VPN load balancing and ASA !!!

Fernando_Meza
Level 7

Hi netpros,

I have a couple of questions about this and hope you might be able to assist me.

1.- Are VPN load balancing and failover (Active/Active) mutually exclusive ..? I mean they can't be used at the same time correct ..?

2.- How does the ASA handle the return traffic from the Internal LAN towards the remote client .. Because the cluster only requires ONE public virtual IP address, which will work for incoming packets .. but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only .. ? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address .?

3.- VPN load balancing only applies to remote clients using easy VPN technology (easy vpn client, hardware client , pIX using easy vpn client etc ) and does not work with static LAN-LAN tunnel .. correct ..?

Your comments are much appreciated

6 Replies

ggilbert
Cisco Employee

Fernando,

1. You are correct - They can't be used at the same time.

2. When the VPN client connects to the Virtual IP address, the connection is sent to the active ASA by re-directing the connection of the client to the correct IP address of the active ASA. So, when the connection gets established it's really to the active ASA external IP address.

Hope this helps.

Cheers

Gilbert

Hi Gilbert ..

1.- Thanks I wanted to make sure.

2.- I know that .. my question is in regards the return packets .. for example if I have the below IP schema:

ASA1: Public 20.20.20.20

Private 192.168.1.1

ASA2: Public 20.20.20.21

Private 192.168.1.2

Cluster virtual IP: 20.20.20.10

Default gateway for segment 192.168.1.0 is 192.168.1.1

Let's say that a vpn client tries to connect and the cluster instructs the client to connect to ASA2 20.20.20.21. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question .. how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2

3.- Any idea about this one ..?

Cheers,

2. You have to do "reverse-route injection"

So, there should be some kind of a routing device on the internal network that can run OSPF or RIP, and your clients' IP addresses will be populated correctly to the ASA that is terminating the connection.

3. Only Remote access.

Cheers,

Gilbert

Hi Gilbert, as we know ASA code 8.0 started supporting EIGRP. Can ASA use EIGRP for Reverse-route Injection with downstream routers who run EIGRP also?

thanks,

David

Hi guys. We, too are trying to use Failover VPN tunnels. When the first ISP goes down, we are using the TRACK command to use the 2nd ISP. HOWEVER, when that occurs we cannot see the 2nd tunnel [backup tunnel] come up to the remote peer. :( Any ideas?

2. You can create two separate ip pools for each ASA box, and then set up appropriate routing on the inside hosts (or the router, if applicable) for return traffic.

Cheers,

mk
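The two answers to question 2 (Gilbert's reverse-route injection with a dynamic routing protocol, and mk's separate address pool per cluster member with static routes) are shown side by side below as an added configuration example; it is not configuration posted by anyone in this thread. It reuses the thread's addresses (ASA1 20.20.20.20/192.168.1.1, ASA2 20.20.20.21/192.168.1.2, virtual IP 20.20.20.10) and assumes, as Gilbert's reply does, that an inside router is the hosts' default gateway. The router address 192.168.1.254, the pool ranges, the cluster key, and the object names (RA_POOL_ASA1, RA_DYN, OUTSIDE_MAP, RA_TG) are constructed for the example. Syntax is the pre-8.4 form (crypto ipsec transform-set / crypto dynamic-map) matching the 8.0-era code discussed in the thread.

```cisco
! ===== Both cluster members: VPN load balancing =====
! ASA1: outside 20.20.20.20, inside 192.168.1.1
! ASA2: outside 20.20.20.21, inside 192.168.1.2
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 20.20.20.10
 cluster key CONSTRUCTED-SHARED-SECRET
 cluster port 9023
 participate
!
! ===== Client address pools (mk's reply): one pool per member, so the =====
! ===== return path for a client is decided by which pool it came from =====
! on ASA1 (constructed range):
ip local pool RA_POOL_ASA1 10.10.1.1-10.10.1.254 mask 255.255.255.0
! on ASA2 (constructed range):
ip local pool RA_POOL_ASA2 10.10.2.1-10.10.2.254 mask 255.255.255.0
!
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL_ASA1
! (on ASA2 the same tunnel-group references RA_POOL_ASA2)
!
! ===== Option A (Gilbert's reply): RRI + dynamic routing on the inside =====
! set reverse-route makes the ASA install a static host route for each
! connected client; redistributing static into OSPF advertises it to the
! inside router, which then forwards return traffic to the terminating ASA.
crypto ipsec transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_TS
crypto dynamic-map RA_DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets
!
! On 8.0+ code EIGRP can carry the same RRI routes (David's question):
! router eigrp 100
!  network 192.168.1.0 255.255.255.0
!  redistribute static
!
! ===== Option B (mk's reply): static routes on the inside router =====
! IOS router at 192.168.1.254 (constructed), the hosts' default gateway.
! No RRI needed: each pool is routed as a whole to the member that owns it.
ip route 10.10.1.0 255.255.255.0 192.168.1.1
ip route 10.10.2.0 255.255.255.0 192.168.1.2
!
! ===== Verification on each ASA once a client is connected =====
! show vpn load-balancing   (cluster role, peers and connection counts)
! show route static         (Option A: one /32 RRI route per connected client)
```

The point both replies make is the same: the cluster virtual IP only steers the inbound connection; the return path is an ordinary routing problem on the inside network. Option A tracks clients individually (one host route per session, so the inside routing table grows with the number of connected users), while Option B needs only two summary routes but ties each client to the pool of the member it landed on. In the thread's original layout the hosts' default gateway is ASA1 itself, so neither option works until the hosts (or their DHCP scope) point at a device that can hold routes toward both ASAs.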
