02-23-2009 11:22 PM
Dear Sir,
I am confused about failover and load balancing. We want to use SSL VPN, but the Cisco document says that if you enable VPN, only A/S is available. In that case only one of them is working, so how can we load balance the SSL VPN connections? Is there any document to clarify this?
Thanks.
02-24-2009 03:26 AM
SSL VPNs cannot participate in Load Balancing.
02-24-2009 06:31 PM
But the ASA datasheet has the following description...
==========
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Businesses can scale up to 750 SSL VPN peers on each Cisco ASA 5520 by installing an SSL VPN upgrade license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can also be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, supporting a maximum of 7500 SSL VPN peers or 7500 IPsec VPN peers per cluster.
=============
Any idea?
02-24-2009 06:52 PM
ASA CAN do load-sharing regarding SSL VPN. ASA cannot do load-sharing with remote access VPN (i.e. Cisco VPN client) or Site-2-Site VPN.
02-24-2009 09:10 PM
Thanks for the clarification.
1) Is a heartbeat link still required for a VPN cluster? If not, how do cluster members recognize each other?
2) How can A/S work with VPN cluster load balancing?
3) Should I connect each ASA to both switches, or one to one?
Thanks
02-25-2009 01:52 AM
OK then - please explain:-
Cisco Adaptive Security Appliance Software Version 7.2(2)
"Note - Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing"
02-25-2009 01:59 AM
Oh and in ASA 8.0(2)
Note: Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.