VPN Load Balance over 2 Internet Pipes
burbankmarc
Member Posts: 460
Hello,
I always seem to have a ton of ASA questions, I really need to roll through the security exams. But, I was hoping some of you could lend me a hand on this.
I would like to load balance VPN connections over 2 ASAs in different facilities. These 2 facilities are tied together with an MPLS connection. They have different global IPs so I'm not quite sure how I would do this.
I was thinking I could set up BGP at the 2 sites and have the ISPs load balance a single IP that the 2 ASAs share. But maybe I'm overthinking this.
Here's a rough diagram of the network I'm trying to accomplish this on.
Any ideas are greatly appreciated.
Comments
shednik Member Posts: 2,005
If they were on the same subnet I'd say the internal load balancing feature would work just fine, but I'm assuming there are no L2 extensions between the two sites since it's going over a provider's MPLS network to use a single IP subnet.
I can't think of a good way to load balance this, I'd be curious to see if anyone else has an idea though.
joe
cisco_trooper Member Posts: 1,441
I don't think you can load balance these. I believe you can provide failover with some of the later software versions on the ASA as long as you have an ASA on both ends, but I don't believe load balancing is an option. The firewall is building phase 1 and phase 2 SAs and building unidirectional SPIs for each flow. If you've got traffic going back and forth and that traffic were to be load balanced I think there would be invalid SPIs and the communication would fail. I might need to brush up on the guts of my L2L IPSec, but this is my initial thought.
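As an added illustration of cisco_trooper's point (this is constructed example code, not from the thread and not ASA code): a toy model of two independent IPsec gateways, each keeping its own SA database keyed by inbound SPI. When a per-packet balancer spreads one flow's ESP packets over both gateways behind a shared IP, the packets that land on the gateway that never negotiated the SA fail the SPI lookup and are dropped; keeping the flow pinned to the negotiating gateway delivers everything. Gateway names, SPI values and packet counts are all made up.

```python
# Constructed model: two independent IPsec gateways behind one shared IP.
# Each gateway has its own SA database; nothing is replicated between them.
import itertools


class Gateway:
    def __init__(self, name):
        self.name = name
        self.inbound_sas = {}                 # inbound SPI -> remote peer
        self._next_spi = itertools.count(0x1000)  # made-up SPI allocator

    def negotiate(self, peer):
        """IKE phase 2 on this gateway: allocate an inbound SPI for the peer.
        Only this gateway learns the SPI; its sibling never sees it."""
        spi = next(self._next_spi)
        self.inbound_sas[spi] = peer
        return spi

    def receive_esp(self, spi):
        """True if the SPI maps to a known SA (decrypt), False on invalid SPI (drop)."""
        return spi in self.inbound_sas


def run_flow(gateways, n_packets, balance):
    """Remote peer negotiates with gateways[0], then sends n_packets ESP packets.

    balance=True  -> packets are spread round-robin over all gateways, the way a
                     per-packet load balancer on a shared IP would spread them.
    balance=False -> packets stay pinned to the gateway that negotiated the SA.
    Returns (delivered, dropped_for_invalid_spi)."""
    spi = gateways[0].negotiate("remote-site")
    delivered = dropped = 0
    for i in range(n_packets):
        gw = gateways[i % len(gateways)] if balance else gateways[0]
        if gw.receive_esp(spi):
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped


if __name__ == "__main__":
    spread = run_flow([Gateway("asa-siteA"), Gateway("asa-siteB")], 10, balance=True)
    pinned = run_flow([Gateway("asa-siteA"), Gateway("asa-siteB")], 10, balance=False)
    print(f"balanced per packet: delivered={spread[0]} dropped={spread[1]}")
    print(f"pinned to one ASA:   delivered={pinned[0]} dropped={pinned[1]}")
```

The dropped count is exactly the share of packets steered to the gateway with no matching SA, which is the "invalid SPI" failure the comment above describes.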