Cisco ASA 5505 Configuration Manual page 1304

Configuring Load Balancing
Cisco ASA 5500 Series Configuration Guide using ASDM
63-24
Note: When using encryption, you must have previously configured the load-balancing inside
interface. If that interface is not enabled on the load-balancing inside interface, you get an error
message when you try to configure cluster encryption.
If the load-balancing inside interface was enabled when you configured cluster encryption, but
was disabled before you configured the participation of the device in the virtual cluster, you get
an error message when you check the Participate in Load Balancing Cluster check box, and
encryption is not enabled for the cluster.
IPsec Shared Secret—Specifies the shared secret between IPsec peers when you have
enabled IPsec encryption. The value you enter in the box appears as consecutive asterisk
characters.
Verify Secret—Confirms the shared secret value entered in the IPsec Shared Secret box.
VPN Server Configuration—Configures parameters for this specific device.
Interfaces—Configures the public and private interfaces and their relevant parameters.
Public—Specifies the name or IP address of the public interface for this device.
Private—Specifies the name or IP address of the private interface for this device.
Priority—Specifies the priority assigned to this device within the cluster. The range is from 1
to 10. The priority indicates the likelihood of this device becoming the virtual cluster master,
either at start-up or when an existing master fails. The higher you set the priority (for example,
10), the more likely this device becomes the virtual cluster master.
If the devices in the virtual cluster are powered up at different times, the first device to be
powered up assumes the role of virtual cluster master. Because every virtual cluster requires a
master, each device in the virtual cluster checks when it is powered up to ensure that the cluster
has a virtual master. If none exists, that device takes on the role. Devices powered up and added
to the cluster later become backup devices. If all the devices in the virtual cluster are powered
up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously, and both have the
highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
NAT Assigned IP Address—Specifies the IP address that this device's IP address is translated
to by NAT. If NAT is not being used (or if the device is not behind a firewall using NAT), leave
the field blank.
Send FQDN to client—Check this check box to cause the VPN cluster master to send a fully
qualified domain name using the host and domain name of the cluster device instead of the
outside IP address when redirecting VPN client connections to that cluster device.
By default, the ASA sends only IP addresses in load-balancing redirection to a client. If
certificates are in use that are based on DNS names, the certificates will be invalid when
redirected to a backup device.
As a VPN cluster master, this adaptive security appliance can send a fully qualified domain
name (FQDN), using reverse DNS lookup, of a cluster device (another adaptive security
appliance in the cluster), instead of its outside IP address, when redirecting VPN client
connections to that cluster device.
Note: All of the outside and inside network interfaces on the load-balancing devices in a cluster must
be on the same IP network.
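The Send FQDN behavior described above comes down to name matching on the client: a certificate issued for a DNS name does not cover a redirect to a bare IP address. The following is an added example, not taken from the Cisco guide; the device names, addresses and SAN lists are constructed, and the `fqdn` field stands in for the result of the master's reverse DNS lookup.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Match one dNSName SAN; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(target, dns_sans, ip_sans=()):
    """True if the certificate covers the address the client was redirected to."""
    if is_ip(target):
        # An IP target is compared only with iPAddress SANs, never with DNS names.
        addr = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(s) == addr for s in ip_sans)
    return any(dns_match(s, target) for s in dns_sans)

def redirect_target(device, send_fqdn):
    """Value the master hands to the client: FQDN if Send FQDN is checked, else outside IP."""
    return device["fqdn"] if send_fqdn else device["outside_ip"]

def audit(cluster, send_fqdn):
    """Map each device's FQDN to whether its certificate survives a redirect."""
    return {d["fqdn"]: cert_matches(redirect_target(d, send_fqdn),
                                    d["dns_sans"], d.get("ip_sans", ()))
            for d in cluster}

# Constructed sample cluster (documentation address range, hypothetical names).
CLUSTER = [
    {"fqdn": "asa2.vpn.example.com", "outside_ip": "192.0.2.12",
     "dns_sans": ["asa2.vpn.example.com"]},
    {"fqdn": "asa3.vpn.example.com", "outside_ip": "192.0.2.13",
     "dns_sans": ["*.vpn.example.com"]},
]

if __name__ == "__main__":
    for send_fqdn in (False, True):
        print("Send FQDN =", send_fqdn, audit(CLUSTER, send_fqdn))
```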
Chapter 63
Configuring IKE, Load Balancing, and NAC
OL-20339-01

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
