
Failover vs. Load Balancing

I am configuring two ASA 5520's for VPN services only. I see I can put them in Active/Standby failover and/or VPN load balancing.

Wouldn't load balancing make it Active/Active by default? I suppose the config won't be copied over to the other node if I don't do failover though.

Can you do VPN load balancing on an Active/Standby cluster? Sounds weird.

Any thoughts on which way to go?


Re: Failover vs. Load Balancing

Hi .. with 2 ASAs .. In your scenario I believe you could only have 1 option:

1.- Configure a cluster between the 2 ASAs for VPN load balancing. The ASAs will be in single mode. No failover configuration. The cluster setup is supported in single mode only and it does need the devices to be forwarding traffic, which does not happen in a failover Active/Standby setup. You would need 2 pairs of ASAs if you want VPN load balancing and failover Active/Standby.

Below is a brief explanation ..

"If you have a remote-access configuration in which you are using two or more security appliances or VPN Concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. To implement load balancing, you group together logically two or more devices on the same private LAN-to-LAN network, private subnet, and public subnet into a virtual cluster.

All devices in the virtual cluster carry session loads. Load balancing directs session traffic to the least loaded device in the cluster, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.

One device in the virtual cluster, the virtual cluster master, directs incoming traffic to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of virtual cluster master is not tied to a physical device; it can shift among devices. For example, if the current virtual cluster master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new virtual cluster master."

(Cisco Security Appliance Command Line Configuration Guide, Chapter 25, Setting General IPSec VPN Parameters: Understanding Load Balancing)

I hope it helps .. please rate it if it does !!
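A sketch of the virtual cluster described in the reply above, added here as an illustration and not taken from either poster or from the quoted guide. It assumes ASA 7.x/8.x-era `crypto isakmp` syntax and interface names `outside`/`inside`; the virtual IP is a constructed documentation address and the cluster key is a placeholder.

```cisco
! Constructed example. Apply the same block on BOTH ASAs.
! Each unit runs in single mode with no failover configured, so the
! configuration is not replicated and must be kept in sync by hand.

! ISAKMP has to be enabled on the private (inside) interface before
! "cluster encryption" is accepted.
crypto isakmp enable outside
crypto isakmp enable inside

vpn load-balancing
 ! Public and private interfaces shared by all cluster members
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual cluster address that remote-access clients connect to
 ! (placeholder; must be on the shared public subnet)
 cluster ip address 192.0.2.10
 ! UDP port used for cluster communication
 cluster port 9023
 ! Shared secret protecting inter-device load-balancing messages
 ! (placeholder; must be identical on every member)
 cluster key <SHARED-CLUSTER-SECRET>
 cluster encryption
 ! 1-10; the higher value is preferred in the master election.
 ! Pick a different value on the second ASA if one unit should win.
 priority 10
 ! Join the cluster
 participate

! Verify role (master/backup) and per-member load afterwards:
! show vpn load-balancing
```

Without `cluster encryption` and a strong `cluster key`, the load-balancing messages exchanged between the two units on the private interface are sent unprotected.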
