Implementing Load Balancing - Cisco FirePOWER ASA 5500 series Configuration Manual

Understanding Load Balancing

tied to a physical device; it can shift among devices. For example, if the current virtual cluster master
fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new
virtual cluster master.

Note
The output of a show command might show the secondary devices in the cluster as backup devices.

The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not
tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A
VPN Client attempting to establish a connection connects first to this virtual cluster IP address. The
virtual cluster master then sends back to the client the public IP address of the least-loaded available host
in the cluster. In a second transaction (transparent to the user), the client connects directly to that host.
In this way, the virtual cluster master directs traffic evenly and efficiently across resources.

Note
All clients other than the Cisco VPN Client or the Cisco 3002 Hardware Client should connect directly
to the security appliance as usual; they do not use the virtual cluster IP address.

If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster
IP address. The virtual cluster master then directs these connections to another active device in the
cluster. Should the virtual cluster master itself fail, a secondary device in the cluster immediately and
automatically takes over as the new virtual session master. Even if several devices in the cluster fail,
users can continue to connect to the cluster as long as any one device in the cluster is up and available.

Implementing Load Balancing

Enabling load balancing involves:

• Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
  port (if necessary), and IPSec shared secret for the cluster. These values should be configured
  identically for every device in the cluster.
• Configuring the participating device by enabling load balancing on the device and defining
  device-specific properties. These values vary from device to device.

Note
VPN load balancing requires an active 3DES/AES license. The security appliance checks for the
existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or
AES license, the security appliance prevents the enabling of load balancing and also prevents internal
configuration of 3DES by the load balancing system unless the license permits this usage.

Prerequisites

Load balancing is disabled by default. You must explicitly enable load balancing.
You must have first configured the public (outside) and private (inside) interfaces and also have
previously configured the interface to which the virtual cluster IP address refers. You can use the
interface and nameif commands to configure different names for these interfaces. Subsequent
references in this section use the names outside and inside.
All devices that participate in a cluster must share the same cluster-specific values: IP address,
encryption settings, encryption key, and port.

Cisco Security Appliance Command Line Configuration Guide, Chapter 29, Setting General IPSec VPN Parameters, page 29-6 (OL-10088-01)
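The two kinds of settings distinguished above (cluster-wide values that must match on every member, and device-specific values), shown as they would appear in one member's ASA running configuration. This is an added example, not a configuration from this manual page; it assumes the vpn load-balancing subcommands of the ASA CLI and interfaces already named outside and inside, and the address, port, and key are constructed values.

```cisco
! Added example (not from the manual page): VPN load balancing on one cluster member.
! Assumes the outside and inside interfaces are already configured (see Prerequisites).
vpn load-balancing
 ! --- Cluster-wide values: configure identically on every device in the cluster ---
 ! Constructed virtual cluster IP address; clients connect here first.
 cluster ip address 203.0.113.10
 ! UDP port for cluster messages; 9023 is the ASA default, change only if needed.
 cluster port 9023
 ! Constructed IPsec shared secret for cluster traffic; must match on all members.
 cluster key ExampleClusterSecret
 ! Encrypt cluster communication with the key above (requires the 3DES/AES license).
 cluster encryption
 ! --- Device-specific values: vary from device to device ---
 ! Public and private interfaces this member uses for load balancing.
 interface lbpublic outside
 interface lbprivate inside
 ! Master election preference (1-10); the higher priority becomes virtual cluster master.
 priority 5
 ! Enable this device as a participant in the cluster.
 participate
! Verify cluster role and membership afterwards with: show vpn load-balancing
```

Because the cluster key is a shared secret, keep it identical but non-default on every member and treat a mismatch between devices as the first thing to check when a member never appears as a backup in the show output.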