Cisco ASA Series Cli Configuration Manual page 1621

Chapter 1 Setting General VPN Parameters
Implementing Load Balancing
Enabling load balancing involves:
•
•
Note
VPN load balancing requires an active 3DES/AES license. The ASA checks for the existence of this
crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the
ASA prevents the enabling of load balancing and also prevents internal configuration of 3DES by the
load balancing system unless the license permits this usage.
Prerequisites
Load balancing is disabled by default. You must explicitly enable load balancing.
You must have first configured the public (outside) and private (inside) interfaces and also have
previously configured the interface to which the virtual cluster IP address refers. You can use the
interface and nameif commands to configure different names for these interfaces. Subsequent
references in this section use the names outside and inside.
All devices that participate in a cluster must share the same cluster-specific values: IP address,
encryption settings, encryption key, and port.
Eligible Platforms
A load-balancing cluster can include ASA models ASA 5510 (with a Plus license) and Model 5520 and
above. You can also include Cisco VPN 3000 series concentrators in the cluster. While mixed
configurations are possible, administration is generally simpler if the cluster is homogeneous.
Eligible Clients
Load balancing is effective only on remote sessions initiated with the following clients:
•
•
•
•
•
•
•
Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN
connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which
load balancing is enabled, but they cannot participate in load balancing.
Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
port (if necessary), and IPsec shared secret for the cluster. You configure these values identically for
every device in the cluster.
Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Cisco AnyConnect VPN client (Release 2.0 and later)
Cisco VPN Client (Release 3.0 and later)
Cisco ASA 5505 ASA (when acting as an Easy VPN client)
Cisco VPN 3002 hardware client (Release 3.5 or later)
Cisco PIX 501/506E when acting as an Easy VPN client
Cisco IOS EZVPN client devices supporting IKE-redirect (IOS 831/871)
Clientless SSL VPN (not a client)
Understanding Load Balancing
Cisco ASA Series CLI Configuration Guide
1-9