Cisco ASA 5505 Configuration Manual page 1300

Configuring Load Balancing
•
•
•
•
Eligible Clients
Load balancing is effective only on remote sessions initiated with the following clients:
•
•
•
•
•
•
•
Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN
connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an adaptive
security appliance on which load balancing is enabled, but they cannot participate in load balancing.
Enabling Load Balancing
This pane lets you enable load balancing on the adaptive security appliance. Enabling load balancing
involves:
•
•
Creating Virtual Clusters
To implement load balancing, you group together logically two or more devices on the same private
LAN-to-LAN network into a virtual cluster.
All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster
master, directs incoming calls to the other devices, called backup devices. The virtual cluster master
monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load
accordingly. The role of virtual cluster master is not tied to a physical device; it can shift among devices.
For example, if the current virtual cluster master fails, one of the backup devices in the cluster takes over
that role and immediately becomes the new virtual cluster master.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not
tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A
VPN client attempting to establish a connection connects first to this virtual cluster IP address. The
Cisco ASA 5500 Series Configuration Guide using ASDM
63-20
Creating Virtual Clusters
Mixed Cluster Scenarios
Comparing Load Balancing to Failover
Load Balancing Prerequisites
Cisco AnyConnect VPN Client (Release 2.0 and later)
Cisco VPN Client (Release 3.0 and later)
Cisco ASA 5505 Security Appliance (when acting as an Easy VPN client)
Cisco VPN 3002 Hardware Client (Release 3.5 or later)
Cisco PIX 501/506E when acting as an Easy VPN client
IOS EZVPN Client devices supporting IKE-redirect (IOS 831/871)
Clientless SSL VPN (not a client)
Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
port (if necessary), and IPsec shared secret for the cluster. These values are identical for every device
in the cluster.
Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Chapter 63 Configuring IKE, Load Balancing, and NAC
OL-20339-01