10-31-2010 01:04 PM - edited 03-11-2019 12:02 PM
I have two ISPs going out from my office and was wondering if there is a way to load balance all the traffic. Meaning, I have an interface dedicated to each line and I would like to make it so that the ASA will send any traffic over ISP1, then with the next session send the traffic over ISP2, so they are balancing the load, and if one connection drops, send all traffic to the other ISP's connection. I've seen articles about load balancing but they have been with VPNs or another router in front. I've seen articles doing this using SLA tracking, but on my 5510, using either the CLI or the ASDM, I could not find how to configure this. Perhaps it's not included in the particular IOS I'm running.
Let me know if there is a way to do this solution on my 5510. Here are the exact specs of the firewall using sh ver.
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"
CiscoASA5510 up 4 days 20 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0021.5537.a424, irq 9
1: Ext: Ethernet0/1 : address is 0021.5537.a425, irq 9
2: Ext: Ethernet0/2 : address is 0021.5537.a426, irq 9
3: Ext: Not licensed : irq 9
4: Ext: Management0/0 : address is 0021.5537.a428, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 50
This platform has a Base license.
Serial Number: xxxxxxxx
Running Activation Key: xxxxxxx xxxxxx xxxxxxx xxxxxxx xxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 17:04:50.032 MST Fri Jan 3 2003
10-31-2010 01:35 PM
Hello Jesse,
No, the ASA firewall does not support load balancing, here is a document that can give you more information about it
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q6i
What you can do is to use the second ISP as a backup only.
Hope this helps.
Mike
10-31-2010 01:42 PM
So the failover is done with SLA monitor/tracking, correct? How is this set up and how can I know if my 5510 supports this?
Thanks
10-31-2010 01:46 PM
Hi,
Yup, here is a document that explains how to do it step by step
Hope it helps.
Mike
10-31-2010 03:47 PM
Where would I go within the CLI to input the SLA commands? It doesn't seem like this ASA has that ability. I've gone into the CLI within global config and have not seen the commands anywhere. The ASDM also does not have them visible. Where can I check to see if this ASA 5510 can use SLA monitoring? I'm wondering if it's the IOS I'm running. Here is my sh ver. Thanks for all your help.
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"
CiscoASA5510 up 4 days 22 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0021.5537.a424, irq 9
1: Ext: Ethernet0/1 : address is 0021.5537.a425, irq 9
2: Ext: Ethernet0/2 : address is 0021.5537.a426, irq 9
3: Ext: Not licensed : irq 9
4: Ext: Management0/0 : address is 0021.5537.a428, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 50
This platform has a Base license.
Serial Number: JMX1231L10H
Running Activation Key: xxxx xxxxx xxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 17:04:50.222 MST Fri Jan 3 2003
10-31-2010 04:45 PM
Hello,
Thanks for posting. The document states that you will need to use version 7.2.
"You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1)"
Here is how you can upgrade the code
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml
Hope it helps
Mike
10-31-2010 06:37 PM
Thanks, that is what I need. Now where can I get the IOS upgrades for this?
Thanks
10-31-2010 06:55 PM
Hello,
Follow this path
Go to Cisco.com
Select Support
Download software
In the box type ASA
Select ASA 5510
Then select ASA security appliance Software
Select the image you want (Higher than 7.2 so you can use SLA)
Hope it helps
Mike
10-31-2010 10:35 PM
Just curious, why could I not make two default routes to each ISP like the following? Would the router only take the first entry and move all traffic over this default route, or would it see the two equal cost routes and distribute the traffic over the two?
route Cox_Primary 0.0.0.0 0.0.0.0 10.0.0.1 1
route Qwest_Backup 0.0.0.0 0.0.0.0 10.254.254.1 1
11-01-2010 05:42 AM
Hello,
If the 2 links were on the same network over the same interface, it will distribute or "load balance" (not really load balancing) the traffic between the 2 equal cost routes. If they are on different interfaces (ISP's) only the first one that you configure is going to take precedence. If the primary ISP goes down it will not take the second one.
Mike
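The tracked-route failover that the replies point to, sketched as an added example that is not part of the original thread or of the linked Cisco document. It reuses the interface names and gateways from the question and needs version 7.2(1) or later, as quoted above; the SLA and track IDs and the monitored address 192.0.2.1 are placeholders chosen here.

```text
! Added example. Replaces the two metric-1 default routes from the question,
! which never fail over because only the first one is used.

! Probe a host reached through the primary ISP. 192.0.2.1 is a placeholder:
! pick a stable address beyond the ISP gateway, so an outage upstream of the
! gateway is also detected.
sla monitor 1
 type echo protocol ipIcmpEcho 192.0.2.1 interface Cox_Primary
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability

! Primary default route stays installed only while track 1 is up.
route Cox_Primary 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1

! Backup default route with a worse metric; it is used once the tracked
! route is withdrawn, and traffic returns to the primary when the probe
! succeeds again.
route Qwest_Backup 0.0.0.0 0.0.0.0 10.254.254.1 254

! Verification:
!   show track
!   show sla monitor operational-state
!   show route
```

Outbound NAT and access rules must also exist for the Qwest_Backup interface, otherwise traffic follows the backup route after a failover but is not translated or permitted.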