Eligible Platforms; Eligible Clients; VPN Load-Balancing Cluster Configurations - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Chapter 29
Setting General IPSec VPN Parameters

Eligible Platforms

A load-balancing cluster can include security appliance models ASA 5510 (with a Plus license) and
Model 5520 and above. You can also include VPN 3000 Series Concentrators in the cluster. While mixed
configurations are possible, administration is generally simpler if the cluster is homogeneous.

Eligible Clients

Load balancing is effective only on remote sessions initiated with the following clients:

- Cisco AnyConnect VPN Client (Release 2.0 and later)
- Cisco VPN Client (Release 3.0 and later)
- Cisco VPN 3002 Hardware Client (Release 3.5 or later)
- Cisco PIX 501/506E when acting as an Easy VPN client

Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including
LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but
they cannot participate in load balancing.

VPN Load-Balancing Cluster Configurations

A load-balancing cluster can consist of all ASA Release 7.0(x) security appliances, all ASA Release
7.1(1) security appliances, all VPN 3000 Concentrators, or a mixture of these, subject to the following
restrictions:

- Load-balancing clusters that consist of all ASA 7.0(x) security appliances, all ASA 7.1(1) security
  appliances, or all VPN 3000 Concentrators can run load balancing for a mixture of IPSec and
  WebVPN sessions.
- Load-balancing clusters that consist of both ASA 7.0(x) security appliances and VPN 3000
  Concentrators can run load balancing for a mixture of IPSec and WebVPN sessions.
- Load-balancing clusters that include ASA 7.1(1) security appliances and either ASA 7.0(x) or VPN
  3000 Concentrators or both can support only IPSec sessions. In such a configuration, however, the
  ASA 7.1(1) security appliances might not reach their full IPSec capacity. "Scenario 1: Mixed Cluster
  with No WebVPN Connections" on page 8, illustrates this situation.

With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that
each device in the cluster carries. This represents a departure from the load balancing calculation for the
ASA Release 7.0(x) software and the VPN 3000 Concentrator, in that these platforms both use a
weighting algorithm that, on some hardware platforms, calculates WebVPN session load differently
from IPSec session load.

The virtual master of the cluster assigns session requests to the members of the cluster. An ASA Release
7.1(1) security appliance regards all sessions, WebVPN or IPSec, as equal and assigns them accordingly.
An ASA Release 7.0(x) security appliance or a VPN 3000 Concentrator performs a weighting
calculation in assigning session loads.

Note: You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by
your configuration and license. See Configuring VPN Session Limits, page 29-12 for a description of
how to set these limits.

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Understanding Load Balancing, page 29-7
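
The platform and release restrictions in this section can be checked mechanically before a device is added to a cluster. The Python sketch below is an added example, not part of the Cisco guide; the inventory tuples, the model-string format ("ASA 5520", "VPN 3030") and all function names are assumptions made for illustration.

```python
import re

# Release families named in this section (labels are constructed constants).
ASA_70, ASA_71, VPN3000 = "ASA 7.0(x)", "ASA 7.1(1)", "VPN 3000"

def eligible_platform(model, plus_license=False):
    """ASA 5510 needs a Plus license; ASA 5520 and above and VPN 3000 qualify."""
    if model.startswith("VPN 30"):          # VPN 3000 Series Concentrators
        return True
    m = re.fullmatch(r"ASA (\d{4})", model)
    if not m:
        return False                        # any other model is not listed
    number = int(m.group(1))
    return number >= 5520 or (number == 5510 and plus_license)

def supported_sessions(releases):
    """Session types the cluster can load-balance, per the three restrictions."""
    kinds = set(releases)
    if ASA_71 in kinds and kinds != {ASA_71}:
        return {"IPSec"}                    # 7.1(1) mixed with 7.0(x) and/or VPN 3000
    return {"IPSec", "WebVPN"}              # homogeneous, or 7.0(x) + VPN 3000

def audit_cluster(members):
    """members: iterable of (name, model, release_family, plus_license)."""
    findings = []
    for name, model, _release, plus in members:
        if not eligible_platform(model, plus):
            findings.append(f"{name}: {model} is not eligible as licensed")
    sessions = supported_sessions(r for _, _, r, _ in members)
    if sessions == {"IPSec"}:
        findings.append("mixed cluster with 7.1(1): IPSec only, and the "
                        "7.1(1) units might not reach full IPSec capacity")
    return sessions, findings

# Constructed sample inventory (not taken from the guide).
SAMPLE = [
    ("edge-1", "ASA 5520", ASA_71, False),
    ("edge-2", "ASA 5510", ASA_70, False),  # no Plus license
    ("conc-1", "VPN 3030", VPN3000, False),
]

if __name__ == "__main__":
    sessions, findings = audit_cluster(SAMPLE)
    print("load-balanced session types:", sorted(sessions))
    for finding in findings:
        print("-", finding)
```
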


This manual is also suitable for:

ASA 5500 series
