
New Member

Load balance VPN traffic across three L2 links

I've got two ASA5510s that are connected via three L2 links that are grouped into one Etherchannel. Load balancing isn't working since it is determined by the source/destination ip/mac, and that is always the same. The only ip/mac to talk over the L2 links are the ASAs.

Is there any way to fix load balancing with the current configuration?

If I switch the L2 connections to L3, will that help? There'd then be 3 equal-cost static routes between the L3 switches. Each ASA would have a point-to-point connection to the L3 switch on its side and static routes would do all of the routing. Given that it's still the same ip/mac doing all of the talking, will load balancing still work across the three L3 links?

One switch is a 3560 and one is a 3550. Both run 12.2(25)SEE1 IOS. The ASA has a boot image of "asa704-12-k8.bin".

Thanks for any help.

---John Holmes...

New Member

Re: Load balance VPN traffic across three L2 links

These switches won't take the "ip load-sharing per-packet" command on the FE interfaces. I did some tests with another 3550 and 3560 and even though it took the commands, all of the traffic still went over one FE interface.

I tried different methods of "ip cef load-sharing algorithm", too.

I tried making the two L3 switches OSPF neighbors and even though max-paths was set to 3 and there were 3 equal cost paths to the tunnel destinations on the "ASA"s, all of the traffic flowed over one FE interface between the switches.

The only way I can test this is to open a couple of ping windows on a laptop connected to one "ASA", which is really just a router. The two routers have a GRE tunnel through the switches, so the only traffic the switch sees is GRE traffic to/from the same ip/mac. I confirmed this was the only thing going out the interface towards the switch by using "show ip cache flow".

Three trunking ports didn't do any good, either. I assume two of them would have just gone into blocking, anyhow.

Thanks for any help. :)
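The behaviour described in both posts (EtherChannel or CEF per-destination hashing pinning a single GRE tunnel to one member link) can be reproduced with a small model. This is an added example, not code from the thread or from Cisco; the addresses and MACs are constructed, and the XOR-of-low-order-bits hash is a simplification of what the switch hardware actually does.

```python
# Added example (not from the original thread): a model of flow-hash
# link selection, showing why a GRE/IPsec tunnel between two fixed
# peers always lands on one member link while the inner flows would
# have spread.  All addresses below are constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _low_byte(addr: str) -> int:
    """Last octet of a dotted-quad IPv4 address or last byte of a MAC."""
    if "." in addr:
        return int(addr.split(".")[-1])
    return int(addr.split(":")[-1], 16)


def select_link(pkt: Packet, n_links: int, method: str = "src-dst-ip") -> int:
    """Pick a member link from an XOR of the hashed header fields
    (simplified model of 'port-channel load-balance src-dst-ip/-mac')."""
    if method == "src-dst-ip":
        key = _low_byte(pkt.src_ip) ^ _low_byte(pkt.dst_ip)
    elif method == "src-dst-mac":
        key = _low_byte(pkt.src_mac) ^ _low_byte(pkt.dst_mac)
    else:
        raise ValueError(f"unknown method {method!r}")
    return key % n_links


# Constructed tunnel endpoints: the two "ASAs"/routers in the thread.
TUNNEL_A = ("02:00:00:00:00:01", "192.0.2.1")
TUNNEL_B = ("02:00:00:00:00:02", "192.0.2.2")


def encapsulate(inner: Packet) -> Packet:
    """GRE/IPsec: whatever the inner packet is, the switch only sees the
    outer A->B header, so the inner fields never reach the hash."""
    return Packet(TUNNEL_A[0], TUNNEL_B[0], TUNNEL_A[1], TUNNEL_B[1])


def inner_traffic() -> list:
    """Nine constructed LAN hosts behind router A talking to one server behind B."""
    return [Packet("02:00:00:00:01:%02x" % i, "02:00:00:00:01:ff",
                   f"10.0.0.{i}", "10.0.1.100") for i in range(1, 10)]


def link_usage(packets, n_links: int = 3, method: str = "src-dst-ip") -> Counter:
    """Count how many packets the hash sends to each member link."""
    return Counter(select_link(p, n_links, method) for p in packets)


if __name__ == "__main__":
    print("inner flows:", dict(link_usage(inner_traffic())))
    print("tunnelled  :", dict(link_usage(map(encapsulate, inner_traffic()))))
```

The same collapse applies to the return direction, since XOR is symmetric in source and destination; per-packet load sharing or several tunnels with distinct endpoint addresses are the only ways this model spreads the load.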