ASA 5510 - Load Balancing Traffic over two ISPs

Jesse Shumaker
Level 1

I have two ISPs going out from my office and was wondering if there is a way to load balance all the traffic. Meaning, I have an interface dedicated to each line, and I would like to make it so that the ASA will send any traffic over ISP1, then with the next session send the traffic over ISP2, so they are balancing the load, and if one connection drops, send all traffic to the other ISP's connection. I've seen articles about load balancing, but they have been with VPNs or another router in front. I've seen articles doing this using SLA tracking, but on my 5510, using either the CLI or the ASDM, I could not find how to configure this. Perhaps it's not included in the particular IOS I'm running.

Let me know if there is a way to do this solution on my 5510. Here are the exact specs of the firewall using sh ver.

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

CiscoASA5510 up 4 days 20 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0         : address is 0021.5537.a424, irq 9
1: Ext: Ethernet0/1         : address is 0021.5537.a425, irq 9
2: Ext: Ethernet0/2         : address is 0021.5537.a426, irq 9
3: Ext: Not licensed        : irq 9
4: Ext: Management0/0       : address is 0021.5537.a428, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50

This platform has a Base license.

Serial Number: xxxxxxxx
Running Activation Key: xxxxxxx xxxxxx xxxxxxx xxxxxxx xxxxxxxxx

Configuration register is 0x1
Configuration last modified by enable_15 at 17:04:50.032 MST Fri Jan 3 2003

Maykol Rojas
Cisco Employee

Hello Jesse,

No, the ASA firewall does not support load balancing. Here is a document that can give you more information about it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q6i

What you can do is to use the second ISP as a backup only.

Hope this helps.

Mike

So the failover is done with SLA monitor/tracking, correct? How is this set up, and how can I know if my 5510 supports this?

Thanks

Hi,

Yup, here is a document that explains how to do it step by step

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope it helps.

Mike

Where would I go within the CLI to input the SLA commands? It doesn't seem like this ASA has that ability. I've gone into the CLI within global config and have not seen the commands anywhere. The ASDM also does not have them visible. Where can I check to see if this ASA 5510 can use SLA monitoring? I'm wondering if it's the IOS I'm running. Here is my sh ver. Thanks for all your help.

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

CiscoASA5510 up 4 days 22 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0         : address is 0021.5537.a424, irq 9
1: Ext: Ethernet0/1         : address is 0021.5537.a425, irq 9
2: Ext: Ethernet0/2         : address is 0021.5537.a426, irq 9
3: Ext: Not licensed        : irq 9
4: Ext: Management0/0       : address is 0021.5537.a428, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 10
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50

This platform has a Base license.

Serial Number: JMX1231L10H
Running Activation Key: xxxx xxxxx xxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 17:04:50.222 MST Fri Jan 3 2003

Hello,

Thanks for posting. The document states that you will need to use version 7.2.

"You can also use this configuration with the Cisco ASA 5500 Series Security Appliance version 7.2(1)"

Here is how you can upgrade the code

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml

Hope it helps

Mike

Thanks, that is what I need. Now where can I get the IOS upgrades for this?

Thanks

Hello,

Follow this path

Go to Cisco.com

Select Support

Download software

In the box type ASA

Select ASA 5510

Then select ASA security appliance Software

Select the image you want (Higher than 7.2 so you can use SLA)

Hope it helps

Mike

Just curious, why could I not make two default routes to each ISP like the following? Would the router only take the first entry and move all traffic over this default route, or would it see the two equal-cost routes and distribute the traffic over the two?

route Cox_Primary 0.0.0.0 0.0.0.0 10.0.0.1 1

route Qwest_Backup 0.0.0.0 0.0.0.0 10.254.254.1 1

Hello,

If the 2 links were on the same network over the same interface, it will distribute or "load balance" (not really load balancing) the traffic between the 2 equal-cost routes. If they are on different interfaces (ISPs), only the first one that you configure is going to take precedence. If the primary ISP goes down, it will not take the second one.

Mike
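
Added example, not part of the original thread or of the linked Cisco document: the backup-ISP setup discussed above written out as ASA configuration for version 7.2(1) or later, next to the two equal-metric routes from the question. The interface names and next hops are the ones quoted in the thread; the probe target 192.0.2.1, SLA id 123, track id 1 and the timers are constructed placeholders.

```cisco
! Added example with constructed values; requires ASA 7.2(1) or later.
! 192.0.2.1 stands in for a stable host that should be reachable
! through the primary ISP. Replace it with a real target.

! --- As asked in the thread: two default routes, same metric, different
! --- interfaces. Per the reply above, only the first one configured takes
! --- precedence and there is no failover. Shown commented out.
! route Cox_Primary  0.0.0.0 0.0.0.0 10.0.0.1     1
! route Qwest_Backup 0.0.0.0 0.0.0.0 10.254.254.1 1

! --- Probe: ICMP echo sent out the primary interface every 10 seconds,
! --- 3 packets per probe.
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface Cox_Primary
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now

! --- Tracked object: up while the probe reports the target reachable.
track 1 rr 123 reachability

! --- Primary default route, installed only while track 1 is up.
route Cox_Primary 0.0.0.0 0.0.0.0 10.0.0.1 1 track 1

! --- Floating backup: higher metric, used only after the tracked
! --- route has been withdrawn.
route Qwest_Backup 0.0.0.0 0.0.0.0 10.254.254.1 254

! --- Verify from the CLI after applying:
! show sla monitor operational-state
! show track
! show route
```

The backup interface also needs its own outbound NAT rule, otherwise the backup route is installed on failover but internal hosts still have no working Internet access. Probing a host beyond the ISP gateway detects upstream outages that a probe of the next hop alone would miss.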