User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Understanding Cluster Load Balancing (ASA)
The role of virtual cluster master is not tied to a physical device; it can shift among devices. If a
device in the cluster fails, the clients whose sessions were terminated can immediately reconnect to the
virtual cluster IP address, and the virtual cluster master directs those connections to another active
device in the cluster. Should the virtual cluster master itself fail, a secondary device in the cluster
immediately takes over as the new virtual cluster master. Even if several devices in the cluster fail,
users can continue to connect to the cluster as long as any one device in the cluster is available.
Understanding Redirection Using a Fully Qualified Domain Name (FQDN)
By default, the ASA sends only an IP address to the client in a load-balancing redirection. If the
identity certificates on the cluster devices are issued to DNS names, the client's certificate validation
fails when it is redirected to the bare IP address of a secondary device, because that address does not
match any name in the certificate. When acting as VPN cluster master, this security appliance can instead
send the fully qualified domain name (FQDN) of the cluster device (another security appliance in the
cluster) to which it is redirecting the VPN client connection. To obtain that FQDN, the security appliance
performs a reverse DNS lookup of the cluster device's outside IP address; the client then resolves the
FQDN to the outside IP address to complete the redirected, load-balanced connection. All outside and
inside network interfaces on the load-balancing devices in a cluster must be on the same IP network.
After you enable load balancing using FQDNs, add an entry for each of your ASA outside interfaces into
your DNS server, if such entries are not already present. Each ASA outside IP address needs a forward
(A) record for lookups, and these DNS entries must also be enabled for reverse lookup, that is, a
matching PTR record for each outside IP address. Enable DNS lookups on your ASA and define your DNS
server IP address on the ASA.
For the procedure to configure cluster load balancing, see Configuring Cluster Load Balance Policies
(ASA), page 30-5.
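The following model of the redirection decision is an added illustration for this guide and is not Cisco code or ASA behaviour copied from the product. It uses constructed sample data (three cluster members, a forward zone, a reverse zone in which one member has no PTR record, and certificates that carry only DNS names). It checks the DNS prerequisites listed above, then shows what the cluster master sends to a client with FQDN redirection off and on, and whether the client's certificate name check can succeed against that target. The load metric, the member names and the assumption that the master falls back to the bare IP address when the reverse lookup fails are all hypothetical.

```python
"""Model of ASA VPN load-balancing redirection with and without FQDN redirect.

Added illustration only, not Cisco code. All DNS records, member names,
load figures and certificate contents below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Member:
    """One cluster member, as seen by the virtual cluster master."""
    name: str
    outside_ip: str
    cert_names: frozenset   # names carried in the device's identity certificate
    sessions: int = 0       # hypothetical load metric; least-loaded member wins


# Constructed sample data: asa3 deliberately has no PTR record.
MEMBERS = [
    Member("asa1", "198.51.100.11", frozenset({"asa1.vpn.example.com"}), sessions=40),
    Member("asa2", "198.51.100.12", frozenset({"asa2.vpn.example.com"}), sessions=12),
    Member("asa3", "198.51.100.13", frozenset({"asa3.vpn.example.com"}), sessions=25),
]
FORWARD = {"asa1.vpn.example.com": "198.51.100.11",    # A records
           "asa2.vpn.example.com": "198.51.100.12",
           "asa3.vpn.example.com": "198.51.100.13"}
REVERSE = {"198.51.100.11": "asa1.vpn.example.com",    # PTR records
           "198.51.100.12": "asa2.vpn.example.com"}


def dns_prerequisite_report(members, forward, reverse):
    """Check the prerequisites the guide lists for FQDN redirection: every
    outside IP needs a PTR record, the PTR name must resolve forward to the
    same IP, and that name must appear in the member's certificate.
    Returns {member name: [problems]}; an empty list means the member is ready."""
    report = {}
    for m in members:
        problems = []
        fqdn = reverse.get(m.outside_ip)
        if fqdn is None:
            problems.append(f"no PTR record for {m.outside_ip}")
        else:
            if forward.get(fqdn) != m.outside_ip:
                problems.append(f"A record for {fqdn} does not match {m.outside_ip}")
            if fqdn not in m.cert_names:
                problems.append(f"certificate does not carry {fqdn}")
        report[m.name] = problems
    return report


def redirect_target(members, reverse, redirect_fqdn):
    """What the virtual cluster master sends to a connecting client.
    The least-loaded member is chosen. With FQDN redirection enabled the
    master looks the member's outside IP up in reverse DNS and sends the
    resulting name; otherwise (and, as assumed here, when the reverse lookup
    fails) it sends the bare IP address. Returns (member, string sent)."""
    target = min(members, key=lambda m: m.sessions)
    if redirect_fqdn and target.outside_ip in reverse:
        return target, reverse[target.outside_ip]
    return target, target.outside_ip


def client_accepts(redirect, members, forward):
    """Simulate the client's certificate name check after redirection.
    A name is resolved through forward DNS; the certificate presented by the
    member it reaches must carry exactly the string the client was told to
    connect to, so a bare IP validates only if the certificate lists that IP."""
    try:
        ipaddress.ip_address(redirect)
        ip = redirect
    except ValueError:
        ip = forward.get(redirect)
        if ip is None:
            return False
    member = next((m for m in members if m.outside_ip == ip), None)
    return member is not None and redirect in member.cert_names


if __name__ == "__main__":
    for name, problems in dns_prerequisite_report(MEMBERS, FORWARD, REVERSE).items():
        print(name, "OK" if not problems else "; ".join(problems))
    for flag in (False, True):
        _, sent = redirect_target(MEMBERS, REVERSE, flag)
        verdict = "accepts" if client_accepts(sent, MEMBERS, FORWARD) else "rejects certificate"
        print(f"redirect-fqdn {'on' if flag else 'off'}: master sends {sent}, client {verdict}")
```

Run as a script, the report flags asa3 for its missing PTR record, and the two redirections show the point of the section: with FQDN redirection off the client is sent 198.51.100.12, which matches no name in asa2's certificate; with it on the client is sent asa2.vpn.example.com, which does. A member whose PTR record is missing is still redirected to by IP in this model, which is why the guide asks for reverse entries on every outside address before enabling the feature.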
Configuring Cluster Load Balance Policies (ASA)
Use the ASA Cluster Load Balance page to enable load balancing for an ASA device in your remote
access VPN. You must explicitly enable load balancing, as it is disabled by default. All devices that
participate in a cluster must share the same cluster-specific values: IP address, encryption settings,
encryption key, and port. For more information on cluster load balancing, see Understanding Cluster
Load Balancing (ASA), page 30-4.
Note Load balancing requires an active 3DES/AES license and either an ASA Model 5510 with a Plus license or
an ASA Model 5520 or higher. The ASA device checks for this crypto license before enabling load
balancing. If it does not detect an active 3DES or AES license, the device refuses to enable load
balancing and also prevents the load-balancing system from internally configuring 3DES, unless the
license permits that usage.
Step 1 Do one of the following:
(Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load
Balance from the Policy selector.
(Policy View) Select Remote Access VPN > ASA Cluster Load Balance from the Policy Type
selector. Select an existing policy or create a new one.
The ASA Cluster Load Balance page opens.
Step 2 Select Participate in Load Balancing Cluster to indicate that the device belongs to a load-balancing
cluster.
Step 3 Configure the VPN Cluster Configuration options:
Cluster IP Address—Specify the single IP address that represents the entire virtual cluster. Choose
an IP address that is in the same subnet as the external interface.