VPN Load balancing

VPN load balancing can be helpful in utilizing the resources of two VPN appliances. For example, if we have licenses distributed or bound to two devices and we need to combine them, so that we can utilize the licenses to the fullest.

Navigate to Configurations -> Remote Access VPN -> Load Balancing and configure it with parameters as mentioned below.

For VPN load balancing, we will need three public IPs: two for the physical interfaces and one for the virtual IP. An IPsec password (pre-shared key) is configured so that the communication between the peers is encrypted.

Since AnyConnect runs over HTTPS, when performing certificate verification for load balancing with AnyConnect and the connection is redirected to an IP address, the client does all of its name checking against that IP address. The customer needs to make sure that this IP address is listed in the certificate's common name or subject alternative name. If the IP address is not present in these fields, the certificate will be deemed untrusted. We also need to enable “Send FQDN to client instead of IP address”.

In the VPN Server Configuration, we have the option to set a priority for the device. The device with the higher priority will act as the Master device and will load-balance the traffic. Configure the other ASA box with the same IPsec pre-shared key.

If the Master becomes unavailable for any reason, the secondary will take over as Master until the peer comes back online.
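As an added example (not from the original page), the following is the ASA CLI equivalent of the ASDM Load Balancing steps described above, for both appliances. The interface names (outside/inside), the addresses (203.0.113.0/24 documentation range), the DNS server, the hostnames and the cluster key are assumptions chosen for illustration; ASA-1 is given the higher priority so it becomes the Master, and "redirect-fqdn enable" is the CLI form of "Send FQDN to client instead of IP address".

```cisco
! Added example (not the page's own configuration). Addresses, interface
! names, hostnames and the cluster key are assumptions for illustration.
!
! --- ASA-1 (higher priority, becomes Master) ---
hostname ASA-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
!
! "cluster encryption" protects the load-balancing messages with IPsec
! (IKEv1), so IKEv1 must be enabled on the public interface.
crypto ikev1 enable outside
!
! Reverse DNS is required for "redirect-fqdn enable": the ASA resolves the
! selected member's IP to an FQDN before redirecting the client, so the
! certificate name check matches the FQDN instead of a bare IP address.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster key LB-PSK-EXAMPLE
 cluster encryption
 cluster port 9023
 priority 10
 redirect-fqdn enable
 participate
!
! --- ASA-2 (lower priority, takes over only while ASA-1 is unavailable) ---
hostname ASA-2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.12 255.255.255.0
!
crypto ikev1 enable outside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
!
! Same virtual IP, same key, same port and same encryption setting as ASA-1;
! only the priority differs.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.10
 cluster key LB-PSK-EXAMPLE
 cluster encryption
 cluster port 9023
 priority 5
 redirect-fqdn enable
 participate
```

The three public addresses are the two interface addresses (203.0.113.11 and .12) plus the virtual IP (203.0.113.10) that clients connect to. Because the cluster key, virtual IP and port must match on every member, a mismatch is the first thing to check when a unit does not join; the certificate presented by each member must cover the FQDN (or IP) the client is redirected to, as described above.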

We can check the VPN load balancing status with the following command:

ASA# show vpn load-balancing