ASA VPN Cluster Algorithm

nabil.netapp · ‎12-16-2008

Hello all - Can someone please explain to me how the ASA VPN cluster decision happens? We have two ASAs in cluster, and it seems the master is handing all the connections to the backup and not accepting any itself.

I have searched all the documentations and bunch of books with no luck, I am at lost.

Thank you,

Nabil

nabil.netapp · ‎12-17-2008

Hello all - I got the answer today, I really don't understand why Cisco doesn't post this valuable information anywhere.

Load balancing algorithm

The master maintains a sorted list of secondary cluster members in ascending order of inside IP address.

Load is computed as an integer percentage (# of active/max sessions) supplied by each secondary cluster member.

Master re-directs IPSec/SSL VPN tunnel to a device with the lowest load first until it is 1% higher than the rest.

Master re-directs to itself only when all the secondary cluster members are 1% higher than the master.

For example, if there is one master and two secondary cluster members:

All nodes start with 0%.

The master re-directs tunnels to the first secondary (with lower inside IP address) until it reaches 1%.

Then it re-direct tunnels to the second secondary (with higher inside IP address) until it, too, reaches 1%.

The master re-directs tunnels to itself only when the two secondary's both have reached 1% load.

The whole cycle repeats when all 3 devices reach 1% load..

dianewalker · ‎12-23-2008

Thanks for posting your findings. I had the same question, too and was not able to find the answers. May I ask you where you got this information from? Thanks.

nabil.netapp · ‎12-23-2008

Hello there...Our Cisco reseller SE got it from the ASA BU.

Nabil