68-28
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Configuring Load Balancing
Private—Specifies the name or IP address of the private interface for this device.
Priority—Specifies the priority assigned to this device within the cluster. The range is from 1
to 10. The priority indicates the likelihood of this device becoming the virtual cluster master,
either at start-up or when an existing master fails. The higher you set the priority (for example,
10), the more likely this device becomes the virtual cluster master.
Note If the devices in the virtual cluster are powered up at different times, the first device to be
powered up assumes the role of virtual cluster master. Because every virtual cluster requires a
master, each device in the virtual cluster checks when it is powered up to ensure that the cluster
has a virtual master. If none exists, that device takes on the role. Devices powered up and added
to the cluster later become backup devices. If all the devices in the virtual cluster are powered
up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously, and both have the
highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
NAT Assigned IP Address—Specifies the IP address that this device’s IP address is translated
to by NAT. If NAT is not being used (or if the device is not behind a firewall using NAT), leave
the field blank.
Send FQDN to client—Check this check box to cause the VPN cluster master to send a fully
qualified domain name using the host and domain name of the cluster device instead of the
outside IP address when redirecting VPN client connections to that cluster device.
By default, the ASA sends only IP addresses in load-balancing redirection to a client. If
certificates are in use that are based on DNS names, the certificates will be invalid when
redirected to a backup device.
As a VPN cluster master, this ASA can send a fully qualified domain name (FQDN), using
reverse DNS lookup, of a cluster device (another ASA in the cluster), instead of its outside IP
address, when redirecting VPN client connections to that cluster device.
All of the outside and inside network interfaces on the load-balancing devices in a cluster must
be on the same IP network.
To enable Clientless SSL VPN load balancing using FQDNs rather than IP addresses, perform the
following configuration steps:
Step 1 Enable the use of FQDNs for Load Balancing by checking the Send FQDN to client... check box.
Step 2 Add an entry for each of your ASA outside interfaces into your DNS server, if such entries are not
already present. Each ASA outside IP address should have a DNS entry associated with it for lookups.
These DNS entries must also be enabled for Reverse Lookup.
Step 3 Enable DNS lookups on your ASA on the dialog box Configuration > Device Management > DNS >
DNS Client for whichever interface has a route to your DNS server.
Step 4 Define your DNS server IP address on the ASA. To do this, click Add on this dialog box. This opens the
Add DNS Server Group dialog box. Enter the IP address of the DNS server you want to add; for example,
192.168.1.1 (IP address of your DNS server).
Step 5 Click OK and Apply.
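Because the master builds the redirect FQDN from a reverse DNS lookup and the client then validates that name against the backup device's certificate, a pre-flight check of Step 2 is worth running before enabling the feature. The following script is an added example, not code from the Cisco guide: it verifies for each outside IP that a PTR record exists, that the name it returns resolves back to the same IP, and that the name appears on that member's certificate. The addresses, host names and the offline resolver table are constructed for the demo; live_resolver() is the assumed way to run it against a real DNS server.

```python
"""Pre-flight check for FQDN-based ASA VPN load-balancing redirects (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

# A resolver is a pair of callables: reverse(ip) -> fqdn, forward(fqdn) -> [ip, ...].
Resolver = Tuple[Callable[[str], str], Callable[[str], List[str]]]

def live_resolver() -> Resolver:
    """Use the host's real DNS client (run from a box that uses the same DNS server as the ASA)."""
    return (lambda ip: socket.gethostbyaddr(ip)[0],
            lambda name: socket.gethostbyname_ex(name)[2])

def table_resolver(ptr: Dict[str, str], a: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by constructed PTR and A tables, so the check runs offline."""
    def reverse(ip: str) -> str:
        if ip not in ptr:
            raise socket.herror(1, "no PTR record")
        return ptr[ip]
    def forward(name: str) -> List[str]:
        return a.get(name, [])
    return reverse, forward

def check_member(ip: str, cert_names: List[str], resolver: Resolver) -> List[str]:
    """Return the problems found for one member's outside IP (empty list = ready for FQDN redirect)."""
    reverse, forward = resolver
    try:
        fqdn = reverse(ip)
    except OSError:  # socket.herror is an OSError subclass
        return [f"{ip}: no PTR record, so the master cannot redirect clients to it by FQDN"]
    try:
        addrs = forward(fqdn)
    except OSError:  # socket.gaierror on a live resolver
        addrs = []
    problems = []
    if ip not in addrs:  # forward lookup must agree with the PTR (Step 2)
        problems.append(f"{ip}: PTR names {fqdn}, but {fqdn} does not resolve back to {ip}")
    if fqdn.lower() not in (n.lower() for n in cert_names):  # the name the client validates
        problems.append(f"{ip}: {fqdn} is not a subject or SAN name on this member's certificate")
    return problems

# Constructed demo data (hypothetical addresses and names, not from the guide):
# .10 is correct, .11 has a PTR whose A record points elsewhere, .12 has no PTR at all.
DEMO_PTR = {"203.0.113.10": "asa1.example.net", "203.0.113.11": "asa2.example.net"}
DEMO_A = {"asa1.example.net": ["203.0.113.10"], "asa2.example.net": ["203.0.113.99"]}
DEMO_MEMBERS = {"203.0.113.10": ["asa1.example.net"],
                "203.0.113.11": ["asa2.example.net"],
                "203.0.113.12": ["asa3.example.net"]}

if __name__ == "__main__":
    resolver = table_resolver(DEMO_PTR, DEMO_A)
    for member_ip, names in DEMO_MEMBERS.items():
        issues = check_member(member_ip, names, resolver)
        print(member_ip, "OK" if not issues else "; ".join(issues))
```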
Modes
The following table shows the modes in which this feature is available: