Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

HA and VPN load balancing

Dear Sir,

We want to use SSL VPN, but Cisco document says if you enable VPN, only A/S is available. In that case only one of them is working, how can we load balance the SSL VPN connection? Is there any document to clarify this?

Also, for VPN load balancing, is the heart beat link still reqired? Or we can create one VLAN for clustered devices?



Re: HA and VPN load balancing

SSL VPNs cannot paritcipate in Load Balancing.

New Member

Re: HA and VPN load balancing

But the ASA datasheet has the following description...


Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN

upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be

increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, supporting a maximum of 7500 SSL VPN peers or 7500 IPsec VPN

peers per cluster.


Any idea?

New Member

Re: HA and VPN load balancing

I believe that whilst you can indeed configure the ASA in a VPN cluster and have load balancing they are then dedicated VPN termination devices and not firewalls. Put them on the same VLAN, assign a cluster IP (public) and away you go.

Here's a quick learning module on how to configure')">

Re: HA and VPN load balancing

Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but the cannot participate in load balancing.

CreatePlease to create content