Asa Vpn Load Balancing Site To Site


Internet ISP goes down at site 1: Internet traffic is rerouted to the next available route, which is my VPN ISP. VPN ISP goes down at site 1: VPN traffic is rerouted through back-up VPN over internet ISP. Site 2 shows no connectivity on primary VPN and reroutes VPN traffic through back-up VPN. Might I add that site 1 also has redundant ASA's. VPN load balancing is a mechanism that is used in order to equitably distribute network traffic among the devices in a virtual cluster. Load balancing is based on simple distribution; it does not take in to account throughput utilization or other factors. Hi Mark, It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the subnet that exits the outside interface UNLESS the destination is (the other end of the VPN). Shop for Best Price Vpn Load Balancing Asa And Cisco Asa Site To Site Vpn Redundancy. All other VPN connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which VPN load balancing is enabled, but they cannot participate in VPN load balancing. When multiple ASA nodes are grouped for load balancing, and using Group URLs is desired for AnyConnect client connections, the individual ASA nodes must.

A common SSL or IPSEC VPN configuration scenario is one like we’ve shown in the (simplistic) diagram below. A corporate office has two incoming ISP connections, each with their own range of IP addresses. Clients or sites have VPN connections to the corporate office to access back-office devices in the LAN. The problem arises when the primary router or ISP goes offline. VPN tunnels that are configured using a DNS name don’t fail over until DNS is updated, which is something our DNS Failover solution can nicely solve. But what about connections that rely on static IP addresses. I know Cisco ASA point-to-point VPNs require a fixed IP address, which is not uncommon amongst VPN hardware vendors. So what do you do in that case?

Total Uptime Cloud Load Balancing can help in this situation too. We can step into the middle, between the client and your public facing Internet connections in order to provide something almost equal to a VPN cloud. The image below explains how this works pretty quickly. Because you’re given a static IP in our cloud, all VPN clients and tunnels use this as the VPN end-point. When we receive the traffic we simply proxy it over to the currently active IP address associated with your router or firewall, or if desired and capable, we evenly distribute incoming connections between the two ISPs. When the IP fails to respond based on the monitoring you specify, we automatically stop sending traffic to that link. Of course, this results in a disconnect for the clients traversing that VPN tunnel, but the tunnel is quickly reestablished within a matter of seconds.

Consider another scenario – a typical configuration where a larger organization has two offices. Each office has their own firewall and VPN appliance for clients and other sites to connect. Additionally, each office is connected to the other by a private line. In this scenario, Total Uptime can also distribute VPN client connections to each office’s VPN appliance so when one ISP link goes down, VPN tunnels will reestablish through the remaining office. Because the two offices are interconnected via a private line, the clients can still connect to the LAN.

Of course, there really is no limitation to the different configuration possibilities. We can route traffic to 1, 2, 3 or a dozen different servers or devices. We can route any TCP or UDP port you’ll ever need and have successfully worked with almost any type of connection from DSL and Cable to T1 lines and more. Plus, it doesn’t matter where the connections are located around the world. We probably have a cloud node somewhere nearby. These are merely ideas that we’ve helped clients configure time and again. If you have a unique situation that could use some redundancy and uptime improvement, reach out to us! We’re happy to discuss all of the possibilities to determine if there is a way we can help your organization.

Similar Messages:

Cisco VPN :: ASA5510 - Site To Site With Dynamic IP In One Site

Jan 27, 2012

i want configure VPN between backoffice which have ASA5510 firewall with static IP and site which have cisco router 1861 with dynamic IP.
how i can configure the site to site between them?

Cisco VPN :: ASA 5510 - ISP Site To Site Failover With Single Remote Peer Address

Apr 16, 2011

I have a ASA 5510 actve/standby and create one site to site VPN with remote peer ip address xx.xx.xx.xx, Our VPN traffic running on 6 mb internet link for video conferancing traffic.Now client give another link 2 mb internet and client told to us our data traffic runnig on 2 mb link but this data traffic running on the same remote peer IP xx.xx.xx.xx.
Secondly request also they need failover over the ISP link.
how we immplement the same on ASA 5510.

Cisco VPN :: Site-to-site Failover On ASA 5520 / 3945 Routers

Jan 23, 2012

I am building a site to site VPN from our headquarters to a customer. I am using an ASA 5520. The customer is using Cisco 3945 routers. The customer has two VPN termination points. The customer requests that we make one of their termination points the primary VPN connection and make the other termination point the backup in the event that the primary VPN fails. How do I configure this on the ASA? Does the below configuration fulfill this goal?

Cisco VPN :: ASA 5520 / Site To Site Failover VPN Connection And Routing?

