Document ID: 68328
Load balancing is the ability to have Cisco VPN Clients shared across multiple Adaptive Security Appliance (ASA) units without user intervention. Load balancing ensures that the public IP address is highly available to users. For example, if the Cisco ASA that services the public IP address fails, another ASA in the cluster assumes the public IP address.
Ensure that you meet these requirements before you attempt this configuration:
• You have assigned IP addresses on your ASAs and configured the default gateway.
• IPsec is configured on the ASAs for the VPN Client users.
• VPN users are able to connect to all ASAs with the use of their individually assigned public IP address.
The information in this document is based on these software and hardware versions:
• VPN Client Software Releases 4.6 and later
• Cisco ASA Software Releases 7.0.1 and later
Note: Version 8.0(2) extends load balancing support to ASA 5510 and ASA models later than 5520 that have a Security Plus license.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This document uses this network setup:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
• VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.
• All devices in the virtual cluster must be on the same outside and inside IP subnets.
IP Address Assignment
Ensure that the IP addresses are configured on the outside and inside interfaces and you are able to get to the Internet from your ASA.
Note: Ensure that ISAKMP is enabled on both the inside and outside interface. Select Configuration > Features > VPN > IKE > Global Parameters in order to verify this.
This procedure shows how to use the Cisco Adaptive Security Device Manager (ASDM) to configure load balancing.
Note: Many of the parameters in this example have default values.
1. Select Configuration > Features > VPN > Load Balancing, and check Participate in Load Balancing Cluster to enable VPN load balancing.
2. Complete these steps to configure the parameters for all ASAs participating in the cluster in the VPN Cluster Configuration group box:
   a. Type the IP address of the cluster in the Cluster IP Address text box.
   b. Click Enable IPSec Encryption.
   c. Type the encryption key in the IPSec Shared Secret text box and type it again in the Verify Secret text box.
3. Configure the options in the VPN Server Configuration group box:
   a. Select an interface that accepts the incoming VPN connections in the Public list.
   b. Select an interface that is the private interface in the Private list.
   c. (Optional) Change the priority that the ASA has in the cluster in the Priority text box.
   d. Type an IP address for the Network Address Translation (NAT) Assigned IP Address if this device is behind a firewall that uses NAT.
4. Repeat the steps on all the participating ASAs in the group.
The example in this section uses these CLI commands to configure load balancing:
VPN-ASA2(config)#vpn load-balancing
VPN-ASA2(config-load-balancing)#priority 10
VPN-ASA2(config-load-balancing)#cluster key cisco123
VPN-ASA2(config-load-balancing)#cluster ip address 172.16.172.54...
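The restrictions above require the cluster IP address, UDP port, and shared secret to be identical on every device, and the ASDM procedure enables IPSec encryption for the cluster. The following Python check is an added example, not part of the original document: it parses the vpn load-balancing stanza saved from each member and reports settings that differ. The function names, the VPN-ASA1 host, the key cisco124, and the cluster port and cluster encryption lines in the sample are assumptions constructed for illustration, and the stanzas are assumed to carry the key in clear text.

```python
import re

# Constructed samples: VPN-ASA1, key cisco124, port/encryption lines are assumed.
SAMPLE_CONFIGS = {
    "VPN-ASA1": """\
vpn load-balancing
 priority 9
 cluster key cisco123
 cluster ip address 172.16.172.54
 cluster port 9023
 cluster encryption
""",
    "VPN-ASA2": """\
vpn load-balancing
 priority 10
 cluster key cisco124
 cluster ip address 172.16.172.54
""",
}
DEFAULT_PORT = "9023"  # ASA default UDP port for VPN load balancing

def parse_stanza(text):
    """Extract cluster settings from one device's 'vpn load-balancing' stanza."""
    s = {"ip": None, "port": DEFAULT_PORT, "key": None, "encryption": False}
    in_lb = False
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line starts a new stanza
            in_lb = line == "vpn load-balancing"
        elif in_lb and (m := re.fullmatch(r"cluster (ip address|port|key) (\S+)", line)):
            s[m.group(1).split()[0]] = m.group(2)
        elif in_lb and line == "cluster encryption":
            s["encryption"] = True
    return s

def audit(configs):
    """Return findings; key values are compared but never written out."""
    parsed = {host: parse_stanza(text) for host, text in configs.items()}
    findings = []
    for field in ("ip", "port", "key"):
        if len({p[field] for p in parsed.values()}) > 1:
            findings.append(f"mismatch: cluster {field} differs across members")
    for host, p in sorted(parsed.items()):
        if not p["encryption"]:
            findings.append(f"{host}: cluster encryption not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIGS)))
```

The findings name the mismatched field without printing the shared secret, so the output can be stored in a ticket or log.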