Asa Vpn Load Balancing Site To Site


Select Configuration > Features > VPN > Load Balancing, and check Participate in Load Balancing Cluster to enable VPN load balancing. Complete these steps to configure the parameters for all ASAs participating in the cluster in the VPN Cluster Configuration group box: Type the IP address of the cluster in the Cluster IP Address text box.

Set up VPN load balancing by entering the vpn load-balancing command in global configuration mode. Example:

    hostname(config)# vpn load-balancing
    hostname(config-load-balancing)#

This enters vpn-load-balancing configuration mode, in which you can configure the remaining load-balancing attributes.

Similar Messages:

Cisco VPN :: ASA5510 - Site To Site With Dynamic IP In One Site

Jan 27, 2012

I want to configure a VPN between the back office, which has an ASA5510 firewall with a static IP, and a site which has a Cisco 1861 router with a dynamic IP.
How can I configure the site-to-site between them?

Cisco VPN :: ASA 5510 - ISP Site To Site Failover With Single Remote Peer Address

Apr 16, 2011

I have an ASA 5510 active/standby and created one site-to-site VPN with remote peer IP address xx.xx.xx.xx. Our VPN traffic is running on a 6 Mb internet link for video conferencing traffic. Now the client has given another 2 Mb internet link, and the client told us our data traffic is running on the 2 Mb link, but this data traffic is running on the same remote peer IP xx.xx.xx.xx.
Secondly, they have also requested failover over the ISP link.
How do we implement the same on the ASA 5510?

Cisco VPN :: Site-to-site Failover On ASA 5520 / 3945 Routers

Jan 23, 2012

I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?

Cisco VPN :: ASA 5520 / Site To Site Failover VPN Connection And Routing?

Apr 8, 2013

We have 3 sites, with a Cisco ASA 5520 at each location.
HQ (Headquarters) internal network:,
DR (Disaster Recovery) internal network:
BO (Branch Office) internal network:
HQ and DR have a 100Mbps permanent MPLS link between each other. Branch Office has a Site 2 Site VPN connection to HQ. If it fails, it establishes a Site 2 Site VPN connection to DR. This works perfectly. Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore. I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has a functionality to do so. I thought the Reverse Route Injection was it but it's enabled on our crypto map and doesn't seem to work...

Cisco Firewall :: 5510 Site-to-Site VPN Failover

Mar 15, 2011

I configured an ASA 5510 using dual ISP (failover). Now my ASA is working fine. My problem is that my ASA 5510 is also configured for site-to-site VPN. How can my VPN switch to the secondary ISP automatically when the primary ISP fails?

Cisco VPN :: Reverse Route Injection On ASA5510 Site-to-site

Jul 29, 2011

We have two ASA5510s connected to two different ISPs and both able to initiate a site-site IPsec connection to a remote site. Depending on the state of the ISPs, either ASA may initiate this VPN. We use Reverse Route Injection into OSPF for VPN clients and it works fine, with the route being distributed when a client connects and disappearing when there are no clients. So we thought we'd try it for our site-site VPNs. Unfortunately, when we enable Reverse Route Injection the routes are distributed regardless of whether the VPN is up or not, so if one ASA has initiated a VPN its reverse route is distributed (which is what we want) but the other ASA also distributes a route for its non-existent VPN. The result is that our gateway routers see two OSPF routes and can't ascertain which route is actually up.
Is there any way to distribute the route using Reverse Route Injection (or any other method) only when a site-site VPN is actually up? For various reasons we can't use BGP or other gateway routing protocols. Our ASA5510s are currently running IOS 8.2(1).

Cisco VPN :: Network-access Between ASA5505 And ASA5510 (site-to-site)

May 9, 2011

We set up a site-to-site VPN between a 5505 and a 5510 (both asa8.3.1). We configured both sides using the VPN Wizard in the ASDM. When we try to ping from the network behind the 5505 ( to any host behind the 5510 ( the tunnel gets established but the ping doesn't get through. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with ssh, telnet, vnc etc.). Now we want to map a network share on a 2008 Server behind the 5510 but it's not working. In the ASDM log I see some 'denied by inside-access in' messages for the ports 139 and 445. Isn't it right that the whole traffic in the VPN tunnel bypasses the ACL? Even if we open both ports we can't connect to the network share?

Cisco VPN :: Multiple Site To Site IPSec Tunnels To One ASA5510

Dec 4, 2012

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.

Cisco VPN :: ASA5510 - Sample Configure VPN Site To Site On ASA 5512-x V.9.1

Mar 18, 2013

I need a sample configuration for ASA 5512-x v9.1 for site-to-site VPN. I used to configure on ASA 5510 v8.2, but I have never configured on version 9.1. My issue is that I don't know how to configure nonat. I saw some configuration, as in the attached file, that just shows how to configure the VPN, but we did not see nonat in the commands.

Cisco VPN :: Configure Site-to-site VPN Using 881 Router On End And Connecting To ASA5510?

Aug 22, 2011

I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my supplier's end. Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside addresses to a single address ( as this is the only one they will let through their firewall/tunnel. I know how to set up the VPN but I am not too sure how to set up the NAT part.
My sanitized config is attached. Is the code I am using to NAT my inside network to the single address, and send all traffic across the VPN tunnel as this address, correct? With the router running this config the VPN tunnel does not connect.

Cisco WAN :: Site-to-Site VPN ASA5510 - 887VA Dropping Every 20 Seconds

Apr 21, 2013

I have an issue with a site-to-site VPN tunnel between an ASA5510 and an 887VA. I have two tunnels connected to the ASA and one seems to be affected, whereby the tunnel is disconnected and brought up around every 20 seconds. The tunnel is re-established instantly but this break in transmission is causing application issues.

Cisco VPN :: Site-to-site Vpn With Failover ASA5520

Sep 25, 2011

One local site where I have one ASA5520. I have to create a site-to-site VPN with the remote site1 and site 2. The VPN with site1 is primary and the other is backup. Local address on ASA is and on the remote site1 and site2 is have to make sure that if the VPN with site1 is active then the routing for should be towards the VPN to site1, and if it goes down then fail over to vpn2 to site 2. In case vpn1 to site1 comes up, the traffic should shift to VPN1 to site1. Access is from the ASA5520 end client to the remote server.

Cisco VPN :: ASA5520 - Site-to-site VPN With ISP Failover

Apr 15, 2013

I am using the Cisco ASA 5520 with Software Version 8.2(3). I have several site-to-site VPN connections and two separate ISP connections. I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over. But I don't know how to do the same for the site-to-site IPSec VPN tunnels. I have read a few discussions on the Cisco Support Community but I am really confused about what to do. I have two outside interfaces: outside and WAN2. I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?
Here is my configuration for the cryptos and SLA tracker:
crypto map outside_map 10 match address ACL_VPN_1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer x.x.x.x x x.x.x.x
crypto map outside_map 10 set transform-set NAME_SET
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

Cisco VPN :: ASA 5510 / Failover For Site To Site VPN?

Nov 24, 2010

I have configured ISP failover on an ASA 5510 and it's working fine: when the primary ISP fails, traffic shifts to the secondary ISP. On the ASA I have configured a site-to-site VPN and it's working fine on the primary ISP. When failover happens to the secondary ISP, the site-to-site VPN should work on the secondary ISP.

Cisco VPN :: ASA5510 Site To Site Tunnels Suddenly Goes One-way

May 15, 2011

I have a setup with a pair of ASA5510s on the central site, and approx 20 sites with ASA5505s. A couple of networks are configured as site-to-site tunnels to every remote site. It's very stable, but for the last year or so occasionally one of the tunnels goes one-way, just like one of the NAT exemptions suddenly stops working. I can see the remote side transmitting packets, but no answer. Central site is running 8.22; I want to upgrade but have to mount more RAM. The only cure I have found is to reboot the central pair of ASA5510s, which is not very popular as all 20 tunnels go down.

Cisco VPN :: Establish Site To Site VPN Between ASA5510 To 5520

Jul 26, 2011

I'm trying to establish a site-to-site VPN between an ASA5510 and an ASA5520; scenario: [code] Our vendor said to NAT the local network to a specific IP and use that IP as the local pool; here are the configuration details: [code] I created a static NAT but it doesn't work for me; phase 1 is not up. how to create nat local network to

Cisco VPN :: Establishing Site-to-Site VPN Between ASA5510 And Fortigate1000A?

Feb 8, 2012

I am trying to establish a Site-to-Site VPN to our customer. I am using an ASA5510 and the customer is using a Fortigate 1000A. The problem that we're having is regarding IKE Phase 2, I think! The Cisco debug information indicates 'All IPSec SA proposals found unacceptable!'

Cisco VPN :: ASA5510 / Site To Site Vpn Access Blocked?

Sep 4, 2012

I have two sites connected using ASA5510 version 6.4(5)
site A -- ASA ------- internet ------------ ASA -- site B
From site A, I can VNC, RDP, telnet and SSH to site B; however, from site B I am not able to RDP, VNC, telnet or SSH to site A (I can ping site A devices). I guess I am missing something in the policy, but I'm not sure if it's in site A or site B.

Cisco VPN :: Site-to-Site VPN Between C2921 And ASA5510

Jun 25, 2012

I set up a site-to-site VPN between a C2921 (site A) and an ASA 5510 (site B). I am having problems with the SA being deleted:
1: I can always initiate a VPN connection from Site B to Site A.
2: After the VPN tunnel is up and idle for a while, the SA is dropped and I lose the VPN connection from Site A to Site B.
3: To get the connection back, I have to ping Site A from Site B.
4: When the connection is established, it works fine!

Cisco VPN :: ASA5510 Site-to-Site VPN Same LAN Subnets

Jan 21, 2013

I am setting up a VPN between my client and their owner, in order for the owner to access resources at my client's site. Unfortunately their owner already has a VPN connection to another site with the same subnet as the one on my client's site. I have set up a policy NAT to translate my client's internal LAN to a 'NAT' LAN, and I can ping from my client's LAN to their owner's LAN, but their owner cannot reach any resources on my client's LAN.
My client has an ASA5510 with a base license, but their owner has their firewall and routing 'leased' or something like that; it actually was their ISP who configured the VPN settings. That means of course that I have very limited (no) access to the other site's firewall and I actually don't even know the make and model of it.
And last but not least, the subnet the owner needs to access is on my client's core switch and the ASA has an internal route to it. I have pasted in the interesting parts of the ASA config here below; the displayed subnets are not the real ones. [code]

Cisco WAN :: ASA5510- Site-to-site Using DNS Name

May 31, 2011

I have some home office setups that have s2s VPNs which terminate on my netscreen SSG5. I am moving off the SSG and onto an ASA5510 but not sure if or how I can make this work? The end users do not have static IPs at this point. I use dyn dns on their home routers to update their DHCP IPs from the providers. If they can't get static IPs how can I specify the peer ID with a DNS name rather than IP address?

Cisco VPN :: ASA 5520 - Load Balancing And Failover

Jul 25, 2011

We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?

Cisco Routers :: RV042 Both Failover And Load Balancing?

Jan 27, 2012

We are looking at purchasing an RV042 soon and have one crucial question. I am looking at having two internet connections running into the RV042. The only load balancing is going to be that all the VOIP traffic will go through one connection (e.g. WAN2) and then have all other traffic (such as web and email) through WAN1.
I am looking to have it so that if one of the internet connections goes down then it will failover EVERYTHING to the one that is working so both the VOIP and all the other traffic share the same connection until both WANs then go back online.

Cisco WAN :: 1921 Dual ADSL Load Balancing / Failover?

Mar 28, 2011

We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
I had a look at ppp multilink but I am unsure our ISP (BT) support this?
!
! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx

Cisco VPN :: ASA 5520 - Load Balancing With Active / Standby Failover

Jul 8, 2010

1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASAs in the equation. Just these 2. NOTE: this is not an Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use the VPN load balancing feature?
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1, Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs “active/active”, but it is not.
The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an IP address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server, and then do some kind of routing. Perhaps this will work?

Cisco Security :: Load Balancing With ASA5510

Aug 29, 2011

We have an ASA5510 with two ADSL lines connected and the auto fail-over set up - this is all tested and if the main line fails, the backup line is used in its place - no problem there.
However, I'd like to increase our connection speed, and one way I've done this in the past is to add a couple of extra ADSL lines to a router that is capable of load balancing.
I'm aware that the ASA5510 does not load balance (seems a waste as we've got the backup line just sitting there doing nothing!), but would it be feasible to add another router in front of the ASA device to perform this load balancing function?

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site-to-site VPN tunnel on an ASA 5510 from a remote site to my HO. I already have other site-to-site tunnels up and running on the ASA. The issue is my remote site has got a network address which falls in one of the subnets used in HO ( requirement is only that my remote site needs to access a couple of my servers in HO which is in subnet.

DQ77BK - Hardware To Do Load Balancing / Failover With 2 Internet Connections?

Nov 29, 2012

I am going to use a DQ77BK motherboard, which does 'dual band' LAN. I have been told that with this, I can use two internet connections (from two different providers), so that when one fails, my computer still uses the other one. As you have understood, I need to be safely connected to the internet. I cannot have the internet switched off in the middle of my work.
So, what do I need to do this?
- Do I need 2 wifi cards, or would 1 'dual band' wifi card (like the Intel Centrino 6200) be enough to handle it?
- Do I need two antennas?

Cisco Switching/Routing :: 1941 Auto Failover With Load Balancing?

Jan 27, 2013

One of our customers has 3 ISP lines, of which two are broadband and one is a leased line. All 3 ISP interfaces are Ethernet.
Now they want auto failover with load balancing among these 3 ISP lines.
Can we do the same implementation on a Cisco 1941 router? What licenses are required on the router for the same?

Cisco VPN :: 5520 Requirement To Terminate Site-to-site VPN From Remote Site

Jun 17, 2012

We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9). Now there is a requirement to terminate a site-to-site VPN from a remote site. Do we need a VPN Plus licence for this and how much does it cost?

Cisco VPN :: 877 / How To IPsec Site To Site Vpn Port Forwarding To Remote Site

Jun 13, 2012

The scenario is where a site-to-site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also, I could not ping the remote LAN or printer from the router.
Below is my configuration on the Cisco 877 at site A.
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad

Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizard on both) and it shows the VPN is up, but I can't ping the remote site (from either side).



Load balancing is the ability to have Cisco VPN Clients shared across multiple Adaptive Security Appliance (ASA) units without user intervention. Load-balancing ensures that the public IP address is highly available to users. For example, if the Cisco ASA that services the public IP address fails, another ASA in the cluster assumes the public IP address.



Ensure that you meet these requirements before you attempt this configuration:

  • You have assigned IP addresses on your ASAs and configured the default gateway.

  • IPsec is configured on the ASAs for the VPN Client users.

  • VPN users are able to connect to all ASAs with the use of their individually assigned public IP address.

Eligible Clients

Load balancing is effective only on remote sessions initiated with these clients:

  • Cisco VPN Client (release 3.0 or later)

  • Cisco VPN 3002 Hardware Client (release 3.5 or later)

  • Cisco ASA 5505 when acting as an Easy VPN client

All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.

Components Used

The information in this document is based on these software and hardware versions:

  • VPN Client Software Releases 4.6 and later

  • Cisco ASA Software Releases 7.0.1 and later

    Note: The 8.0(2) version extends load balancing support to ASA 5510 and ASA models later than 5520 that have a Security Plus license.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

This document uses this network setup:


Refer to the Cisco Technical Tips Conventions for more information on document conventions.


  • VPN virtual cluster IP address, User Datagram Protocol (UDP) port, and shared secret must be identical on every device in the virtual cluster.

  • All devices in the virtual cluster must be on the same outside and inside IP subnets.
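
One way to check these restrictions across saved ASA configurations before enabling the cluster, as an added example that is not part of the original document. The sample configurations, addresses, host names (asa1, asa2) and the function names parse and check_cluster are constructed for illustration; the check also flags members where cluster encryption or participation is not enabled.

```python
import ipaddress

# Constructed sample configuration (not from the original document).
# "cluster key" is shown masked, as assumed for saved `show running-config`
# output, so the shared secret itself is not compared here.
ASA1 = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.11 255.255.255.0
vpn load-balancing
 priority 10
 cluster key *****
 cluster ip address 192.0.2.10
 cluster port 9023
 cluster encryption
 interface lbpublic outside
 interface lbprivate inside
 participate
"""
ASA2 = ASA1.replace(".11 255", ".12 255")                # second member, same subnets
ASA2_BAD = (ASA2.replace("10.10.10.12", "10.10.20.12")   # different inside subnet
                .replace("port 9023", "port 9024")       # different cluster UDP port
                .replace(" cluster encryption\n", ""))   # encryption not enabled


def parse(cfg):
    """Return ({nameif: network}, load-balancing settings) for one config."""
    ifaces, name, section = {}, None, None
    lb = {"ip": None, "port": None, "encryption": False, "participate": False,
          "lbpublic": None, "lbprivate": None}
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):       # a top-level line starts a new section
            section = ("lb" if words == ["vpn", "load-balancing"]
                       else "if" if words[:1] == ["interface"] else None)
            name = None
        elif section == "if" and words[:1] == ["nameif"]:
            name = words[1]
        elif section == "if" and words[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif section == "lb" and words[:3] == ["cluster", "ip", "address"]:
            lb["ip"] = ipaddress.ip_address(words[3])
        elif section == "lb" and words[:2] == ["cluster", "port"]:
            lb["port"] = int(words[2])
        elif section == "lb" and words[:2] == ["cluster", "encryption"]:
            lb["encryption"] = True
        elif section == "lb" and words[:1] == ["participate"]:
            lb["participate"] = True
        elif section == "lb" and words[:1] == ["interface"] and len(words) == 3 \
                and words[1] in ("lbpublic", "lbprivate"):
            lb[words[1]] = words[2]        # nameif used for that role
    return ifaces, lb


def check_cluster(configs):
    """configs: {hostname: config text}. Returns a list of findings."""
    parsed = {host: parse(cfg) for host, cfg in configs.items()}
    findings = []
    for field in ("ip", "port"):           # must be identical on every member
        if len({lb[field] for _, lb in parsed.values()}) > 1:
            findings.append(f"cluster {field} differs between members")
    for role in ("lbpublic", "lbprivate"):  # same outside / inside subnet
        nets = {ifs.get(lb[role]) for ifs, lb in parsed.values()}
        if len(nets) > 1 or None in nets:
            findings.append(f"{role} interfaces are not on one subnet")
    for host, (_, lb) in parsed.items():
        if not lb["encryption"]:
            findings.append(f"{host}: cluster encryption is off")
        if not lb["participate"]:
            findings.append(f"{host}: not participating")
    return findings


if __name__ == "__main__":
    print(check_cluster({"asa1": ASA1, "asa2": ASA2_BAD}))
```

Because the shared secret is masked in the sample input, key agreement between members still has to be confirmed by re-entering the same secret on each device.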


IP Address Assignment

Ensure that the IP addresses are configured on the outside and inside interfaces and you are able to get to the Internet from your ASA.

Note: Ensure that ISAKMP is enabled on both the inside and outside interface. Select Configuration > Features > VPN > IKE > Global Parameters in order to verify this.

Cluster Configuration

This procedure shows how to use the Cisco Adaptive Security Device Manager (ASDM) to configure load balancing.

Note: Many of the parameters in this example have default values.

  1. Select Configuration > Features > VPN > Load Balancing, and check Participate in Load Balancing Cluster to enable VPN load balancing.

  2. Complete these steps to configure the parameters for all ASAs participating in the cluster in the VPN Cluster Configuration group box:

    1. Type the IP address of the cluster in the Cluster IP Address text box.

    2. Click Enable IPSec Encryption.

    3. Type the encryption key in the IPSec Shared Secret text box and type it again in the Verify Secret text box.

  3. Configure the options in the VPN Server Configuration group box:

    1. Select an interface that accepts the incoming VPN connections in the Public list.

    2. Select an interface that is the private interface in the Private list.

    3. (Optional) Change the priority that the ASA has in the cluster in the Priority text box.

    4. Type an IP address for the Network Address Translation (NAT) Assigned IP Address if this device is behind a firewall that uses NAT.

  4. Repeat the steps on all the participating ASAs in the group.

The example in this section uses these CLI commands to configure load balancing:


Select Monitoring > Features > VPN > VPN Statistics > Cluster Loads to monitor the load balancing feature on the ASA.


Use this section to confirm that your configuration works properly.


The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show vpn load-balancing—Verifies the VPN load balancing feature.


Use this section to troubleshoot your configuration.

Troubleshooting Commands

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug vpnlb 250—Used to troubleshoot the VPN load balancing feature.

Related Information