Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA VPN Cluster Algorithm

Hello all - Can someone please explain to me how the ASA VPN cluster decision happens? We have two ASAs in cluster, and it seems the master is handing all the connections to the backup and not accepting any itself.

I have searched all the documentations and bunch of books with no luck, I am at lost.

Thank you,


New Member

Re: ASA VPN Cluster Algorithm

Hello all - I got the answer today, I really don't understand why Cisco doesn't post this valuable information anywhere.

Load balancing algorithm

The master maintains a sorted list of secondary cluster members in ascending order of inside IP address.

Load is computed as an integer percentage (# of active/max sessions) supplied by each secondary cluster member.

Master re-directs IPSec/SSL VPN tunnel to a device with the lowest load first until it is 1% higher than the rest.

Master re-directs to itself only when all the secondary cluster members are 1% higher than the master.

For example, if there is one master and two secondary cluster members:

All nodes start with 0%.

The master re-directs tunnels to the first secondary (with lower inside IP address) until it reaches 1%.

Then it re-direct tunnels to the second secondary (with higher inside IP address) until it, too, reaches 1%.

The master re-directs tunnels to itself only when the two secondary's both have reached 1% load.

The whole cycle repeats when all 3 devices reach 1% load..

New Member

Re: ASA VPN Cluster Algorithm

Thanks for posting your findings. I had the same question, too and was not able to find the answers. May I ask you where you got this information from? Thanks.

New Member

Re: ASA VPN Cluster Algorithm

Hello there...Our Cisco reseller SE got it from the ASA BU.


CreatePlease to create content