Cisco ASA VPN Load balancing Implementation

OlayinkaRookie · ‎03-27-2024

Hello all:

We're looking to implement VPN load balancing across 2 Cisco ASA 5555X in our environment. These 2 ASAs are currently acting as individual gateways and we have an alias configured in the AnyConnect profile for them.

<ServerList>
<HostEntry>
<HostName>VPN</HostName>
<HostAddress>vpn.internet.com</HostAddress>
</HostEntry>
<HostEntry>
<HostName>VPN2</HostName>
<HostAddress>vpn2.internet.com</HostAddress>
</HostEntry>
</ServerList>

Can I add another host entry for the Cluster IP and have the option available to users in Anyconnect along with the existing option for the 2 individual gateways?

MHM Cisco World · ‎03-27-2024

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-asa/221691-configure-vpn-client-load-balance-with-d.html

Check this

MHM

OlayinkaRookie · ‎03-27-2024

Thank you for this. Fairly recent too. Nice to see official Cisco documentation for implementations like this.

Rob Ingram · ‎03-27-2024

@OlayinkaRookie if using VPN Load Balancer you would only specify the Load Balancer FQDN/VIP not the individual ASA FQDN/IP address.

You could amend the client XML profile as you suggested, but if the users connects directly to the ASA it's not going to be load balanced to the least active ASA, which defeats the purpose of the load balancer.

OlayinkaRookie · ‎03-27-2024

Thanks, and I agree Rob. We want to run a pilot and would like users to continue to connect to individual gateways until we know that the load balancing works as expected, then we take away the individual gateways from the host list.

Rob Ingram · ‎03-27-2024

@OlayinkaRookie ok understood. Yes, you can still connect directly to the ASA with the load balancer configured for the pilot, amend the XML profile to add the LB FQDN as another entry.