×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA Site-to-Site VPN Loadbalancing

Unanswered Question
Jan 29th, 2014
User Badges:

Hello everyone,


Im not sure if loadbalancing would address this challenge


We have vpn connections to amazon web sevices (aws). I'm inquiring this as a result of some limitation of aws vpn.

We have two isp both active, but only one default route at any given time. But this doesn't mean that the second isp can't pass traffic out and receive traffic in from that interface. Due to this nature, if we go in and create a customer gateway (aws term for vpn peer) pointing to our second isp, a tunnel will form (active) in that second isp. AWS now has two vpn active tunnel with the same remote local network. When a host in our local network sends traffic to vpc (this is aws network), our firewall will use the tunnel formed in the primary isp. But since there's also a tunnel active in our second isp, there are times aws/vpc sends the return traffic to that second isp tunnel, resulting to a security association mismatch. To prevent that sporadic connection issue, we took out the customer gateway (aws term for vpn peer) pointing to our secondary isp and remove that tunnel-group from our firewall so that there will be only one path. The challenge now is, in the event of primary isp outage, we loose our vpn connection but we still have internet connection being served by the second isp. We want to leverage this second isp to form the backup tunnel during such event. But will not be used during normal operation (both isp are up).


I got this response from aws support.


"At the moment the AWS VPC would return the traffic down all the active VPNs and cannot be bound to a specific VPN.


This could have been achieved using the BGP by changing the AS_PATH parameter but since Cisco's ASA does not support the BGP, this cannot be done in this case."


I'm thinking of some sort of loadbalacing or does asa has any other solution that will address this? Or any solution that will meet aws requirement (does asa supports BGP)?


thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marius Gunnerud Sat, 02/01/2014 - 09:29
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

Is there any reason why you don't want to use an Active/Standby setup with your 2 ASAs? or is it that you can't due to some company policy?


If you have the ASAs set up as an Active/standby then you can sync state between the two ASAs and you should not have noticable down time depending on the type of traffic you are sending over the VPN.


Another option would be to setup the ASAs in an Active/Active configuration, but this will require the use of contexts on both ASAs.  In this scenario you would have one active context for ISP1 and the standby context will be configured on the ASA connected to ISP2.  Then likewise, there will be an active context on the ISP2 ASA and its standby configured on ISP1 ASA.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ha_active_active.html



--
Please remember to rate and select a correct answer

Julio Carvajal Sat, 02/01/2014 - 19:28
User Badges:
  • Purple, 4500 points or more

Hello JonJon,


Load-Balancing over different interfaces not supported (You could do some sort of it using NAT but that's basically tweaking the ASA NAT behavior and I would not recommended for a real network deployment).


The ASA does not support/Establish BGP sessions, It only allows BGP passthrough.


Now if am not sure I get this but if you have an ASA with 2 interfaces connecting to 2 different ISPs (Using Cisco SLA) you can have 1 active link bound with those 2 VPNs and in case the Interface goes down the backup interface will come back and build/negotiate the VPN tunnel while the primary one is down.


Is this what you are looking for? Not sure I get it bud


Looking for some Networking Assistance? 
Contact me directly at [email protected]

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Jonjon Mata Mon, 02/03/2014 - 17:48
User Badges:

Hi Julio,


IP SLA and route backup is what im using to utilize the secondary isp. Actually, aws provides 2 peers to be configured in my asa per interface for redundancy. This redundancy poses the issue because aws sends traffic/return traffic down to all active tunnel. If the asa initiated a traffic, let say it uses the first tunnel to send traffic up aws, sometimes aws sends the return traffic down to the other active tunnel. When this happen i'll see allot of security association mismatch error in asa logs then all connection to aws will be disconnected.

Checking the ipsec statistic, i can see increments in packet encryption but decryption stops.


If asa doens't support site-to-site vpn loadbalancing by design, im looking to leverage some scripting but initially i need to have a passwordless login to asa using key-based or certificate authentication / login. Do you have any idea how to set this up in asa, or does even asa supports this?


Thanks,

Jon

Gesha2424 Wed, 07/30/2014 - 14:52
User Badges:

A crazy suggestion to test out - have more specific routes for your primary tunnel compared to your secondary one. Let's say have 192.168.0.0/24 for the secondary and 192.168.0.0/25 + 192.168.0.128/25 for primary. I've never used AWS so can't comment on whether it will work or not, just a half a year late suggestion...

Actions

This Discussion