I have a couple of questions about this and hope you might be able to assist me.
1. Are VPN load balancing and failover (Active/Active) mutually exclusive? I mean they can't be used at the same time, correct?
2. How does the ASA handle the return traffic from the internal LAN towards the remote client? Because the cluster only requires ONE public virtual IP address, which will work for incoming packets, but what about the return traffic, which has knowledge of the DHCP scope's default gateway IP address only? How does the returned packet get redirected from the default gateway IP address to the respective ASA internal IP address?
3. VPN load balancing only applies to remote clients using Easy VPN technology (Easy VPN client, hardware client, PIX using Easy VPN client, etc.) and does not work with static LAN-to-LAN tunnels, correct?
1. You are correct - they can't be used at the same time.
2. When the VPN client connects to the virtual IP address, the connection is sent to the active ASA by redirecting the client's connection to the correct IP address of the active ASA. So, when the connection gets established, it's really to the active ASA's external IP address.
2. I know that. My question is in regard to the return packets. For example, if I have the below IP schema:
ASA1: Public 184.108.40.206
ASA2: Public 220.127.116.11
Cluster virtual IP: 18.104.22.168
Default gateway for segment 192.168.1.0 is 192.168.1.1
Let's say that a VPN client tries to connect and the cluster instructs the client to connect to ASA2 22.214.171.124. The packets reach the internal server at 192.168.1.100. The internal server then sends the return packets back to the client by forwarding them to its default gateway, which is 192.168.1.1 (ASA1). Here is my question: how does the cluster handle this, because the return packets are supposed to be directed to ASA2 192.168.1.2?
So, there should be some kind of routing device on the internal network that can run OSPF or RIP, and your client's IP address will be populated correctly to the ASA that is terminating the connection.
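One way to implement what the reply describes, added here as an illustration and not taken from the thread: the terminating ASA injects a host route for each connected client (Reverse Route Injection) and redistributes it into OSPF so the internal router at 192.168.1.1 sends return traffic to the right cluster member. The interface names (outside/inside), the crypto map and dynamic map names, the OSPF process number and the cluster key are assumptions; the addresses reuse the ones from the question.

```cisco
! Added example (not from the thread). Assumed names: outside/inside,
! OUTSIDE_MAP, DYN, OSPF process 1, cluster key. Apply on each ASA member.
!
! Load-balancing cluster: clients connect to the virtual IP and are
! redirected to the chosen member's own public address.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 18.104.22.168
 cluster key <cluster-key-placeholder>
 participate
!
! Reverse Route Injection: when a remote-access client connects, the
! ASA terminating that tunnel installs a static host route for the
! client's assigned address, so only that member knows the route.
crypto dynamic-map DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
!
! Advertise the injected routes to the internal router (192.168.1.1),
! which must also run OSPF in area 0, so servers in 192.168.1.0/24 get
! their return packets forwarded to the correct ASA rather than always
! to the segment's default gateway.
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 redistribute static subnets
```

After a client connects, `show route` on the terminating ASA should list a static host route for the client's address, and the internal router should learn that route via OSPF; if it does not, return traffic will still follow the default gateway and the tunnel will appear one-way.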
Hi guys. We, too, are trying to use failover VPN tunnels. When the first ISP goes down, we are using the TRACK command to use the 2nd ISP. HOWEVER, when that occurs we cannot see the 2nd tunnel [backup tunnel] come up to the remote peer. :( Any ideas?