Apr 8, 2013

We have 3 sites, with a Cisco ASA 5520 at each location.
HQ (Headquarters) internal network:,
DR (Disaster Recovery) internal network:
BO (Branch Office) internal network:
HQ and DR have a 100Mbps permanent MPLS link between each other.Branch Office has a Site 2 Site VPN connection to HQ. If it fails, it establishes a Site 2 Site VPN connection to DR. This works perfectly.Now the routing issue... There is no route to the BO in the routing table at HQ/DR. The default gateway is used to reach the BO and that works for HQ when the VPN is between HQ/BO. If the VPN fails over to DR/BO, HQ can't reach BO anymore.I need to have some kind of conditional route injection from the ASA where the VPN is established. I was considering a tracked static route, but I was wondering if the S2S VPN itself has a functionality to do so. I thought the Reverse Route Injection was it but it's enabled on our crypto map and doesn't seem to work...

Cisco Firewall :: 5510 Site-to-Site VPN Failover

Mar 15, 2011

I configured ASA 5510 using dual ISP( Failover). Now my ASA working fine. Here my problem is My ASA 5510 configured for Site to Site VPN also.How my VPN switch to Secondary ISP automatically when primary ISP fails.

Cisco VPN :: Reverse Route Injection On ASA5510 Site-to-site

Jul 29, 2011

We have two ASA5510's connected to two different ISP's and both able to initiate a site-site IPsec connection to a remote site. Depending on the state of the ISP's either ASA may initiate this VPN.We use Reverse Route Injection into OSPF for VPN clients and it works fine with the route being distributed when a client connects and disappearing when there are no clients.So we thought we'd try it for our site-site VPN's. Unfortunately when we enable Reverse Route Injection the routes are distributed regardless of whether the VPN is up or not, so if one ASA has initiated a VPN it's reverse route is distributed (which is what we want) but the other ASA also distributes a route for it's non-existent VPN. The result is that our gateway routers see two OSPF routes and can't ascertain which route is actually up.
Is there any way to distribute the route using Reverse Route Injection (or any other method) only when a site-site VPN is actually up? For various reasons we can't use BGP or other gateway routing protocols.Our ASA5510 are currently running IOS 8.2(1)

Cisco VPN :: Network-access Between ASA5505 And ASA5510 (site-to-site)

May 9, 2011

we set up a site-to-site-vpn between a 5505 and a 5510 (both asa8.3.1). We configured both sides using the VPN-Wizard in the ASDM. When we try to ping from the network behind the 5505 ( to any host behind the 5510 ( the tunnel gets established but the ping doesn't get trough. After that we tried to connect via RDP to any host behind the 5510 and it worked well (same with ssh, telnet,vnc etc.). Now we want to map a network-share on a 2008-Server behind the 5510 but it's not working. In the ASDM-Log I see some 'denied by inside-access in'-messages for the ports 139 and 445. Isn't it right that the whole traffic in the vpn-tunnel bypasses the acl? Even if we open both ports we can't connect to the network-share?

Cisco VPN :: Multiple Site To Site IPSec Tunnels To One ASA5510

Dec 4, 2012

Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall.

Cisco VPN :: ASA5510 - Sample Configure VPN Site To Site On ASA 5512-x V.9.1

Mar 18, 2013

sample configer ASA 5512-x v.9.1 for VPN site to Site, i use to configure on ASA 5510 V.8.2 but on ver 9.1 i never configure. my is use that i dont know to how to configure nonat. i saw some configration as in the attach file they just to show configure VPN but we did not see nonot on command.

Cisco VPN :: Configure Site-to-site VPN Using 881 Router On End And Connecting To ASA5510?

Aug 22, 2011

I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my suppliers end.Our supplier has configured their end and I do not have access to their configuration.
They told us we have to NAT all inside address' to a single address ( as this is the only one they will let through their firewall/tunnel.I know how to set up the VPN but not too sure how to set up the NAT part.
My sanatized config is attached. The code I am using to NAT my inside network to the single address, and send all traffic accross the VPN tunnel as this address is correct? With the router running this config the VPN tunnel does not connect.

Cisco WAN :: Site-to-Site VPN ASA5510 - 887VA Dropping Every 20 Seconds

Apr 21, 2013

I have an issue with a site-to-site VPN tunnel between a ASA5510 and 887VA. I have two tunnels connected to the ASA and one seems to be affected where by the tunnel is disconnected and brought up around every 20 seconds. The tunnel is re-established instantly but this break in transmission is causing application issues.

