Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter68 Configuring IKE, Load Balancing, and NAC
Configuring Load Balancing
the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit
that is now in standby state takes over the standby IP addresses of the active unit. If an active unit fails,
the standby takes over without any interruption to the client VPN tunnel.
Load Balancing Prerequisites
Load balancing is disabled by default. You must explicitly enable load balancing.
You must have first configured the public and private interfaces and also have previously configured
the interface to which the virtual cluster IP address refers.
All devices that participate in a cluster must share the same cluster-specific values: IP address,
encryption settings, encryption key, and port. All of the outside and inside network interfaces on the
load-balancing devices in a cluster must be on the same IP network.
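The prerequisites above can be checked offline before a device joins the cluster. The following is an added example, not part of the Cisco guide or of ASDM: it assumes the per-device settings have already been collected into dictionaries, and the device names, field names, addresses and secrets are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed inventory: hypothetical device names, documentation-range addresses.
DEVICES = [
    {"name": "asa-1", "participate": True, "cluster_ip": "192.0.2.10",
     "udp_port": 9023, "encryption": True, "secret": "constructed-secret",
     "public_if": "192.0.2.1/24", "private_if": "10.10.0.1/24"},
    {"name": "asa-2", "participate": True, "cluster_ip": "192.0.2.10",
     "udp_port": 9024, "encryption": True, "secret": "constructed-secert",
     "public_if": "192.0.2.2/24", "private_if": "10.10.1.2/24"},
    {"name": "asa-3", "participate": False, "cluster_ip": "192.0.2.10",
     "udp_port": 9023, "encryption": True, "secret": "constructed-secret",
     "public_if": "192.0.2.3/24", "private_if": "10.10.0.3/24"},
]

# Cluster-specific values that every participant must share.
SHARED_FIELDS = ("cluster_ip", "udp_port", "encryption", "secret")


def check_cluster(devices):
    """Return findings as (code, detail) tuples; an empty list means all checks pass."""
    findings = []
    for dev in devices:
        if not dev["participate"]:  # load balancing is disabled by default
            findings.append(("not_enabled", dev["name"]))
    for field in SHARED_FIELDS:
        groups = {}
        for dev in devices:
            value = dev[field]
            if field == "secret":  # compare digests so the secret is never reported
                value = hashlib.sha256(value.encode()).hexdigest()
            groups.setdefault(value, []).append(dev["name"])
        if len(groups) > 1:
            # Report the devices that disagree with the most common value.
            majority = max(groups.values(), key=len)
            odd = sorted(n for names in groups.values() if names is not majority for n in names)
            findings.append((f"mismatch:{field}", ",".join(odd)))
    for side in ("public_if", "private_if"):
        # All outside interfaces, and all inside interfaces, must share one IP network.
        networks = {ipaddress.ip_interface(dev[side]).network for dev in devices}
        if len(networks) > 1:
            findings.append((f"split_network:{side}", str(len(networks))))
    return findings


if __name__ == "__main__":
    for code, detail in check_cluster(DEVICES):
        print(code, detail)
```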
Fields
VPN Load Balancing—Configures virtual cluster device parameters.
Participate in Load Balancing Cluster—Specifies that this device is a participant in the
load-balancing cluster.
VPN Cluster Configuration—Configures device parameters that must be the same for the
entire virtual cluster. All servers in the cluster must have an identical cluster configuration.
Cluster IP Address—Specifies the single IP address that represents the entire virtual cluster.
Choose an IP address that is within the public subnet address range shared by all the ASAs in
the virtual cluster.
UDP Port—Specifies the UDP port for the virtual cluster in which this device is participating.
The default value is 9023. If another application is using this port, enter the UDP destination
port number you want to use for load balancing.
Enable IPsec Encryption—Enables or disables IPsec encryption. If you check this box, you
must also specify and verify a shared secret. The ASAs in the virtual cluster communicate via
LAN-to-LAN tunnels using IPsec. To ensure that all load-balancing information communicated
between the devices is encrypted, check this box.
Note: When using encryption, you must have previously configured the load-balancing inside
interface. If that interface is not enabled, you get an error
message when you try to configure cluster encryption.
If the load-balancing inside interface was enabled when you configured cluster encryption, but
was disabled before you configured the participation of the device in the virtual cluster, you get
an error message when you check the Participate in Load Balancing Cluster check box, and
encryption is not enabled for the cluster.
IPsec Shared Secret—Specifies the shared secret between IPsec peers when you have
enabled IPsec encryption. The value you enter in the box appears as consecutive asterisk
characters.
Verify Secret—Confirms the shared secret value entered in the IPsec Shared Secret box.
VPN Server Configuration—Configures parameters for this specific device.
Interfaces—Configures the public and private interfaces and their relevant parameters.
Public—Specifies the name or IP address of the public interface for this device.