
Thursday, December 17, 2015

VPN Clustering


VPN Clustering, also known as load balancing, enables multiple ASAs to share the load of remote-access VPN sessions. Load balancing directs each new session to the least loaded ASA, distributing the load across the cluster. This not only makes efficient use of system resources but also provides high availability (HA), and it helps deploy remote-access VPN cost-effectively. Different ASA models and the VPN 3060 Concentrator can coexist in a single cluster.

VPN Clustering can only be used for remote-access VPN; it cannot be used for site-to-site VPNs.

Remote connections to the VPN cluster can only be established from the Cisco VPN software or hardware VPN client, or via SSL VPN.
For the cluster to work, all ASAs must be configured with the same services.

Implementing VPN Clustering requires a virtual cluster, created by logically grouping two or more ASAs or VPN concentrators on the same subnet. To an outside client, the virtual cluster looks like a single device reachable at a single virtual IP address. A VPN client attempting a session connects first to this virtual address, and the cluster quickly and transparently redirects it to the least loaded device in the cluster.

At any given time one device in the cluster holds the role of virtual cluster master and therefore owns the virtual IP address. The virtual cluster master role is not tied to a particular device; it can shift among devices. If the virtual cluster master fails, one of the backup devices in the cluster takes over the master role and becomes the new virtual cluster master. This failover of the master role is not stateful, so all existing VPN sessions drop and each session must be re-established. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each one is, and distributes the session load accordingly. When a client connects to the virtual master IP address, the master replies with the global IP address of the least busy device in the cluster. In a second, transparent exchange the client connects directly to that device. In this way the virtual cluster master divides traffic evenly and efficiently across the devices.

If any device in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then redirects those sessions to an active device in the cluster. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as one device in it remains available.

Before configuring, make sure all ASAs are configured with public and private IP addresses and that all ASAs share the same virtual cluster IP address.

ASDM:

Config -> Features -> VPN -> Load Balancing ->
Enable the Load Balancing check box.
Enter the IP address of the cluster; this must be a public address.
Enable IPsec encryption to encrypt the data exchanged between cluster members.
The devices in the cluster communicate through a LAN-to-LAN tunnel using IPsec.
Specify the key used for encryption.
Select the private and public interfaces.
Priority ranges from 1 to 10.
If this ASA is behind a firewall, use NAT. This is the IP address configured on the router for performing the translation and statically assigned to the public interface of the ASA.
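The same settings expressed on the ASA command line, as an added example (not configuration from the original post). The interface names, addresses and key are assumptions chosen for illustration; the addresses come from the RFC 5737 documentation ranges. The `cluster ip address`, `cluster port`, `cluster key` and `cluster encryption` lines must be identical on every member, while `priority` and `nat` are per-member.

```text
! Added example: CLI equivalent of the ASDM "Load Balancing" steps.
! Interface names, addresses and the key are assumed values, not from the post.
vpn load-balancing
 ! Public and private interfaces the members use (names assumed)
 interface lbpublic outside
 interface lbprivate inside
 ! 1-10; a higher value makes this unit more likely to be elected virtual master
 priority 8
 ! Virtual cluster address clients connect to: public, and identical on all members
 cluster ip address 203.0.113.10
 ! UDP port for member-to-member load-balancing traffic (9023 is the default)
 cluster port 9023
 ! Encrypt the LAN-to-LAN exchange between members. Without these two lines the
 ! load and redirect messages cross the private subnet unencrypted.
 cluster encryption
 cluster key ChangeMe-SharedClusterKey
 ! Only if this ASA sits behind a NAT device: the static public address the
 ! router translates to this member's public interface (commented out here)
 ! nat 203.0.113.21
 ! Optional: redirect clients by hostname rather than IP so SSL VPN clients
 ! see a certificate that matches the name they are sent to
 ! redirect-fqdn enable
 participate
```

After applying the block on each member, `show vpn load-balancing` reports whether the unit is the virtual master or a backup, which peers it sees and the load on each; a member that lists no peers usually has a mismatched `cluster key`, `cluster port` or `cluster ip address`.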

Note:
Clustering supports single and multiple contexts, as well as routed and transparent mode. A single configuration is maintained across all units in the cluster using automatic configuration sync.
