SSL VPN through CSS and ASA VPN Load Balancing Logic ?

Unanswered Question
Jan 13th, 2010

Hi all,

We got two ASA5540s. ASA#1 has 5000 IPSEC and 500 SSL license. ASA#2 has only 5000 IPSEC license.

We enabled VPN load balancing on both boxes. They see each other in terms of VPN load balancing configuration.

The problem is, ASA#1 is master in cluster. It does not have any VPN sessions on it, when we try to initiate the first IPSEC VPN connection into the cluster IP, ASA#1 automatically redirects us to ASA#2.

Any one have any explanation to VPN load balancing algorithm of Cisco ASA ?

One more question, is it ok if we load balance SSL VPN (Anyconnect clients) through a Cisco CSS, customer does not prefer to purchase SSL certificates for all IP addresses in the cluster ?

Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dumlutimuralp Mon, 01/18/2010 - 10:40

Hi all,

I have found my answer through a search. Here is the logic :

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

Load is calculated by a % of user load.  There is no preference to stick to box A or box B, this is the only factor taken in to consideration. If you would like to have the user load % increase faster on a device, you will want to tune down the max # of users it can support. It takes 50 users to = 1% load if you are configured to support the full 5K users.

Actions

This Discussion