Cisco ASA 5505 Configuration Manual page 1303

Chapter 63
Configuring IKE, Load Balancing, and NAC
A failover configuration requires two identical adaptive security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine when specific failover conditions are met. If those conditions occur, failover occurs. Failover supports both VPN and firewall configurations.

The adaptive security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. VPN connections run only in Active/Standby, single routed mode. Active/Active failover requires multiple-context mode and therefore does not support VPN connections.

With Active/Active failover, both units can pass network traffic. This is not true load balancing, although it might appear to have the same effect. When failover occurs, the remaining active unit takes over passing the combined traffic, based on the configured parameters. Therefore, when configuring Active/Active failover, you must make sure that the combined traffic for both units is within the capacity of each unit.

With Active/Standby failover, only one unit passes traffic, while the other unit waits in a standby state and does not pass traffic. Active/Standby failover lets you use a second adaptive security appliance to take over the functions of a failed unit. When the active unit fails, it changes to the standby state, while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses of the active unit. If an active unit fails, the standby takes over without any interruption to the client VPN tunnel.
Load Balancing Prerequisites
Load balancing is disabled by default. You must explicitly enable load balancing.

You must have first configured the public and private interfaces and also have previously configured the interface to which the virtual cluster IP address refers.

All devices that participate in a cluster must share the same cluster-specific values: IP address, encryption settings, encryption key, and port. All of the outside and inside network interfaces on the load-balancing devices in a cluster must be on the same IP network.
Fields
OL-20339-01
VPN Load Balancing—Configures virtual cluster device parameters.

Participate in Load Balancing Cluster—Specifies that this device is a participant in the load-balancing cluster.

VPN Cluster Configuration—Configures device parameters that must be the same for the entire virtual cluster. All servers in the cluster must have an identical cluster configuration.

Cluster IP Address—Specifies the single IP address that represents the entire virtual cluster. Choose an IP address that is within the public subnet address range shared by all the adaptive security appliances in the virtual cluster.

UDP Port—Specifies the UDP port for the virtual cluster in which this device is participating. The default value is 9023. If another application is using this port, enter the UDP destination port number you want to use for load balancing.

Enable IPsec Encryption—Enables or disables IPsec encryption. If you check this box, you must also specify and verify a shared secret. The adaptive security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec. To ensure that all load-balancing information communicated between the devices is encrypted, check this box.
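The prerequisites above require every cluster member to carry identical cluster-specific values, and the Enable IPsec Encryption field is what keeps load-balancing traffic between members off the wire in cleartext. The following audit script is an added example, not part of this guide or of ASDM: it parses the load-balancing section of several devices' running-configs and reports members whose encryption is off or whose values disagree. The sample configs are constructed, and the `vpn load-balancing` submode syntax used in them is assumed from memory of the ASA CLI rather than taken from this page.

```python
# Audit for the cluster-wide prerequisites above: each participant must share the
# same cluster IP, UDP port, encryption setting and key, with encryption enabled.
# Constructed sample configs; the 'vpn load-balancing' submode syntax is assumed
# from memory of the ASA CLI and is not taken from this manual page.
SAMPLE_CONFIGS = {
    "asa-1": """vpn load-balancing
 cluster ip address 203.0.113.10
 cluster port 9023
 cluster encryption
 cluster key example-shared-secret
 participate""",
    "asa-2": """vpn load-balancing
 cluster ip address 203.0.113.10
 cluster port 10000
 cluster key example-shared-secret
 participate""",
}
VALUE_KEYS = ("cluster ip address", "cluster port", "cluster key")
FLAG_KEYS = ("cluster encryption", "participate")

def parse_load_balancing(config: str) -> dict:
    """Extract the cluster-specific settings from one device's running-config."""
    settings = {**{k: False for k in FLAG_KEYS}, "cluster port": "9023"}  # 9023 is the page's default
    in_block = False
    for line in config.splitlines():
        if line.rstrip() == "vpn load-balancing":
            in_block = True
            continue
        if not in_block or not line.startswith(" "):
            in_block = False  # an un-indented command ends the submode
            continue
        cmd = line.strip()
        if cmd in FLAG_KEYS:
            settings[cmd] = True
        for key in VALUE_KEYS:
            if cmd.startswith(key + " "):
                settings[key] = cmd[len(key) + 1:]
    return settings

def audit_cluster(configs: dict) -> list:
    """Report cleartext cluster traffic and values that differ between members."""
    members = {n: parse_load_balancing(c) for n, c in configs.items()}
    members = {n: s for n, s in members.items() if s["participate"]}
    findings = [f"{n}: cluster encryption disabled, cluster traffic is cleartext"
                for n, s in members.items() if not s["cluster encryption"]]
    for key in VALUE_KEYS + ("cluster encryption",):
        values = {n: s.get(key) for n, s in members.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{key} differs across cluster: {values}")
    return findings
```

Run `audit_cluster(SAMPLE_CONFIGS)` to see the three findings for the constructed pair: asa-2 has encryption off, and the port and encryption values no longer match asa-1.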
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring Load Balancing
63-23