Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 7 Using the High Availability and Scalability Wizard
Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard
Step 4 Click Finish.
The VPN cluster load balancing configuration is sent to the ASA.
VPN Cluster Load Balancing Configuration
If you have a remote-client configuration in which you are using two or more ASAs connected to the
same network to handle remote sessions, you can configure these devices to share their session load. This
feature is called load balancing, which directs session traffic to the least loaded device, thereby
distributing the load among all devices. Load balancing makes efficient use of system resources and
provides increased performance and system availability.
Use the VPN Cluster Load Balancing Configuration screen to set required parameters for a device to
participate in a load balancing cluster.
Enabling load balancing involves the following:
• Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
port (if necessary), and IPsec shared secret for the cluster. These values are identical for each device
in the cluster.
• Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Note Load balancing is effective only on remote sessions initiated with the Cisco VPN client (Version 3.0 and
later), the Cisco VPN 3002 hardware client (Version 3.5 and later), or the ASA 5505 configured as an
Easy VPN client. All other clients, including LAN-to-LAN connections, can connect to an ASA on which
load balancing is enabled, but these clients cannot participate in load balancing.
To implement load balancing, you logically group together two or more devices on the same private
LAN-to-LAN network into a virtual cluster by performing the following steps:
Step 1 Choose the single IP address that represents the entire virtual cluster. Specify an IP address that is within
the public subnet address range shared by all the ASAs in the virtual cluster.
Step 2 Specify the UDP port for the virtual cluster in which this device is participating. The default value is
9023. If another application is using this port, enter the UDP destination port number that you want to
use for load balancing.
Step 3 To enable IPsec encryption and ensure that all load-balancing information communicated between the
devices is encrypted, check the Enable IPsec Encryption check box. You must also specify and verify
a shared secret. The ASAs in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec. To
disable IPsec encryption, uncheck the Enable IPsec Encryption check box.
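The following added example (not part of the Cisco guide) audits saved configurations from several cluster members against the requirements in Steps 1 through 3: the same cluster IP and UDP port on every device, a cluster IP inside the shared public subnet, and IPsec encryption enabled. It assumes the settings appear as a CLI "vpn load-balancing" stanza with cluster ip address, cluster port, cluster encryption and participate lines, which this ASDM page does not show; the function names, device names and addresses are constructed for illustration.

```python
import ipaddress

DEFAULT_PORT = 9023  # default UDP port given in Step 2

def parse_lb(config):
    # Read the 'vpn load-balancing' stanza of one device's configuration text.
    lb = {"ip": None, "port": DEFAULT_PORT, "encryption": False, "participate": False}
    in_stanza = False
    for line in config.splitlines():
        if line.strip() == "vpn load-balancing":
            in_stanza = True
        elif in_stanza:
            if not line.startswith(" "):  # stanza ends at the next top-level line
                break
            words = line.split()
            if words[:3] == ["cluster", "ip", "address"]:
                lb["ip"] = ipaddress.ip_address(words[3])
            elif words[:2] == ["cluster", "port"]:
                lb["port"] = int(words[2])
            elif words == ["cluster", "encryption"]:
                lb["encryption"] = True
            elif words == ["participate"]:
                lb["participate"] = True
    return lb

def audit_cluster(configs, public_subnet):
    # configs: {device_name: config_text}; returns a list of findings.
    net = ipaddress.ip_network(public_subnet)
    parsed = {name: parse_lb(text) for name, text in configs.items()}
    findings = []
    for field in ("ip", "port"):  # cluster-wide values must match on every device
        if len({lb[field] for lb in parsed.values()}) > 1:
            findings.append(f"cluster {field} differs between devices")
    for name, lb in sorted(parsed.items()):
        if lb["ip"] is None or lb["ip"] not in net:
            findings.append(f"{name}: cluster IP not in public subnet {net}")
        if not lb["encryption"]:
            findings.append(f"{name}: IPsec encryption disabled")
        if not lb["participate"]:
            findings.append(f"{name}: not participating")
    return findings

# Constructed sample configurations (documentation addresses, not from the guide).
ASA1 = "vpn load-balancing\n cluster ip address 192.0.2.10\n cluster encryption\n participate\n"
ASA2 = "vpn load-balancing\n cluster ip address 192.0.2.10\n cluster port 9024\n participate\n"

if __name__ == "__main__":
    for finding in audit_cluster({"asa1": ASA1, "asa2": ASA2}, "192.0.2.0/24"):
        print(finding)
```

The shared secret is not compared, because the example assumes a saved configuration does not expose it in clear text.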