Cisco ASA 5505 Configuration Manual page 1301

Chapter 63
Configuring IKE, Load Balancing, and NAC
virtual cluster master then sends back to the client the public IP address of the least-loaded available host
in the cluster. In a second transaction (transparent to the user) the client connects directly to that host.
In this way, the virtual cluster master directs traffic evenly and efficiently across resources.
Note
All clients other than the Cisco VPN client, the Cisco VPN 3002 Hardware Client, or the ASA 5505
operating as an Easy VPN Client connect directly to the adaptive security appliance as usual; they do not
use the virtual cluster IP address.
If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster
IP address. The virtual cluster master then directs these connections to another active device in the
cluster. Should the virtual cluster master itself fail, a backup device in the cluster immediately and
automatically takes over as the new virtual session master. Even if several devices in the cluster fail,
users can continue to connect to the cluster as long as any one device in the cluster is up and available.
A load-balancing cluster can consist of adaptive security appliances of the same release, of mixed
releases, as well as VPN 3000 concentrators, or a mixture of these, subject to the following restrictions:
• Load-balancing clusters that consist of both same release adaptive security appliances and VPN
3000 concentrators can run load balancing for a mixture of IPsec, AnyConnect, and clientless SSL
VPN client and clientless sessions.
• Load-balancing clusters that include mixed release adaptive security appliances or same release
adaptive security appliances and VPN 3000 concentrators or both can support only IPsec sessions.
In such a configuration, however, the adaptive security appliances might not reach their full IPsec
capacity. "Scenario 1: Mixed Cluster with No SSL VPN Connections" on page 22, illustrates this
situation.
Since Release 7.1(1), IPsec and SSL VPN sessions count or weigh equally in determining the load that
each device in the cluster carries. This represents a departure from the load balancing calculation for the
ASA Release 7.0(x) software and the VPN 3000 concentrator, in that these platforms both use a
weighting algorithm that, on some hardware platforms, calculates SSL VPN session load differently
from IPsec session load.
The virtual master of the cluster assigns session requests to the members of the cluster. The adaptive
security appliance regards all sessions, SSL VPN or IPsec, as equal and assigns them accordingly. You
can configure the number of IPsec and SSL VPN sessions to allow, up to the maximum allowed by your
configuration and license.
We have tested up to ten nodes in a load-balancing cluster. Larger clusters might work, but we do not
officially support such topologies.
Mixed Cluster Scenarios
If you have a mixed configuration—that is, if your load-balancing cluster includes devices running a
mixture of ASA software releases or at least one adaptive security appliance running ASA Release 7.1(1)
or later and a VPN 3000 concentrator—the difference in weighting algorithms becomes an issue if the
initial cluster master fails and another device takes over as master.
The following scenarios illustrate the use of VPN load balancing in clusters consisting of a mixture of
adaptive security appliances running ASA Release 7.1(1) and ASA Release 7.0(x) software, as well as
VPN 3000 Series Concentrators.
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring Load Balancing
OL-20339-01
63-21
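The master-failover issue described under Mixed Cluster Scenarios can be modeled in a few lines. This is an added example, not code from Cisco or from the original guide: the Member fields, both load formulas, the ssl_weight value, and the addresses and session counts are assumptions, since the page gives no formula for the Release 7.0(x) and VPN 3000 weighting.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    public_ip: str      # address the master hands back to the client
    ipsec: int          # active IPsec sessions
    ssl: int            # active SSL VPN sessions
    max_sessions: int   # configured/licensed session limit
    up: bool = True

def equal_load(m):
    """Release 7.1(1) and later, per the page: every session counts the same."""
    return (m.ipsec + m.ssl) / m.max_sessions

def legacy_load(m, ssl_weight=3.0):
    """Stand-in for 7.0(x)/VPN 3000 weighting; ssl_weight is hypothetical."""
    return (m.ipsec + ssl_weight * m.ssl) / m.max_sessions

def redirect(cluster, load_fn):
    """Master's decision: public IP of the least-loaded available member."""
    candidates = [m for m in cluster if m.up and m.ipsec + m.ssl < m.max_sessions]
    if not candidates:
        raise RuntimeError("no cluster member can accept the session")
    return min(candidates, key=load_fn).public_ip

def master_disagreement(cluster):
    """Return both redirect targets if the two algorithms disagree, else None."""
    new, old = redirect(cluster, equal_load), redirect(cluster, legacy_load)
    return None if new == old else {"equal": new, "legacy": old}

# Constructed cluster state (documentation addresses, invented counts).
CLUSTER = [
    Member("asa-a", "192.0.2.11", ipsec=60, ssl=0, max_sessions=100),
    Member("asa-b", "192.0.2.12", ipsec=10, ssl=40, max_sessions=100),
    Member("asa-c", "192.0.2.13", ipsec=70, ssl=5, max_sessions=100),
]

if __name__ == "__main__":
    print("7.1(1) master redirects to:", redirect(CLUSTER, equal_load))
    print("legacy master redirects to:", redirect(CLUSTER, legacy_load))
    print("disagreement:", master_disagreement(CLUSTER))
```

In this model the two calculations agree whenever no SSL VPN sessions are present, so the redirect target changes on master failover only when SSL VPN sessions are part of the load.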
