configuring Load Balancing

For example:

hostname(config)# vpn load-balancing
hostname(config-load-balancing)# redirect-fqdn enable
hostname(config-load-balancing)#

Step 2

Add an entry for each of your ASA outside interfaces into your DNS server if such entries are not already
present. Each ASA outside IP address should have a DNS entry associated with it for lookups. These
DNS entries must also be enabled for reverse lookup.

Step 3

Enable DNS lookups on the ASA with the dns domain-lookup inside command, substituting for inside
whichever interface has a route to your DNS server.

Step 4

Define your DNS server IP address on the ASA; for example: dns name-server 10.2.3.4 (IP address of
your DNS server).

The following example shows a VPN load-balancing command sequence. It names the public interface
of the cluster test and the private interface of the cluster foo, and it enables redirection by fully
qualified domain name:

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# nameif test
hostname(config-if)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# nameif foo
hostname(config-if)# vpn load-balancing
hostname(config-load-balancing)# nat 192.168.10.10
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# cluster key 123456789
hostname(config-load-balancing)# cluster encryption
hostname(config-load-balancing)# cluster port 9023
hostname(config-load-balancing)# redirect-fqdn enable
hostname(config-load-balancing)# participate

Frequently Asked Questions About Load Balancing

IP Address Pool Exhaustion

Q: Does the ASA consider IP address pool exhaustion as part of its VPN load-balancing method?

A: No. If a remote access VPN session is directed to a device that has exhausted its IP address pools,
the session does not establish. The load-balancing algorithm is based on load alone, computed as an
integer percentage (active sessions relative to maximum sessions) that each backup cluster member reports.

Unique IP Address Pools

Q: To implement VPN load balancing, must the IP address pools for AnyConnect clients or IPsec clients
on different ASAs be unique?

A: Yes. IP address pools must be unique for each device.
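The two answers above can be checked against a small model of the cluster. This is an added example, not Cisco code or the ASA's actual algorithm: it assumes the cluster master redirects a new session to the member reporting the lowest integer-percentage load, treats the pool's address count as the number of assignable addresses, and uses constructed member names and pool ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass
class Member:
    """One cluster member as seen by the master (constructed model)."""
    name: str
    active: int            # currently active VPN sessions
    maximum: int           # configured maximum sessions
    pool: IPv4Network      # address pool assigned to remote-access clients
    assigned: int = 0      # addresses already handed out from the pool

    def load(self) -> int:
        # Integer percentage each member reports; pool state is not part of it
        return int(100 * self.active / self.maximum)

    def pool_exhausted(self) -> bool:
        # Simplification: every address in the network is treated as assignable
        return self.assigned >= self.pool.num_addresses


def pick_member(members):
    # Assumed selection rule: the member with the lowest reported load wins
    return min(members, key=Member.load)


def connect(members):
    """Direct one new session; returns (member name, established?)."""
    target = pick_member(members)
    if target.pool_exhausted():
        return target.name, False      # redirected there anyway, then fails
    target.assigned += 1
    target.active += 1
    return target.name, True


def pools_are_unique(members) -> bool:
    """Pre-deployment check: no two members may share or overlap a pool."""
    pools = [m.pool for m in members]
    return not any(a.overlaps(b) for i, a in enumerate(pools) for b in pools[i + 1:])


if __name__ == "__main__":
    lightly_loaded = Member("asa-a", 10, 100, ip_network("192.168.50.0/30"), assigned=4)
    busy = Member("asa-b", 50, 100, ip_network("192.168.51.0/30"))
    print(connect([lightly_loaded, busy]))          # ('asa-a', False)
    print(pools_are_unique([lightly_loaded, busy]))  # True
```

The least-loaded member is chosen even though its pool is empty, so the session fails; swapping in a member whose pool overlaps another's makes the uniqueness check fail before any session is attempted.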