Cisco VPN :: Site-to-site Vpn With Failover ASA5520

Sep 25, 2011

One local site where i have one ASA5520 . I have to create a site to site vpn with the remote site1 and site 2.vpn with site1 is primary and other is backup. local address on ASA is and on the remote site1 and site2 is have to make sure that if vpn with the site1 is active then the routing for should be towards vpn to site1. and if it goes down then failover to vpn2 to site 2.In case if the vpn1 to site1 comes up, the traffic should shift to VPN1 to site1.Access is from ASA5520 end client to the remote server.

Cisco VPN :: ASA5520 - Site-to-site VPN With ISP Failover

Apr 15, 2013

I am using the Cisco ASA 5520 with Software Version 8.2(3). I have several site-to-site VPN connections and two separate ISP connections. I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over. But I don't know how to do the same for the site-to-site IPSec VPN tunnels. I have read a few discussions on the Cisco Support Community but I am really confused about what to do. I have two outside interfaces: outside and WAN2. I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?
Here is my configuration for the cryptos and SLA tracker:
crypto map outside_map 10 match address ACL_VPN_1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer x.x.x.x x x.x.x.x
crypto map outside_map 10 set transform-set NAME_SET
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000(code)

Cisco VPN :: ASA 5510 / Failover For Site To Site VPN?

Nov 24, 2010

I have configured ISP failover on ASA 5510 its working fine, when Primary ISP fails, Traffic is shifting to secondary ISP. On the ASA i have configured Site to Site VPN its working fine on primary ISP, when failover happens to the secondry ISP. Site to Site VPN should work on the secondry ISP.

Cisco VPN :: ASA5510 Site To Site Tunnels Suddenly Goes One-way

May 15, 2011

I have a setup with a pair off ASA5510 on the central site, and approx 20 sites with ASA5505.A couple off network are configured as site to site tunnels to every remote site.Its very stable, but the last year or so ocassionally one of the tunnels go one-way.Just like one of the nat exeptions suddenly stops working.I can see the remote side transmitting packets, but no answer.Central site is running 8.22, want to upgrade but have to mount more RAM.The only cure i have found is to reboot the central pair off ASA5510, not very popular as all 20 tunnels goes down.

Cisco VPN :: Establish Site To Site VPN Between ASA5510 To 5520

Jul 26, 2011

I'm trying to establish site to site VPN between ASA5510 to ASA5520, scenario. [code] our Vendor said to nat the local network to specific ip and use that ip as local pool,here the configuration details [code] i create static nat but its doesn't work for me phase 1 is not up, how to create nat local network to

Cisco VPN :: Establishing Site-to-Site VPN Between ASA5510 And Fortigate1000A?

Feb 8, 2012

I am trying to establish a Site-to-Site VPN to our customer. I am using ASA5510 and the customer was using Fortigate 1000A. The problem that we're having was regarding the IKE Phase 2, I think!. Cisco debug information indicates 'All IPSec SA proposals found unacceptable!'

Cisco VPN :: ASA5510 / Site To Site Vpn Access Blocked?

Sep 4, 2012

I have two sites connected using ASA5510 version 6.4(5)
site A site B -- ASA -------internet ------------ASA --
From site A, i can vnc, rdp, telenet and ssh to site B, however from site B am not able to rdp, vnc telnet or ssh to site A (i can ping site A devices) guess am missing something in the policy but not sure if its in site A or Site B

Cisco VPN :: Site-to-Site VPN Between C2921 And ASA5510

Jun 25, 2012

I setup site to site VPN between C2921 (site A) and ASA 5510 (site B). I am having problems with SA being deleted:
1: I can alwasy initiate VPN connection from Site B to Site A.
2: after VPN tunnel is up and idle for a while, SA is dropped and I lost VPN connection from Site A to Site B.
3: to get the connection back, I have to ping Site A from Site B
4: when the connection is established, it works fine!

Cisco VPN :: ASA5510 Site-to-Site VPN Same LAN Subnets

Jan 21, 2013

I am setting up a VPN between my client and their owner, in order for the owner to access ressources at my clients site.Unfortunatly their owner already has an VPN connection to another site with the same subnet as the one on my clients site.I have setup a policy NAT to translate my clients internal LAN to a 'NAT' LAN, and i can ping from my clients LAN to their owners LAN, but their owner can not reach any ressources at my clients LAN.
My client has a ASA5510 with a base license, but their owner has their firewall and routing 'leased' or something like that, it actually was their ISP who configured the VPN settings. That means of course that i have very limited (no) access to the other site's firewall and I actually even dont know make and model of it.
And last but not least, the subnet the Owner needs to access is on my clients Core Switch and the ASA has an internal route to it.I have pasted in a interresting parts of the ASA config here below, the displayed subnets are not the real ones . [code]

Cisco WAN :: ASA5510- Site-to-site Using DNS Name

Asa Vpn Load Balancing Site To Siteground

VpnMay 31, 2011

I have some home office setups that have s2s VPNs which terminate on my netscreen SSG5. I am moving off the SSG and onto an ASA5510 but not sure if or how I can make this work? The end users do not have static IPs at this point. I use dyn dns on their home routers to update their DHCP IPs from the providers. If they can't get static IPs how can I specify the peer ID with a DNS name rather than IP address?

