Load Balancing

Unanswered Question
Jul 16th, 2008

Hi, I have two ASA FWs and two different ISP leased lines. Now I want to create a site-to-site VPN tunnel with the DC, and it will work. It's fine. Now I want to use both ASAs, and both ISP lines will be used for both ASA boxes, and I will create the tunnel. Now if I connect my inside network with both firewalls, will it work? I want load balancing between the ISP links and load balancing of the VPN tunnel. The configuration is below:

FW 1 outside interface

FW 1 Inside Interface

FW 2 Outside interface

FW 2 Inside Interface

Now if I assign the gateway on client machines then traffic moves from FW1 and if I use then traffic will move from the second FW. Now I want the traffic to use both interfaces, with the traffic split 50-50. If it is possible, please tell us what I should do. Will it work if I install one router between the local LAN and the FW? Thanks.

a.alekseev Wed, 07/16/2008 - 09:44

From where to where are you going to do load balancing?

Could you show the planned topology?

elderr Wed, 07/16/2008 - 10:13

Are you using the ASAs in an Active/Active failover?

nikuhappy2010 Wed, 07/16/2008 - 11:37

No, I'm not using failover. Let me clarify my setup again. I have two ASA FWs and two ISP links.

1st ISP link

2nd ISP link

Inside Network

Now I configure one link on the outside interface of the first FW and the second link on the second FW's outside interface. And the first firewall's interface IP address is and the second FW's inside interface IP is and both interfaces are connected to a Cisco router which has three interfaces. The router configuration is below:

Eth 0, which is connected to the 1st FW

Eth 1, which is connected to the 2nd FW

Eth 3, which is connected to my inside network.

Static route using here o.o.o.o o.o.o.o

Now I create a site-to-site tunnel from both FWs with the other site, whose peer IP is In this scenario, will the load balancing work between the ISP links and the site-to-site tunnel? Thanks

nikuhappy2010 Wed, 07/16/2008 - 12:05

Hi, is it possible? Please let me know if you want to know anything else. Thanks

a.alekseev Wed, 07/16/2008 - 12:37

Possible for load balancing between and internet,

but you can't do load balancing between and the remote side.

nikuhappy2010 Wed, 07/16/2008 - 21:23

What would happen if I add a route command for return traffic for the inside network ( from the remote site? Will it communicate? Thanks

a.alekseev Thu, 07/17/2008 - 01:35

I think you can lose half of the traffic.

The problem will be on remote site.

And you need to have identical crypto access-lists for different peers (ASA1, ASA2).

nikuhappy2010 Thu, 07/17/2008 - 02:04

Yeah, it's not an issue. I will make the crypto settings and exempt the network for both ASA FWs. What would be the issue if I go with a similar configuration? I don't have two ISP lines, otherwise I would test it. Can anyone test this scenario? Thanks