63-22
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 63 Configuring IKE, Load Balancing, and NAC
Configuring Load Balancing
Scenario 1: Mixed Cluster with No SSL VPN Connections
In this scenario, the cluster consists of a mixture of adaptive security appliances and VPN 3000
Concentrators. Some of the adaptive security appliance cluster peers are running ASA Release 7.0(x),
and some are running Release 7.1(1). The pre-7.1(1) and VPN 3000 peers do not have any SSL VPN
connections, and the 7.1(1) cluster peers have only the base SSL VPN license, which allows two SSL
VPN sessions, but there are no SSL VPN connections. In this case, all the connections are IPsec, and
load balancing works fine.
The two SSL VPN licenses have only a very small effect on whether users can take advantage of the maximum
IPsec session limit, and then only when a VPN 3000 Concentrator is the cluster master. In general, the smaller
the number of SSL VPN licenses on an adaptive security appliance in a mixed cluster, the smaller the effect
on the ability of the ASA 7.1(1) device to reach its IPsec session limit in a scenario where there are only
IPsec sessions.
Scenario 2: Mixed Cluster Handling SSL VPN Connections
Suppose, for example, an adaptive security appliance running ASA Release 7.1(1) software is the initial
cluster master; then that device fails. Another device in the cluster takes over automatically as master
and applies its own load-balancing algorithm to determine processor loads within the cluster. A cluster
master running ASA Release 7.1(1) software cannot weight session loads in any way other than what
that software provides. Therefore, it cannot assign a combination of IPsec and SSL VPN session loads
properly to ASA devices running earlier versions nor to VPN 3000 Concentrators. Conversely, a VPN
3000 Concentrator acting as the cluster master cannot assign loads properly to an ASA Release 7.1(1)
adaptive security appliance. The following scenario illustrates this dilemma.
This scenario is similar to the previous one, in that the cluster consists of a mixture of adaptive security
appliances and VPN 3000 Concentrators. Some of the adaptive security appliance cluster peers are
running ASA Release 7.0(x) and some are running Release 7.1(1). In this case, however, the cluster is
handling SSL VPN connections as well as IPsec connections.
If a device that is running software earlier than ASA Release 7.1(1) is the cluster master, the master
applies the protocol and logic in effect prior to Release 7.1(1). That is, sessions might be directed to
load-balancing peers that have exceeded their session limit. In that case, the user is denied access.
If the cluster master is a device running ASA Release 7.1(1) software, the old session-weighting
algorithm applies only to the pre-7.1(1) peers in the cluster. No one should be denied access in this case.
Because the pre-7.1(1) peers use the session-weighting algorithm, they are more lightly loaded.
An issue arises, however, because you cannot guarantee that the 7.1(1) peer is always the cluster master.
If the cluster master fails, another peer assumes the role of master. The new master might be any of the
eligible peers. Because the outcome is inherently unpredictable, we recommend that you avoid
configuring this type of cluster.
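The following model illustrates the failure mode described in Scenario 2. It is an added example written for this page, not code from the Cisco guide or from ASA software; the guide does not publish the session-weighting formula, so the two master policies, the peer names, the session limits and the initial session counts are all assumptions. The "legacy" policy stands for a pre-7.1(1) or VPN 3000 master that ranks peers by one load figure and cannot see a peer's SSL VPN license limit; the "v71" policy stands for a 7.1(1) master that ranks peers by the capacity that matches the requested session type.

```python
"""Constructed model of mixed-cluster VPN load balancing (example only).

Assumed, not taken from the Cisco guide:
  * legacy master: one load figure per peer, every session counted against
    the IPsec capacity, SSL VPN license limits invisible to the master.
  * v71 master: peers ranked by utilisation of the requested session type,
    and a peer with no headroom for that type is never selected.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    ipsec_limit: int
    ssl_limit: int        # 0 for peers that carry no SSL VPN (VPN 3000, ASA 7.0(x))
    ipsec: int = 0
    ssl: int = 0

    def headroom(self, kind):
        if kind == "ipsec":
            return self.ipsec_limit - self.ipsec
        return self.ssl_limit - self.ssl


def make_cluster():
    """Constructed cluster: two IPsec-only peers and two 7.1(1) peers with the
    two-session base SSL VPN license. Initial IPsec counts are arbitrary."""
    return [
        Peer("vpn3000", ipsec_limit=100, ssl_limit=0, ipsec=30),
        Peer("asa-7.0", ipsec_limit=100, ssl_limit=0, ipsec=30),
        Peer("asa-7.1-a", ipsec_limit=100, ssl_limit=2, ipsec=0),
        Peer("asa-7.1-b", ipsec_limit=100, ssl_limit=2, ipsec=40),
    ]


def legacy_pick(peers, kind):
    """Assumed pre-7.1(1) behaviour: least loaded by a single figure that folds
    every session into the IPsec capacity. A 7.1(1) peer whose two SSL VPN
    slots are both taken still looks almost idle to this master."""
    return min(peers, key=lambda p: ((p.ipsec + p.ssl) / p.ipsec_limit, p.name))


def v71_pick(peers, kind):
    """Assumed 7.1(1) behaviour: rank only peers with headroom for the requested
    session type, by that type's own utilisation. Returns None when the whole
    cluster is out of capacity for that type."""
    eligible = [p for p in peers if p.headroom(kind) > 0]
    if not eligible:
        return None
    if kind == "ipsec":
        util = lambda p: p.ipsec / p.ipsec_limit
    else:
        util = lambda p: p.ssl / p.ssl_limit
    return min(eligible, key=lambda p: (util(p), p.name))


def simulate(policy, requests, peers=None):
    """Direct each request to the peer the policy chooses. The peer admits it
    only if it still has headroom for that session type; otherwise the user is
    denied, which is the outcome the guide warns about."""
    peers = peers if peers is not None else make_cluster()
    log = []
    for kind in requests:
        peer = policy(peers, kind)
        if peer is None or peer.headroom(kind) <= 0:
            log.append((kind, peer.name if peer else None, "denied"))
            continue
        if kind == "ipsec":
            peer.ipsec += 1
        else:
            peer.ssl += 1
        log.append((kind, peer.name, "admitted"))
    denied = sum(1 for _, _, status in log if status == "denied")
    return {"log": log, "denied": denied,
            "sessions": {p.name: (p.ipsec, p.ssl) for p in peers}}


if __name__ == "__main__":
    reqs = ["ssl"] * 5 + ["ipsec"]
    for label, policy in (("legacy master", legacy_pick), ("7.1(1) master", v71_pick)):
        r = simulate(policy, reqs)
        print(f"{label}: denied={r['denied']} sessions={r['sessions']}")
```

With the constructed cluster, the legacy master keeps sending SSL VPN users to asa-7.1-a after its two licensed sessions are taken, so three of five users are denied while asa-7.1-b's two SSL slots stay empty. The 7.1(1) master spreads the four available SSL sessions across both 7.1(1) peers and denies only the fifth user, for whom the cluster genuinely has no capacity.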
Comparing Load Balancing to Failover
Both load balancing and failover are high-availability features, but they function differently and have
different requirements. In some circumstances you can use both load balancing and failover. The
following sections describe the differences between these features.
Load balancing is a mechanism for equitably distributing remote-access VPN traffic among the devices
in a virtual cluster. It is based on simple distribution of traffic without taking into account throughput or
other factors. A load-balancing cluster consists of two or more devices, one of which is the virtual
master, and the others are backups. These devices do not need to be of the exact same type, or have identical
software versions or configurations. All active devices in a virtual cluster carry session loads. Load
balancing directs traffic to the least loaded device in the cluster, distributing the load among all devices.
It makes efficient use of system resources and provides increased performance and high availability.