12-16-2008 08:01 PM
Hello all - Can someone please explain to me how the ASA VPN cluster decision happens? We have two ASAs in a cluster, and it seems the master is handing all the connections to the backup and not accepting any itself.
I have searched all the documentation and a bunch of books with no luck; I am at a loss.
Thank you,
Nabil
12-17-2008 10:29 AM
Hello all - I got the answer today, I really don't understand why Cisco doesn't post this valuable information anywhere.
Load balancing algorithm
The master maintains a sorted list of secondary cluster members in ascending order of inside IP address.
Load is computed as an integer percentage (# of active/max sessions) supplied by each secondary cluster member.
Master re-directs IPSec/SSL VPN tunnel to a device with the lowest load first until it is 1% higher than the rest.
Master re-directs to itself only when all the secondary cluster members are 1% higher than the master.
For example, if there is one master and two secondary cluster members:
All nodes start with 0%.
The master re-directs tunnels to the first secondary (with lower inside IP address) until it reaches 1%.
Then it re-directs tunnels to the second secondary (with higher inside IP address) until it, too, reaches 1%.
The master re-directs tunnels to itself only when the two secondaries have both reached 1% load.
The whole cycle repeats when all 3 devices reach 1% load.
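Added example, not part of the original post and not Cisco code: a small simulation of the redirect rule as described above. The node names, IP addresses and session limits are constructed, and rounding the load percentage down is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    inside_ip: str
    max_sessions: int
    active: int = 0

    @property
    def load(self) -> int:
        # Integer percentage of active/max sessions (rounding down is assumed).
        return self.active * 100 // self.max_sessions


def pick_target(master, secondaries):
    """Choose the unit that receives the next tunnel, per the rule in the post."""
    # Secondaries are kept in ascending order of inside IP address.
    ordered = sorted(secondaries, key=lambda n: ipaddress.ip_address(n.inside_ip))
    # The master keeps a tunnel only when every secondary is above its own load.
    if all(s.load > master.load for s in ordered):
        return master
    # Otherwise the least-loaded secondary; min() returns the lowest IP on ties.
    return min(ordered, key=lambda n: n.load)


def simulate(master, secondaries, tunnels):
    """Place `tunnels` new sessions one at a time and return the unit names."""
    placed = []
    for _ in range(tunnels):
        target = pick_target(master, secondaries)
        target.active += 1
        placed.append(target.name)
    return placed


if __name__ == "__main__":
    # Constructed two-unit cluster: 250 max sessions each, so 1% = 3 sessions.
    master = Node("master", "10.0.0.1", 250)
    backup = Node("backup", "10.0.0.2", 250)
    print(simulate(master, [backup], 6))
```

In this simulation the backup receives the first three tunnels before its integer load reads 1%, and only then does the master accept any; the larger the session limit, the longer that initial run on the secondary lasts.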
12-23-2008 01:57 PM
Thanks for posting your findings. I had the same question, too, and was not able to find the answers. May I ask where you got this information from? Thanks.
12-23-2008 02:01 PM
Hello there...Our Cisco reseller SE got it from the ASA BU.
Nabil