VPN load balancing and ASA !!!

Jun 7th, 2007
User Badges:
  • Gold, 750 points or more

Hi netpros,

I have a couple of questions about this and hope you might be able to assist me.

1.- Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?

2.- How does the ASA handle the return traffic from the internal LAN towards the remote client? Because the cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?

3.- VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client, etc.) and does not work with static LAN-to-LAN tunnels, correct?

Your comments are much appreciated

ggilbert Fri, 06/08/2007 - 06:24
User Badges:
  • Cisco Employee,


1. You are correct - they can't be used at the same time.

2. When the VPN client connects to the virtual IP address, the connection is sent to the active ASA by redirecting the client's connection to the correct IP address of the active ASA. So, when the connection gets established, it's really to the active ASA's external IP address.

Hope this helps.



Fernando_Meza Sat, 06/09/2007 - 02:27
User Badges:
  • Gold, 750 points or more

Hi Gilbert ..

1.- Thanks I wanted to make sure.

2.- I know that. My question is in regard to the return packets. For example, if I have the IP scheme below:

ASA1: Public


ASA2: Public


Cluster virtual IP:

Default gateway for segment is

Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2. The packets reach the internal server at . The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is (ASA1). Here is my question: how does the cluster handle this, because the return packets are supposed to be directed to ASA2?

3.- Any idea about this one?


ggilbert Mon, 06/11/2007 - 13:15
User Badges:
  • Cisco Employee,

2. You have to do "reverse-route injection".

So, there should be some kind of routing device on the internal network that can run OSPF or RIP, and your clients' IP addresses will be populated correctly to the ASA that is terminating the connection.

3. Only Remote access.



DALI WANG Fri, 07/27/2007 - 06:06

Hi Gilbert, as we know, ASA code 8.0 started supporting EIGRP. Can the ASA use EIGRP for reverse-route injection with downstream routers that also run EIGRP?



netsec123 Fri, 08/10/2007 - 20:17

Hi guys. We, too, are trying to use failover VPN tunnels. When the first ISP goes down, we are using the TRACK command to use the 2nd ISP. HOWEVER, when that occurs we cannot see the 2nd tunnel [backup tunnel] come up to the remote peer. :( Any ideas?

kloc_marek Tue, 01/29/2008 - 12:50

2. You can create two separate IP pools, one for each ASA box, and then set up appropriate routing on the inside hosts (or router, if applicable) for the return traffic.
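The two answers to question 2 (reverse-route injection advertised by a dynamic routing protocol, and a distinct address pool per cluster member with routing on the inside) fit together in one configuration. The following is an added sketch for ASA1, not config posted by anyone in this thread; all addresses, pool names, map names and the cluster key are constructed placeholders, and ASA2 gets the same config with its own outside address, its own pool and a different priority.

```cisco
! ASA1 - added example, placeholder addresses (RFC 5737 ranges), not from the thread
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Distinct client pool per cluster member (kloc_marek's point): the inside
! network can then tell ASA1's clients from ASA2's clients by prefix
ip local pool RA-POOL-ASA1 10.10.1.1-10.10.1.254 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool RA-POOL-ASA1
!
! Reverse-route injection (ggilbert's point): when a client tunnel comes up,
! this ASA installs a static route for that client address
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Advertise the injected client routes to the inside router over OSPF, so
! return traffic is sent to the ASA that actually terminates the tunnel
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
 redistribute static subnets
!
! Load-balancing cluster: clients connect to the virtual address and are
! redirected to this member's real outside address
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 198.51.100.10
 cluster port 9023
 cluster encryption
 cluster key PLACEHOLDER-KEY
 priority 10
 participate
!
! Inside router, if it does NOT run OSPF with the ASAs (IOS syntax): one static
! route per pool pointing at the inside address of the ASA that owns that pool
!   ip route 10.10.1.0 255.255.255.0 192.0.2.1
!   ip route 10.10.2.0 255.255.255.0 192.0.2.2
```

With per-pool static routes the inside router needs no dynamic routing, but a client that is redirected to ASA2 must always receive an address from ASA2's pool, which is why each member is given its own pool.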
