Cisco Support Community
Community Member

SSL VPN through CSS and ASA VPN Load Balancing Logic ?

Hi all,

We got two ASA5540s. ASA#1 has 5000 IPSEC and 500 SSL license. ASA#2 has only 5000 IPSEC license.

We enabled VPN load balancing on both boxes. They see each other in terms of VPN load balancing configuration.

The problem is, ASA#1 is master in cluster. It does not have any VPN sessions on it, when we try to initiate the first IPSEC VPN connection into the cluster IP, ASA#1 automatically redirects us to ASA#2.

Any one have any explanation to VPN load balancing algorithm of Cisco ASA ?

One more question, is it ok if we load balance SSL VPN (Anyconnect clients) through a Cisco CSS, customer does not prefer to purchase SSL certificates for all IP addresses in the cluster ?

Thanks in advance.

Community Member

Re: SSL VPN through CSS and ASA VPN Load Balancing Logic ?

Hi all,

I have found my answer through a search. Here is the logic :

Load is calculated by a % of user load.  There is no preference to stick to box A or box B, this is the only factor taken in to consideration. If you would like to have the user load % increase faster on a device, you will want to tune down the max # of users it can support. It takes 50 users to = 1% load if you are configured to support the full 5K users.

CreatePlease to create content