3442 Views | 0 Helpful | 5 Replies

FTD VPN Load Balancing

Grant Butler
Level 1

Quick question: with FTD 6.2 we got AnyConnect. Does anyone know when the AnyConnect features are due? 6.3? Does anyone have a link to the roadmap?

At the moment we use VPN load balancing, and so we are stuck with the ASA code base till this feature is active.


5 Replies

agairola
Level 1

RAVPN is supported since FTD version 6.2.2:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

This feature is pretty new and this platform has its own challenges. I would suggest opening a TAC case and asking them about the load balancer feature. If I am not wrong, this feature is not available; you can ask Cisco TAC to open an enhancement request to add VPN load balancing on FTD.

 

Marvin Rhoads
Hall of Fame

@agairola is correct - no VPN LB is currently available on the FTD platform.

Depending on your use case and the increased scalability of the Firepower appliances, you may be able to accommodate the requirement differently using a more powerful appliance or something like Optimal Gateway Selection (OGS).

Cisco generally doesn't publicly share roadmap information.

agairola
Level 1

Accepted Solution

My 2 cents on OGS.

If someone is looking for load balancing of a service (VPN in this case) located at a single site, then OGS may not be the best option. The idea behind OGS is to measure latency (round-trip time) per headend and then connect to the lowest-latency headend from the client's perspective.

So in a true sense I won't consider OGS as load balancing unless the user base is global and the headends are also global.

Another solution that I have seen in the field is based on DNS: we can simply use DNS weighted round robin, like AWS's Route 53, to balance traffic between multiple headends:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-weighted

--

Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes, including load balancing and testing new versions of software.

To configure weighted routing, you create records that have the same name and type for each of your resources. You assign each record a relative weight that corresponds with how much traffic you want to send to each resource. Amazon Route 53 sends traffic to a resource based on the weight that you assign to the record as a proportion of the total weight for all records in the group:

Formula for how much traffic is routed to a given resource:
weight for a specified record / sum of the weights for all records.

For example, if you want to send a tiny portion of your traffic to one resource and the rest to another resource, you might specify weights of 1 and 255. The resource with a weight of 1 gets 1/256th of the traffic (1/(1+255)), and the other resource gets 255/256ths (255/(1+255)). You can gradually change the balance by changing the weights. If you want to stop sending traffic to a resource, you can change the weight for that record to 0.

--

One downside that I can think of is we may lose features like AnyConnect reconnect etc.
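As an added example (not part of the original thread and not Cisco's or AWS's code), here is the weighted DNS approach from the post above expressed as a Route 53 change batch built in Python: one A record per headend, all sharing the same Name and Type, distinguished by SetIdentifier and given a Weight in the 0-255 range the Route 53 documentation quoted above describes. The hostname vpn.example.com, the headend identifiers ftd-a and ftd-b, and the 203.0.113.x addresses are constructed placeholders; the 60-second TTL is an assumed value chosen so that weight changes take effect quickly. The expected_share function applies the quoted formula, including the documented case where every weight is 0 and Route 53 answers with all records equally.

```python
import json

# Constructed sample headends (hypothetical names, RFC 5737 documentation addresses).
HEADENDS = {
    "ftd-a": {"ip": "203.0.113.10", "weight": 128},
    "ftd-b": {"ip": "203.0.113.20", "weight": 128},
}


def expected_share(weights):
    """Traffic share per record as Route 53 computes it: weight / sum(weights).

    When every weight in the group is 0, Route 53 responds with all records
    with equal probability, so the share is 1/N rather than a division by zero.
    """
    total = sum(weights.values())
    if total == 0:
        n = len(weights)
        return {name: 1.0 / n for name in weights}
    return {name: w / total for name, w in weights.items()}


def build_change_batch(name, headends, ttl=60, comment=None):
    """Build a Route 53 ChangeBatch that UPSERTs one weighted A record per headend.

    All records share the same Name and Type; SetIdentifier tells them apart.
    The TTL is an assumed value: a short TTL limits how long clients keep
    resolving to a headend after its weight is changed or set to 0.
    """
    changes = []
    for set_id, h in headends.items():
        w = h["weight"]
        if not 0 <= w <= 255:
            raise ValueError(f"{set_id}: weight {w} outside the Route 53 range 0-255")
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "SetIdentifier": set_id,
                "Weight": w,
                "TTL": ttl,
                "ResourceRecords": [{"Value": h["ip"]}],
            },
        })
    batch = {"Changes": changes}
    if comment:
        batch["Comment"] = comment
    return batch


def drain(headends, set_id):
    """Return a copy of headends with one headend's weight set to 0.

    New DNS resolutions stop landing on that headend; VPN sessions already
    established to it are not moved, because DNS only steers new lookups.
    """
    out = {k: dict(v) for k, v in headends.items()}
    out[set_id]["weight"] = 0
    return out


if __name__ == "__main__":
    batch = build_change_batch("vpn.example.com", HEADENDS, comment="FTD RAVPN weighted DNS")
    print(json.dumps(batch, indent=2))
    print(expected_share({k: v["weight"] for k, v in HEADENDS.items()}))
    drained = drain(HEADENDS, "ftd-b")
    print(expected_share({k: v["weight"] for k, v in drained.items()}))
```

The resulting JSON is the shape the Route 53 ChangeResourceRecordSets API takes (for example through the aws route53 change-resource-record-sets CLI with a --change-batch file). Note what this does and does not balance: the weights only steer new DNS resolutions, so an AnyConnect client that has already resolved and connected stays on that headend, and setting a weight to 0 drains new connections from a headend without moving the sessions already on it.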

@agairola

True and all good points. That's why I qualified my suggestion ("Depending on your use case...").

Regards,

- Marvin

Grant Butler
Level 1

Thanks for the responses. It looks like weighted DNS round robin is the only viable way forward until RAVPN LB is introduced to the FTD image.