Cisco ASA Series CLI Configuration Guide
Chapter 1 Setting General VPN Parameters
Understanding Load Balancing
VPN Load-Balancing Algorithm
The master device maintains a sorted list of backup cluster members in ascending IP address order. The
load of each backup cluster member is computed as an integer percentage (the number of active
sessions). AnyConnect inactive sessions do not count towards the SSL VPN load for load balancing. The
master device redirects the IPsec and SSL VPN tunnel to the device with the lowest load until it is 1
percent higher than the rest. When all backup cluster members are 1% higher than the master, the master
device redirects to itself.
For example, if you have one master and two backup cluster members, the following cycle applies:
Note All nodes start with 0%, and all percentages are rounded half-up.
1. The master device takes the connection if all members have a load at 1% higher than the master.
2. If the master does not take the connection, the session is taken by whichever backup device has the
least load percentage.
3. If all members have the same percentage load, the backup device with the least number of sessions
gets the session.
4. If all members have the same percentage load and the same number of sessions, the device with the
lowest IP address gets the session.
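The selection rules above, as an added simulation written for this page (not code from the Cisco guide). The page gives no capacities or addresses, so the per-device session capacity used to derive the integer load percentage and the IP addresses are assumed values.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from ipaddress import IPv4Address


@dataclass
class Member:
    ip: str
    capacity: int      # max concurrent sessions (assumed; not given on the page)
    sessions: int = 0  # active sessions; AnyConnect inactive sessions would be excluded

    def load_pct(self) -> int:
        # Integer load percentage, rounded half-up as the note in the guide states.
        pct = Decimal(self.sessions * 100) / Decimal(self.capacity)
        return int(pct.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def choose(master: Member, backups: list[Member]) -> Member:
    """Return the cluster member that the master redirects the next tunnel to."""
    # The master keeps its backup list sorted in ascending IP address order.
    ordered = sorted(backups, key=lambda m: IPv4Address(m.ip))
    # Step 1: the master takes the session once every backup is 1% (or more) above it.
    if all(b.load_pct() >= master.load_pct() + 1 for b in ordered):
        return master
    # Steps 2-4: lowest load %, then fewest sessions, then lowest IP address.
    return min(ordered, key=lambda m: (m.load_pct(), m.sessions, IPv4Address(m.ip)))


def assign(master: Member, backups: list[Member], count: int) -> list[str]:
    """Assign `count` new sessions in turn and return the IP chosen for each."""
    chosen = []
    for _ in range(count):
        target = choose(master, backups)
        target.sessions += 1
        chosen.append(target.ip)
    return chosen


if __name__ == "__main__":
    # Constructed cluster: one master and two backups, all starting at 0%.
    master = Member("10.0.0.1", capacity=100)
    backups = [Member("10.0.0.3", capacity=100), Member("10.0.0.2", capacity=100)]
    for ip in assign(master, backups, 6):
        print("session redirected to", ip)
```

With equal capacities the cycle is backup with the lowest IP, the other backup, then the master, repeating once both backups sit 1% above the master.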
VPN Load-Balancing Cluster Configurations
A load-balancing cluster can consist of ASAs of the same release, of mixed releases, as well as VPN
3000 concentrators, or a mixture of these, subject to the following restrictions:
• Load-balancing clusters that consist of same release ASAs or all VPN 3000 concentrators can run
load balancing for a mixture of IPsec, AnyConnect, and clientless SSL VPN sessions.
• Load-balancing clusters that consist of both same release ASAs and VPN 3000 concentrators can
run load balancing for a mixture of IPsec, AnyConnect, and clientless SSL VPN sessions.
• Load-balancing clusters that include mixed release ASAs or same release ASAs and VPN 3000
concentrators or both can support only IPsec sessions. In such a configuration, however, the ASAs
might not reach their full IPsec capacity. Scenario 1: Mixed Cluster with No SSL VPN Connections
illustrates this situation.
Since Release 7.1(1), IPsec and SSL VPN sessions count or weigh equally in determining the load that
each device in the cluster carries. This is a change from the load-balancing calculation for the ASA
Release 7.0(x) software and the VPN 3000 concentrator. Both platforms use a weighting algorithm that
on some hardware platforms calculates the SSL VPN session load differently from the IPsec session
load.
The virtual master of the cluster assigns session requests to the members of the cluster. The ASA regards
all sessions, SSL VPN or IPsec, as equal and assigns them accordingly. You can configure the number
of IPsec and SSL VPN sessions to allow up to the maximum allowed by your configuration and license.
See Configuring VPN Session Limits for a description of how to set these limits.
We have tested up to ten nodes in a load-balancing cluster. Larger clusters might work, but we do not
officially support such topologies.