Cisco Support Community
New Member

load balancing on ASA

Hi forum,

I am connecting one serial line (through a router), one end to the PIX, and another SDSL line (coming in as Ethernet) to my ASA5510. Can I just use static routes to load balance over the two links?

Thank you,

py

7 REPLIES

Re: load balancing on ASA

The 2 links look parallel, where the 1st one is via router-PIX-internal_network, while the other is via SDSL-ASA-internal_network. I guess the PIX and ASA are running separately/in parallel.

To load balance outbound traffic via both links, you might need link load-balancing devices like GSS or F5.

Or you can probably define/divide certain subnets to use the PIX and the ASA to go out:

ASA:

nat (inside) 1

global (outside) 1

PIX:

nat (inside) 1

global (outside) 1

You can also use ASA to achieve link redundancy (not load balance) with static route method if both links are terminated to ASA (but you may not want to waste the PIX here..). See Cisco doc below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806403ec.html#wp1090243

HTH

AK

New Member

Re: load balancing on ASA

Hi AK,

Thanks for your reply, and sorry if my message was not clear. The links are like this:

serial>router>asa1>LAN

sdsl>asa1>LAN

They are both using the same ASA. Why are you saying it is not possible to load balance between the 2 links? Will the traffic take the two paths if the static routes are pointed to the two paths? Will a routing protocol (OSPF) help?

Thanks,

py

New Member

Re: load balancing on ASA

When the PIX/ASA v7 software was first released, it was published that it would not load balance across two equal paths. http://www.ciscotaccc.com/security/showcase?case=K11000921

It was then later released that it will load balance if the paths are learned via OSPF. (Can't find that document.)

I have this configured in our environment and it appears to work.

pix#sh route

O*E2 0.0.0.0 0.0.0.0 [110/1] via X.X.X.Y, 319:02:06, outside

[110/1] via X.X.X.Z, 319:02:06, outside

New Member

Re: load balancing on ASA

Thanks much. This is really good. I will try to find the documents to support that. My vendor is asking me to use RIP; according to them, it will achieve load sharing by using RIP.

New Member

Re: load balancing on ASA

I haven't gotten the ISP to install the new lines, so I tried it on my existing lines (one ADSL, the other SDSL).

I did the redundancy configuration:

http://cco.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

However, instead of using the global NAT, I configured 2 static NATs for my ISA proxy server, which serves all my clients' internet connections.

When I remove my SDSL link, it works after a break and fails over to the ADSL link; I can still ping a public IP from the ASA. But my clients' connections fail, and my GRE tunnel also fails. I have to manually reboot the ASA to get the GRE tunnel up, and reboot the ISA proxy too to get the links back again.

Attached is my layout. How do I make sure my GRE and clients' internet connections through the proxy server work when I have these redundant links? I am using static routes right now.

New Member

Re: load balancing on ASA

You can do the equal cost load multipath balancing with OSPF in PIXOS 6.3.

In 7.x it will also do load balancing across 3 equal cost static routes.

Here is the document you may have been looking for.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ip.htm#wp1047900

New Member

Re: load balancing on ASA

Hi mlitka,

Thanks much for the suggestion.

I am currently using 2 static routes with the unequal cost method, with the ASA sending SMTP packets to a remote IP.

I notice that when the leased line fails, it takes around 40 seconds to 1 minute to fail over to the SDSL line, but the failback from SDSL to the leased line takes around 20 seconds. Is there a way to improve that?

If I go for the OSPF method, since I have two unequal speed lines, one 2MB, one 1.5MB, when OSPF load balances between these 2 lines, will it cause the traffic to slow down?

thanks much,

paul
