Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Load Balancing VPN Servers

I am looking for a product that can load balance point-to-point or branch office IPSEC tunnels. The topology would be small IPSEC boxes at remote sites building tunnels to a central site with 5 or 6 larger IPSEC boxes. The tunnels from the remote sites should be dynamically set up to any one of the central site VPN servers as directed by a load balancing appliance. Can the 11500 series or any other product provide this functionality?

Cisco Employee

Re: Load Balancing VPN Servers

the 11500 is not a good product for this.

CSS is good for TCP and UDP but not IPSEC or any other ip protocols.

I would suggest IOS SLB on a 7200 or cat6k.

IOS SLB is perfect for loadbalancing with no nating involved.

If you need nating, a CSM is the best choice but you need the cat6k because the CSM is a module of that you insert in the catalyst 6x00.




Re: Load Balancing VPN Servers

Hi Gilles,

I read your reply and think this is quite intresting for a lot of customers. By thinking about this solution I stumbled over several IPSec and routing issues which I would like to discuss.

First of all the IPSec issues I see:

In doing ISO SLB you need to have the destination VPN-peer Configured on every router used as endpoint (e.g. as loopback) to avoid problems with AH right? The other possibility I could think of is to implement this via Server-NAT so that you have a virtual IP-Sec EndPoint and multiple real endings (each the physicalinterface IP of the real VPN-Router) with the problem that you are not allowed to use AH but this isn't used very often.

Now my routing issue:

How do you ensure that packets destined to a certain location are routed to the correct VPN-Endpoint if you are having a corporate network behind the Serverfarm of VPN-Routers?

I hope I explained my questions clearly enough.



Cisco Employee

Re: Load Balancing VPN Servers

We have a specialist of this topic internally and I will forward him your questions.

My personal opinion is that if you don't do server nat, then the devices need to be adjacent to the router so we can access distinguish them basec on the mac address.

If you do nating, first be aware you kill the performance of IOS SLB. Nating means all traffic that needs to be loadbalanced will be software switched.

Then nating with IPSEC won't work with AH as you said. I'll double check if there is no other restriction - what about IKE/ISAKMP ?

I'll get back to you asap.


Community Member

Re: Load Balancing VPN Servers

Gilles, have you found any interesting checks about that topic?

CreatePlease to create content