Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Load Balancing feature can possible between ISP and Tunnels on ASA?

Hi,

I have some idea which may be useful in the term of load balancing between tunnels and ISP links...just need to know is it possible or not....

I want to make a network like this with using two links.

Ist Link ISP Router A----ASA FW A--Inside Router A------Inside Network/DMZ A

IIst Link ISP Router B----ASA FW A--Inside Router A------Inside Network/DMZ A

ASA FW A outside Interace 1.1.1.1 connected with Ist ISP Link

ASA FW A outside 1 Interace 2.2.2.2 connected with IInd ISP Link

ASA Interface Inside 192.168.14.1

ASA Interface Inside1 192.168.13.1

Both Inside Interface are connected with Router Eth port and the 3 rd port of router is using for Inside Network (192.168.12.0)

I have created Tunnel on ASA to connect the DC network by configuring both Outsie interface. And both tunnel are working fine If i access by .13.0 or .14.0 network.

Now I set the comand on Inside router:-

Ip route 0.0.0.0 0.0.0.0 192.168.13.1

Ip route 0.0.0.0 0.0.0.0 192.168.14.1

Now in this scenario, can load balancing configre for both tunnels. I add the route comand on FW to tell the ASA for incoming traffic.

192.168.12.0 255.255.255.0 192.168.13.2

192.168.12.0 255.255.255.0 192.168.14.2

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Load Balancing feature can possible between ISP and Tunnels

"Now wud to like to know if i use static routes instead of dynamic routing then why it wont be best practise"

Sure. Lets take the following example

Ip route 0.0.0.0 0.0.0.0 192.168.13.1

This route will stay in the table as long as the inside router's relevant interface is Up. And if interface goes down, this route will get passive. Thats great. If that interface fails, all traffic will be routed through other route only.

But if something happens to link between ASA and ISP router, Or ISP routers internet link goes down, or Site-To-Site VPN tunnel goes down, Inside router will have no idea if they are down or not and keep the route which is actually dead at far end, and your traffic will be load balanced which the packets that are routed wia that dead route will be dropped.

Dynamic routing protocols are a piece of cake. I wrote the necessary commands in the topology that I drew for you (I hope you downloaded it).

Can you show me any example which is related to Interested Traffic as you mentioned that I cant specify the Intersting traffic for both Tunnels. Are you talking about this entries on remote site?? Thanks..

Yes I am talking about remote site. Here is an example

access-list extended Crypto_10_Interesting

permit ip 172.20.100.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list extended Crypto_20_Interesting

permit ip 172.20.100.0 0.0.0.255 192.168.12.0 0.0.0.255

crypto map outside map 10 ipsec-isakmp

set peer ISPrAPublicIP

set transform-set XXX-XXX-XXX

match address Crypto_10_Interesting

crypto map outside map 10 ipsec-isakmp

set peer ISPrAPublicIP

set transform-set XXX-XXX-XXX

match address Crypto_20_Interesting

Both tunnels are established to get to the 192.168.12.0 network, thats why the interesting traffic is destined for the same network. Also source is the same. Now how will router know which crypto map entry to trigger when the matched traffic arrives? It cant! Some scruffy tweaks can me made to that config like PNAT at remote site or defining different sources, but this is really not the best practise.

22 REPLIES

Re: Load Balancing feature can possible between ISP and Tunnels

Hello Vinay,

Unfortunately, ASA pair can not Load Balance in Active/Active mode. But you have 3 routers and 2 firewalls, so we have options. Here is my suggestion

Establish GRE VPN Tunnel with remote site with both outside routers A and B. Configure EIGRP at remote site and advertise the remote site network from both tunnel interfaces. Also configure your ASAs and Inside Router A in same AS. Now your Inside router gets the same remote network advertised from ASA1 and ASA2, but only one is installed in routing table. Issue "variant 2" command in EIGRP config of inside router and now the remote network is load-balanced.

Regards

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

Well, in my posted scenario I am not using active/active failover. Both ASA are not connected with each other. Thanks

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

I m using only two routers and both ASA inside links are connected with inside router.

Re: Load Balancing feature can possible between ISP and Tunnels

Thats OK, so you can apply my suggestion.

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

So, its not possible Load balancing as per my scenario... Can you think about it again. Thanks

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

pl respond,,

Re: Load Balancing feature can possible between ISP and Tunnels

If you terminate the tunnels at ISP routers, this is possible with the diagram and config I attached

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

Request :- wud like to ask last question, why the load balancing can't be configured in my scenario. I hope, you will show all reasons and my confusion point will be over. Thanks and I appreciate...

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

?? :)

Re: Load Balancing feature can possible between ISP and Tunnels

Load balancing actually can be done with the method you mention, but load balancing with static routes instead dynamic routing protocols is not the best practise.

Re: Load Balancing feature can possible between ISP and Tunnels

Also if you choose your way, you again need 2 IPSEC VPN connections at remote office. you are going to have to specify the same interesting traffic ACL for both crypto map entries, and you can not specify the same interesting traffic for two different tunnels, you may have to apply policy NAT to change the IP scope at one of the ASAs

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

Well, I am very much impressed by your answers. Lot of confusion part has been removed. Now wud to like to know if i use static routes instead of dynamic routing then why it wont be best practise. Reason being, I havnt configured the Dynamic routing as yet. Second:- Can you show me any example to configure the policy nat so that I cud test and go into the production. Thanks

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

??

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

Can you show me any example which is related to Interested Traffic as you mentioned that I cant specify the Intersting traffic for both Tunnels. Are you talking about this entries on remote site?? Thanks..

Re: Load Balancing feature can possible between ISP and Tunnels

"Now wud to like to know if i use static routes instead of dynamic routing then why it wont be best practise"

Sure. Lets take the following example

Ip route 0.0.0.0 0.0.0.0 192.168.13.1

This route will stay in the table as long as the inside router's relevant interface is Up. And if interface goes down, this route will get passive. Thats great. If that interface fails, all traffic will be routed through other route only.

But if something happens to link between ASA and ISP router, Or ISP routers internet link goes down, or Site-To-Site VPN tunnel goes down, Inside router will have no idea if they are down or not and keep the route which is actually dead at far end, and your traffic will be load balanced which the packets that are routed wia that dead route will be dropped.

Dynamic routing protocols are a piece of cake. I wrote the necessary commands in the topology that I drew for you (I hope you downloaded it).

Can you show me any example which is related to Interested Traffic as you mentioned that I cant specify the Intersting traffic for both Tunnels. Are you talking about this entries on remote site?? Thanks..

Yes I am talking about remote site. Here is an example

access-list extended Crypto_10_Interesting

permit ip 172.20.100.0 0.0.0.255 192.168.12.0 0.0.0.255

access-list extended Crypto_20_Interesting

permit ip 172.20.100.0 0.0.0.255 192.168.12.0 0.0.0.255

crypto map outside map 10 ipsec-isakmp

set peer ISPrAPublicIP

set transform-set XXX-XXX-XXX

match address Crypto_10_Interesting

crypto map outside map 10 ipsec-isakmp

set peer ISPrAPublicIP

set transform-set XXX-XXX-XXX

match address Crypto_20_Interesting

Both tunnels are established to get to the 192.168.12.0 network, thats why the interesting traffic is destined for the same network. Also source is the same. Now how will router know which crypto map entry to trigger when the matched traffic arrives? It cant! Some scruffy tweaks can me made to that config like PNAT at remote site or defining different sources, but this is really not the best practise.

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

Brilliant.... Thanks and I appreciate. Can you send me any example if I use the load balancer device like linkproof then able to make Load Balancing between Links and Tunnels.

Re: Load Balancing feature can possible between ISP and Tunnels

You are welcome :)

I have experienced Drytek and Cisco Linksys load balancers. But they again have the same problem I previously addressed. They can not understand the status of the link connected to far end device, and they run a service called NSD (Network Service Detection) (name depends on brand, but the function is same) to understand if the link is up or down. Long story short, you specify a destination address to ping (or some other services) in predefined intervals, if %x is lost, load balancer stops sending data over that link, untill ping becomes responsive. Much like ip sla monitors in cisco routers and firewalls.

In general, Load Balancer is deployed as ISP routers connected to LB and inside clients or switch to LB, but in your scenario, your inside router should be replaced with LB two ASAs connected to LB and inside switch to LB. NSDs can be set for pinging a device in remote site in intervals to understand if the tunel is up, and can be set to ping the gateway of your ISP router to detect internet connection failures.

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

If I go with the same details as you mentioned then will it be a best practise. Can you post a network diagrame with IP details so that it will be more easier to understand all entire things. Thanks

New Member

Re: Load Balancing feature can possible between ISP and Tunnels

If i use dynamic routing protocols instead of static routed then the local site issue will be resolved.. Is it right????? But the prblem is on the remote location. Can you give me any other suggestion which well be use for best practise and cud be implement in the production. Thanks...

Re: Load Balancing feature can possible between ISP and Tunnels

use GRE and do loadbalancing on the routers...

Re: Load Balancing feature can possible between ISP and Tunnels

Best practise will be my very first advise with diagram attached. Since interesting traffic ACL will be based on the gre traffic created to different destinations, there wont be any issues.

Re: Load Balancing feature can possible between ISP and Tunnels

you are using standalone ASAs,

you cannot loadbalance through them because of asymmetric routing.

session goes through one ASA and return traffic goes though another.

This contradict with a statful inspection.

In this case you must use contexts and ASR-group on ASAs

300
Views
0
Helpful
22
Replies
CreatePlease to create content