cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
302
Views
0
Helpful
1
Replies

Load balance VPN traffic across three L2 links

JHolmes763
Level 1
Level 1

I've got two ASA5510s that are connected via three L2 links that are grouped into one Etherchannel. Load balancing isn't working since it is determined by the source/destination ip/mac, and that is always the same. The only ip/mac to talk over the L2 links are the ASAs.

Is there any way to fix load balancing with the current configuration?

If I switch the L2 connections to L3, will that help? There'd then be 3 equal costs static routes between the L3 switches. Each ASA would have point-to-point connection to the L3 switch on it's side and static routes would do all of the routing. Given that it's still the same ip/mac doing all of the talking, will load balancing still work across the three L3 links?

One switch is a 3560 and one is a 3550. Both run 12.2(25)SEE1 IOS. The ASA has a boot image of "asa704-12-k8.bin".

Thanks for any help.

---John Holmes...

1 Reply 1

JHolmes763
Level 1
Level 1

These switches won't take the "ip load-sharing per-packet" command on the FE interfaces. I did some tests with another 3550 and 3560 and even though it took the commands, all of the traffic still went over one FE interfact.

I tried different methods of "ip cef load-sharing algorithm", too.

I tried making the two L3 switches OSPF neightbors and even though max-paths was set to 3 and there were 3 equal cost paths to the tunnel destinations on the "ASA"s, all of the traffic flowed over on FE interface between the switches.

The only way I can test this is to open a couple ping windows on a laptop connected to one "ASA", which is really just a router. The two routers have a GRE tunnel through the switches, so the only traffic the switch sees is GRE traffic to/from the same ip/mac. I confirmed this was the only thing going out the interface towards the switch by using "show ip cache flow".

Three trunking ports didn't do any good, either. I assume two of them would have just gone into blocking, anyhow.

Thanks for any help. :)

-John

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco