Cisco ASA Series Cli Configuration Manual page 1628

Configuring Load Balancing
Unique IP Address Pools
Q: To implement VPN load balancing, must the IP address pools for AnyConnect clients or IPsec clients
on different ASAs be unique?
A: Yes. IP address pools must be unique for each device.
Using Load Balancing and Failover on the Same Device
Q: Can a single device use both load balancing and failover?
A: Yes. In this configuration, the client connects to the IP address of the cluster and is redirected to the
least-loaded ASA in the cluster. If that device fails, the standby unit takes over immediately, and there
is no impact to the VPN tunnel.
Load Balancing on Multiple Interfaces
Q: If we enable SSL VPN on multiple interfaces, is it possible to implement load balancing for both of
the interfaces?
A: You can define only one interface to participate in the cluster as the public interface. The idea is to
balance the CPU loads. Multiple interfaces converge on the same CPU, so the concept of load balancing
on multiple interfaces has no meaning.
Maximum Simultaneous Sessions for Load Balancing Clusters
Q: Consider a deployment of two ASA 5520s, each with a 100-user SSL VPN license. In a
load-balancing cluster, does the maximum total number of users allow 200 simultaneous sessions, or
only 100? If we add a third device later with a 100-user license, can we now support 300 simultaneous
sessions?
A: With VPN load balancing, all devices are active, so the maximum number of sessions that your cluster
can support is the total of the number of sessions for each of the devices in the cluster, in this case 300.
Viewing Load Balancing
The load-balancing cluster master receives a periodic message from each ASA in the cluster with the
number of active AnyConnect and clientless sessions, as well as the maximum allowed sessions based
on the configured or license limits. If an ASA in the cluster shows 100 percent full capacity, the cluster
master cannot redirect more connections to it. Although the ASA may show as full, some users may be
in inactive/wait-to-resume state, wasting the licenses. As a workaround, each ASA provides the total
number of sessions minus the sessions in inactive state, instead of the total number of sessions. (Refer
to the -sessiondb summary command in the command reference. In other words, the inactive sessions
are not reported to the cluster master. Even if the ASA is full (with some inactive sessions), the cluster
master still redirects connections to it if necessary. When the ASA receives the new connection, the
session that has been inactive the longest is logged off, allowing new connections to take its license.
The following example shows 100 SSL sessions (active only) and a 2 percent SSL load. These numbers
do not include the inactive sessions. In other words, inactive sessions do not count towards the load for
load balancing.
hostname#
Cisco ASA Series CLI Configuration Guide
1-16
load-balancing
Status : enabled
Role : Master
Chapter 1 Setting General VPN Parameters