VPN loadbalancing with ASA 5520

Jun 12th, 2008

Hi Guys,

We are planning to deploy ASA 5520 in Active/Standby mode to serve our firewall requirements. At the same time, the same ASAs are also required to handle remote access VPN using IPSEC. Is it possible to configure VPN load balancing (VCA) in Active/Standby mode, or do I need two independent ASAs/firewalls to do VPN load balancing?

Many thanks in advance. Cheers


francisco_1 Fri, 06/13/2008 - 01:02

The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.

So in your case, VPN load balancing is not possible in Active/Standby mode because only one ASA is active.

Active/Active mode will do it.

According to the manual (and actual hands on):

VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include either security contexts, also referred to as multi-mode firewall, or Active/Active stateful failover.

The exception to this caveat is that you can configure and use one connection for administrative purposes to (not through) the security appliance in transparent mode.

Moreover: when the security appliance is configured for Active/Active stateful failover, you cannot enable IPSec or SSL VPN. Therefore, these features are unavailable. VPN failover is available for Active/Standby failover configurations only.

I don't even need to tell you how sad I am because of that. Whatever... life must go on.

If anybody knows something or has some sort of workaround, other than investing in two more Cisco ASA units dedicated to VPN functionality, please let me know!


Roman Rodichev Fri, 08/22/2008 - 08:35

Yes, no VPN in Active/Active... but I guess the question is: can you do "VPN load balancing" in the Active/Standby configuration? I haven't tried it, but Cisco's documentation says:

"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."

The load balancing they are referring to is the VPN load balancing feature (not Active/Active failover). I haven't actually tried it, but I would be curious to know if it works. This problem is actually huge, because if it doesn't work, then the customer would have to buy twice as many SSL VPN licenses if their ASA pair has FW failover configured.

Roman Rodichev Fri, 08/22/2008 - 13:39

Confirmed and tested.

You cannot do VPN load balancing if you have failover enabled. If VPN load balancing is enabled and then you enable failover, the VPN load balancing database loses the standby peer.

The following statement in Cisco's ASA config guide is NOT true:

"The security appliance also provides load balancing, which is different from failover. Both failover and load balancing can exist on the same configuration."

And I'm sure they are referring to VPN load balancing and not to Active/Active load balancing, because the URL link after that statement goes directly to the VPN load balancing section of the ASA configuration guide.