Cisco VPN :: ASA 5520 - Load Balancing And Failover

Jul 25, 2011

We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?

Cisco Routers :: RV042 Both Failover And Load Balancing?

Jan 27, 2012

We are looking at purchasing and RV042 soon and have one cruitcial question. I am looking at having two internet connections running into the RV042. The only load balancing is going to be that all the VOIP traffic will go through one connection (eg WAN2) and then have all other traffic (such as web and email) through WAN1.
I am looking to have it so that if one of the internet connections goes down then it will failover EVERYTHING to the one that is working so both the VOIP and all the other traffic share the same connection until both WANs then go back online.

Cisco WAN :: 1921 Dual ADSL Load Balancing / Failover?

Mar 28, 2011

We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
I had a look at ppp multilink but I am unsure our ISP (BT) support this?
!! Last configuration change at 13:18:34 UTC Tue Mar 29 2011!version 15.0service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname xxxxxx

Cisco VPN :: ASA 5520 - Load Balancing With Active / Standby Failover

Jul 8, 2010

1) 2 x ASA 5520, running 8.2
2) Both ASA are in same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASA’s in the equation. Just these 2. NOTE: this is not a Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use VPN load balancing feature?
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1 Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASA’s “active/active”, but it is not
The other confusing thing I have seen is that VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on a ASA Active/Standby cluster. I guess I could draw addresses from external DHCP server, and then do some kind of routing. Perhaps this will work?

Cisco Security :: Load Balancing With ASA5510

Aug 29, 2011

We have an ASA5510 with two ADSL lines connected and the auto fail-over set up - this is all tested and if the main line fails, the backup line is used in it's place - no problem there.
However, I'd like to increase our connection speed, and one way I've done this in the past is to add a couple of extra ADSL lines to a router that is capable of load balancing.
I'm aware that the ASA5510 does not load balance (seems a waste as we've got the backup line just sitting there doing nothing!), but would it be feasible to add another router in front of the ASA device to perform this load balancing function?

Cisco VPN :: 5510 Site To Site VPN Access To Servers With Overlapped Remote Site

May 18, 2012

I have a requirement to create a site to site vpn tunnel on ASA 5510 from a remote site to my HO, ihave already other site-to-site tunnels are up and running on the ASA.The issue is my remote site has got the network address which falls in one of the subnet used in HO( requirement is only My remote site need to accees couple of my servers in HO which is in subnet.

DQ77BK - Hardware To Do Load Balancing / Failover With 2 Internet Connections?

Nov 29, 2012

Site To Site Vpn Service

I am going to use a DQ77BK motherboard, which does 'dual band' LAN. I have been told that with this, i can use two internet connections (from two different providers), so that when one fails, my computer still uses the other one. As you have understood, i need to be safetly connected to internet. I cannot have internet switched off in the middle of my work.
So, what do i need to do this ?
- Do i need 2 wifi cards, or would 1 'dual band' wifi card (like the Intel centrino 6200) be enough to handle it ?
- Do i need two antennas ?

Cisco Switching/Routing :: 1941 Auto Failover With Load Balancing?

Jan 27, 2013

One of our customer has 3 ISP Line, out of which Two are Broadband and One is Leased Line. All 3 ISP interfaces are Etherent.
Now, they want Auto Failover with Load balancing among these 3 ISP lines.
Can we do same implementation in Cisco 1941 Router?? What licenses required in router for same?

Asa Vpn Load Balancing

Cisco VPN :: 5520 Requirement To Terminate Site-to-site VPN From Remote Site

Cisco Asa Vpn Load Balancing

Jun 17, 2012

Cisco Vpn Site To Site

We have ordered a pair of Cisco ASA5520 (ASA5520-BUN-K9).Now there is a requirement to terminate site-to-site VPN from remote site. Do we need VPN plus licence for this and how much it cost?

Cisco VPN :: 877 / How To IPsec Site To Site Vpn Port Forwarding To Remote Site

Jun 13, 2012

The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
Below are my configure on the Cisco 877 in site A.
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad

Cisco VPN :: 5505 - Site To Site Connected But Cannot Ping Remote Site

Oct 11, 2011

cisco products and am struggling getting a VPN going between an ASA 5505 and 5510. I have a VPN created (using the VPN wizward on both) and it shows the VPN is up, but I can't ping the remote site (from either side).