Cisco ASA 5505 Configuration Manual page 1216


Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard
Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Note: Load balancing is effective only on remote sessions initiated with the Cisco VPN client (Version 3.0 and later), the Cisco VPN 3002 hardware client (Version 3.5 and later), or the ASA 5505 configured as an Easy VPN client. All other clients, including LAN-to-LAN connections, can connect to an adaptive security appliance on which load balancing is enabled, but these clients cannot participate in load balancing.

To implement load balancing, you logically group together two or more devices on the same private
LAN-to-LAN network into a virtual cluster by performing the following steps:

Step 1 Choose the single IP address that represents the entire virtual cluster. Specify an IP address that is within the public subnet address range shared by all the adaptive security appliances in the virtual cluster.

Step 2 Specify the UDP port for the virtual cluster in which this device is participating. The default value is 9023. If another application is using this port, enter the UDP destination port number that you want to use for load balancing.

Step 3 To enable IPSec encryption and ensure that all load-balancing information communicated between the devices is encrypted, check the Enable IPSec Encryption check box. You must also specify and verify a shared secret. The adaptive security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To disable IPSec encryption, uncheck the Enable IPSec Encryption check box.

Note: When using encryption, you must have previously configured the load balancing inside interface. If that interface is not enabled on the load balancing inside interface, an error message appears when you try to configure cluster encryption. If the load balancing inside interface is enabled when you configured cluster encryption, but is disabled before you configure the participation of the device in the virtual cluster, an error message appears when you check the Participate in Load Balancing Cluster check box, and encryption is not enabled for the cluster.

Step 4 Specify the shared secret to use between IPSec peers when you enable IPSec encryption. The value that you enter appears as consecutive asterisk characters.

Step 5 Specify the priority assigned to this device within the cluster. The range is from 1 to 10. The priority indicates the likelihood of this device becoming the virtual cluster master, either at startup or when an existing master fails. The higher the priority set (for example, 10), the more likely that this device will become the virtual cluster master.

Note: If the devices in the virtual cluster are powered up at different times, the first device to be powered up assumes the role of virtual cluster master. Because every virtual cluster requires a master, each device in the virtual cluster checks when it is powered up to ensure that the cluster has a virtual master. If none exists, that device assumes the role. Devices powered up and added to the cluster later become secondary devices. If all the devices in the virtual cluster are powered up simultaneously, the device with the highest priority setting becomes the virtual cluster master. If two or more devices in the virtual cluster are powered up simultaneously, and both have the highest priority setting, the one with the lowest IP address becomes the virtual cluster master.

Step 6 Specify the name or IP address of the public interface for this device.

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, Chapter 58: Using the High Availability and Scalability Wizard, page 58-10
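
The settings from Steps 1 through 6 and the master-election rule in the second note can be checked before a cluster goes live. The following Python sketch is an added example, not part of the Cisco guide or of ASDM. The `Member` model, its field names, and the sample addresses are hypothetical. It assumes that the cluster IP, port and encryption setting must match on every member, that "lowest IP address" means the public interface address, and it generalizes the election rule to any set of devices that powered up first.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Member:                  # hypothetical model of one device's wizard settings
    name: str
    public_ip: str             # Step 6: public interface address
    cluster_ip: str            # Step 1: virtual cluster IP address
    port: int = 9023           # Step 2: default UDP port
    encrypted: bool = False    # Step 3: Enable IPSec Encryption check box
    priority: int = 1          # Step 5: valid range is 1 to 10
    boot_time: float = 0.0     # seconds; equal values mean simultaneous power-up

def audit(members, public_subnet):
    """Return findings for settings that break the rules in Steps 1 to 5."""
    net = ipaddress.ip_network(public_subnet)
    findings = []
    for key in ("cluster_ip", "port", "encrypted"):   # assumed cluster-wide values
        if len({getattr(m, key) for m in members}) > 1:
            findings.append(f"{key} differs between members")
    for m in members:
        if ipaddress.ip_address(m.cluster_ip) not in net:
            findings.append(f"{m.name}: cluster IP outside {public_subnet}")
        if not 1 <= m.priority <= 10:
            findings.append(f"{m.name}: priority {m.priority} outside 1-10")
        if not m.encrypted:
            findings.append(f"{m.name}: load-balancing traffic not encrypted")
    return findings

def elect_master(members):
    """First device powered up wins; among devices powered up together,
    highest priority wins, then lowest public IP address."""
    first = min(m.boot_time for m in members)
    earliest = [m for m in members if m.boot_time == first]
    return min(earliest,
               key=lambda m: (-m.priority, ipaddress.ip_address(m.public_ip)))

# Constructed sample cluster (addresses from a documentation range).
CLUSTER = [
    Member("asa-a", "192.0.2.11", "192.0.2.10", encrypted=True, priority=10),
    Member("asa-b", "192.0.2.12", "192.0.2.10", encrypted=True, priority=10),
    Member("asa-c", "192.0.2.13", "192.0.2.10", priority=11, boot_time=30),
]

if __name__ == "__main__":
    print("master:", elect_master(CLUSTER).name)
    for finding in audit(CLUSTER, "192.0.2.0/24"):
        print("finding:", finding)
```
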
