ASA VPN load balancing and failover

Hi all.

We have two ASA 5520s configured as a primary unit and a standby unit in a failover configuration, and everything works fine.

Is it possible, with this configuration (failover), to also configure VPN load balancing/clustering?

Thank you

Daniele

Hi Daniele,

You cannot run both features, VPN load balancing and failover, on the same two ASA firewalls.

Where you need both features, you need more than two ASA firewalls: the first two ASAs work as a failover pair, and a third ASA works as a VPN cluster member with them. The following example uses four firewalls:

ASA1 (FO Active) - ASA2 (FO Standby)
        (VPN virtual master)
                |
                |
        (backup VPN device)
ASA3 (FO Active) - ASA4 (FO Standby)

Kind regards

Wajih

Tags: Cisco Security

Similar Questions

  • Network [vSphere 4.1] load balancing and failover for vMotion

    Good morning everyone.

    I have some doubts about the network configuration for vMotion in vSphere 4.1.

    I know that I can activate a single VMkernel portgroup for vMotion on a single host, but can I have this portgroup in a vSwitch with two or more physical NICs attached?

    Currently, I have a vSwitch with vMotion and management traffic with two NICs (see attachment).

    Both NICs work very well with failover for both kinds of traffic.

    I would like to switch to a vSwitch with multiple network cards and I have some doubts.

    It seems that I could configure it... but is load balancing for vMotion supported on vSphere 4.1?

    Also, having the vMotion portgroup in a switch with several network cards, is there a way to check which physical NIC is currently used by vMotion?

    I currently have an Enterprise license.

    Thank you all for your help.

    vMotion for vSphere pre-5 does not support multi-NIC. In vSphere 5 you can configure several vMotion-enabled VMkernel ports and select different active NICs to load balance between the two vmnics, but unfortunately not in vSphere 4.x.

    For ESXi management, if you set both network adapters active, you don't gain any advantage over active/standby because it will only use one vmnic unless there is a failure... but 1 vmnic is fine because bandwidth is usually not a problem for ESXi management alone.

    So the answer: upgrade to vSphere 5 for multi-NIC vMotion and don't worry about ESXi management, as one active network card is more than enough bandwidth.

    Here's a YouTube video on Multi-NIC vMotion configuration: http://www.youtube.com/watch?v=7njBRF2N0Z8

  • VPN load balancing

    Hello

    For VPN Concentrator load balancing, must a similar configuration be on both devices? Does the cluster master VPN Concentrator push the config to the other members of the cluster, or must it be done manually?

    Thanks in advance

    Hi Abu Alqader,

    The decision to use load balancing or VRRP depends a lot on your VPN environment.

    Personally, I think that load balancing is good/ideal if you have a lot of VPN clients, for example > 500 users. With 2 VPN3Ks load balancing, you can share VPN connectivity between the boxes and will not load down 1 VPN unit at any time. Also, if one of these boxes is down, affected VPN clients can still connect to the other device. But you must configure the backup VPN server in all the VPN Client software to achieve this.

    VRRP, however, has its own advantages. If the primary VPN device fails, all VPN Clients can still connect to 1 VPN gateway, since VRRP practically allows the backup device to inherit/use the primary/active VPN public IP (as the gateway). With regard to max users, VRRP is probably appropriate for low-end models like the 3005 (IPsec 200 / clientless 50) & 3015 (IPsec 100 / clientless 75).

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html

    However, the final decision depends on which option you feel better suits your environment. There is no right or wrong.

    Please rate if you find this post helpful.

    Rgds,

    AK

  • PIX / ASA - OSPF load balancing

    Hello

    I read that the PIX can load balance across equal-cost routes learned via OSPF. Does it send packets per packet, or is there another method for distributing the traffic to the equal-cost next hops?

    Thank you!!

    Lee

    Hello Lawrence,

    PIX 6.3 now supports load balancing using OSPF only (up to 3 default routes).

    The PIX can receive up to 3 default gateways (all with the same metric) from 3 different routes, and balance the load on a per-destination basis. Currently, there is no way for the PIX to determine which gateway a packet will be sent to. You cannot currently use static routes for load balancing.

    The hash algorithm used is not simple; it is very difficult to determine which route (next hop) a packet will be given for an IP source and destination pair. Basically, the PIX takes the source and destination IPs (two 32-bit numbers) and hashes them into one unique 16-bit number. Then the 16-bit number (0x0000 - 0xFFFF) is divided into thirds. The first 1/3 goes to gateway 1, the next 1/3 goes to gateway 2, and the last 1/3 goes to gateway 3.

    I hope this helps! If yes, please rate.

    Thank you
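    As an added example (not Cisco's code, and not the PIX's actual hash, which the reply says is not simple and which is not given here), the following Python models the scheme the answer describes: hash the source and destination address pair into a 16-bit number, split 0x0000-0xFFFF into thirds, and send each third to one gateway. The hash function, the gateway addresses and the traffic are all constructed for illustration.

```python
"""Model of per-flow next-hop selection as described in the reply above.

Added example: the hash below (FNV-1a plus a murmur3-style finaliser) is an
assumption; the PIX's real function is unpublished.  Only the structure is
taken from the reply: hash (src, dst) to 16 bits, carve the space into equal
slices, one slice per gateway.
"""
import ipaddress
from collections import Counter

GATEWAYS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed equal-cost next hops


def _octets(addr):
    return int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")


def hash16(src, dst):
    """Mix two 32-bit addresses into one 16-bit number (assumed hash)."""
    h = 0x811C9DC5                                   # FNV-1a offset basis
    for byte in _octets(src) + _octets(dst):
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    # murmur3 finaliser: a one-bit change in the input moves every output bit
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & 0xFFFFFFFF
    h ^= h >> 16
    return h & 0xFFFF


def select_gateway(src, dst, gateways=GATEWAYS):
    """Carve 0x0000-0xFFFF into equal slices, one per gateway."""
    width = 0x10000 // len(gateways)                 # 21845 for three gateways
    idx = min(hash16(src, dst) // width, len(gateways) - 1)   # 0xFFFF stays in the last slice
    return gateways[idx]


def sample_flows(n_src=32, n_dst=32):
    """Constructed traffic: n_src inside hosts each talking to n_dst outside hosts."""
    return [(f"192.168.1.{i}", f"203.0.113.{j}")
            for i in range(n_src) for j in range(n_dst)]


def distribution(flows, gateways=GATEWAYS):
    """How many of the given flows land on each gateway."""
    return Counter(select_gateway(s, d, gateways) for s, d in flows)


if __name__ == "__main__":
    print(distribution(sample_flows()))
    # The same pair always takes the same path; the reversed pair need not.
    print(select_gateway("192.168.1.7", "203.0.113.9"),
          select_gateway("203.0.113.9", "192.168.1.7"))
```

    Two things are visible in the output: a given source/destination pair always lands on the same next hop, so one large transfer never spreads across gateways, and the split is only even in aggregate over many flows. With the hash known, the path of any single flow is of course computable; the reply's point is that the PIX does not expose it.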

  • Load balancing and NIC teaming

    Hello

    We recently had to move our VMware file server after a rather nasty failure of its original hardware. Since we moved, it has mostly worked OK, but we do get the occasional network share hang when large files are thrown at it.

    The ESXi host it runs on uses 5 Gbit Ethernet adapters on the same virtual switch. Looking at the traffic, it would seem that all traffic flows through just a single network adapter and there is not much at all through the others. Is there something that I need to set up so that it can better load balance between network cards? Or is there a document anywhere with recommended settings for multiple network cards?

    I found a vDS topic but we have not undertaken more licensing on most of our servers.

    We run vSphere 4.1 via the vCenter server.

    Thanks for the help.

    faster4233 wrote:

    What you say makes a little more sense of what I see. There is very little traffic flowing through the other network cards, but that is perhaps because there isn't any real traffic going to them. I thought that VMware might use multiple NICs if it was required, which is why I thought I'd see more data on the others.

    Out of curiosity, is there any way I can combine NICs for more throughput using VMware?

    The load balancing you can achieve with VMware is not a "real" load balancing; it is more a static distribution of traffic according to the policy you have chosen.

    The one you use means that according to the virtual switch port ID the guest's vNIC is connected to, a specific uplink is chosen. This vNIC's traffic will use this uplink as long as this uplink does not fail. In this case, the more guests with vNICs you have, the better the uplinks are used.

    Other policies can be better for other scenarios. For example, 'IP hash' uses the source and destination IP address to choose an uplink. It is a good policy for a file server with a single vNIC and many different communication partners. The 'Source Port' policy would route all traffic through one uplink, whereas the 'IP hash' policy would use many uplinks, as it is not the port ID that matters but the communication partners. And a file server has many of them, more than it has vNICs.

    AWo

    VCP 3 & 4


  • Difference between the Port ID and MAC load balancing policies?

    There are three load balancing policies in 4.0 (one more now in 4.1):

    Route based on IP hash

    Route based on the originating virtual port ID

    Route based on source MAC hash

    I think that I understand perfectly the "IP hash" and how it relates to switches, but what really is the difference between 'source MAC' and 'Port ID'?

    They both seem to do something very similar, which is attaching a VM to a physical network card. Why would someone choose source MAC and why Port ID? Is there a difference in the way that traffic is spread that could be interesting when you do a design?

    Hello.

    To simplify, it really all boils down to the formula used to distribute traffic across the uplinks.

    Check out Ken Cline's "The Great vSwitch Debate - Part 3" (http://kensvirtualreality.wordpress.com/2009/04/05/The-Great-vswitch-Debate%E2%80%93part-3/) for many more details on how each option works.

    Good luck!
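    As an added example covering both this question and AWo's explanation in the previous thread (example code, not VMware's; the exact hash functions ESXi applies are not on this page, so simple modulo hashes are assumed and marked as such in the code), the following Python models the three teaming policies over constructed uplinks and flows. It also models an overridden failover order with one adapter marked unused and one link down, so that the policy is applied only across the healthy active uplinks.

```python
"""Model of vSwitch NIC-teaming policies: port ID, source MAC hash, IP hash.

Added example, not VMware's code.  The three selection formulas are assumed
(modulo over the number of healthy active uplinks); what the model shows is
which flows end up sharing an uplink under each policy.
"""
from collections import Counter, namedtuple
import ipaddress

Vnic = namedtuple("Vnic", "port_id mac")          # a VM's virtual NIC as the vSwitch sees it
Flow = namedtuple("Flow", "vnic src_ip dst_ip")   # one conversation leaving that vNIC


def _mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


class VSwitch:
    """Picks an uplink (vmnic) for a flow under one teaming policy.

    `active` is the failover order; `unused` uplinks never carry traffic;
    `failed` simulates a link that went down, so its flows move to the
    remaining active uplinks under the same policy.
    """

    def __init__(self, policy, active, unused=(), failed=()):
        if policy not in ("port_id", "src_mac", "ip_hash"):
            raise ValueError(policy)
        self.policy = policy
        self.unused = tuple(unused)
        self.active = [u for u in active if u not in failed and u not in self.unused]
        if not self.active:
            raise RuntimeError("no healthy active uplink")

    def uplink_for(self, flow):
        n = len(self.active)
        if self.policy == "port_id":
            idx = flow.vnic.port_id % n                 # assumed: port ID modulo uplinks
        elif self.policy == "src_mac":
            idx = _mac_to_int(flow.vnic.mac) % n        # assumed: MAC modulo uplinks
        else:
            src = int(ipaddress.IPv4Address(flow.src_ip))
            dst = int(ipaddress.IPv4Address(flow.dst_ip))
            idx = (src ^ dst) % n                       # assumed: XOR of addresses modulo uplinks
        return self.active[idx]


def spread(vswitch, flows):
    """Count how many of the flows each uplink would carry."""
    return Counter(vswitch.uplink_for(f) for f in flows)


UPLINKS = ["vmnic0", "vmnic1", "vmnic2", "vmnic3"]

# Constructed scenario 1: a file server with one vNIC talking to 200 clients.
FILE_SERVER = Vnic(port_id=3, mac="00:50:56:aa:00:03")
CLIENT_FLOWS = [Flow(FILE_SERVER, "10.0.0.10", f"10.0.1.{k}") for k in range(1, 201)]

# Constructed scenario 2: a guest that puts the same MAC on two vNICs (in-guest teaming).
TEAMED = [Vnic(port_id=5, mac="00:50:56:aa:00:05"), Vnic(port_id=6, mac="00:50:56:aa:00:05")]
TEAMED_FLOWS = [Flow(v, "10.0.0.20", "10.0.1.1") for v in TEAMED]


def file_server_uplinks(policy):
    return spread(VSwitch(policy, UPLINKS), CLIENT_FLOWS)


def teamed_guest_uplinks(policy):
    return spread(VSwitch(policy, UPLINKS), TEAMED_FLOWS)


def after_link_failure(policy):
    """Override: three active uplinks, vmnic3 unused, and vmnic1 has gone down."""
    sw = VSwitch(policy, UPLINKS[:3], unused=["vmnic3"], failed=["vmnic1"])
    return spread(sw, CLIENT_FLOWS)


if __name__ == "__main__":
    for policy in ("port_id", "src_mac", "ip_hash"):
        print(policy, "file server:", dict(file_server_uplinks(policy)))
        print(policy, "teamed guest:", dict(teamed_guest_uplinks(policy)))
        print(policy, "after vmnic1 failure:", dict(after_link_failure(policy)))
```

    Under port ID and source MAC the single-vNIC file server's 200 conversations all sit on one uplink, and only IP hash spreads them over all four; the guest with one MAC on two vNICs is split by port ID but pinned to one uplink by source MAC, which is the practical difference between the two policies. After the link failure, every policy keeps traffic on the two healthy active uplinks and never touches the unused one.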

  • ASA 8.3 - WebVPN and failover (Act/Stby)

    In older versions of the code WebVPN wasn't a feature supported with failover on the ASA; however, in 8.x and specifically 8.3 the release notes no longer list it as an unsupported feature. Does that mean WebVPN is fully supported with failover (Act/Stby) in 8.3?

    I can see on my 8.3 Act/Stby failover pair that the basic CLI WebVPN config replicates, as you would imagine, but I don't see that the XML config file (used in the 8.x train) for things such as portal customization or bookmarks gets synchronized between the ASAs.

    I see the XML-based WebVPN config file when using ASDM on the active ASA, and it eventually times out when you try to browse the portal customization or bookmarks.

    Does the XML-based WebVPN config file get replicated in a failover pair?

    Or if not, how do you keep the contents in sync between the boxes?

    Thank you

    SEZ

    According to the following document:

    "In Version 8.0 and later, some elements of the WebVPN configuration (such as bookmarks and customization) use the VPN failover subsystem, which is part of Stateful Failover. You must use Stateful Failover to synchronize these items among members of the failover pair. Stateless (regular) failover is not recommended for WebVPN."

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/configuration/guide/ha_overview.html#wp1078936

    If you have enabled stateful failover and the bookmarks and customization for the WebVPN portal are still not being replicated, I suggest that you open a TAC case to investigate the issue.

  • Can I do this load balancing and HA cluster with vSphere?

    Hello community!

    Really new to this type of subject, so forgive me if I do or say something wrong. I'm here to try to understand this amazing tool better, so I appreciate your time and knowledge!
    I'm trying to create a failover and load balancing cluster with vSphere; the goal is to install an MSSQL DB server which the customer can access more quickly and which has no downtime when a node is down.

    I read a lot but still I can't fully understand it, so if anyone tries to explain something, please be patient and explain with precision.

    If I'm doing it all wrong, it's because I'm really just working at home as a LAB, and I can do it, but I'm trying to use it to get a job because I don't have one and I really need one soon!
    Here is my diagram; is it possible?

    Diagrama Cluster HA-DRS.jpg

    Well, I'll explain it. I have clients that will send work to my DB load process, which will run on MSSQL Server installed on the 12 TB logical drive created from the union of all the virtual storage. Each virtual storage is just a virtual disk created on a virtual machine that is hosted on the physical server (node).

    So I have 4 physical servers which have 1 VM each with 3 TB of virtual disk; the goal is that the customer can send the workload process to the 4 nodes to get a quicker response, and if a single node fails for any reason, the other nodes can operate without problems.

    Physical server OS: don't know yet if I have to use one or install VMware directly.

    VM OS: Windows Server 2008 (don't know if it's necessary or if I can just install SQL Server directly)

    MSSQL Server VM: 2008 Enterprise (still don't know if I have to use this one)

    Well, I can't think of the other details right now, but if you tell me I'll be happy to write them.

    Sorry if my writing or semantics are wrong, but English is not my first language.

    Really, thanks for getting to this point and sharing your knowledge!

    Best regards, Josh from Argentina!

    Josh, please correct me if I'm wrong: you have 4 MS SQL nodes, and you need to read/write at the same time to a shared database of 12 TB.

    If this is the case, check the following documents:

    VMware KB: MSCS support improvements in vSphere 5.5

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1004617

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=1034165

    Clustering using VMDK sharing between virtual machines

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=2009226

    https://www.VMware.com/PDF/vsphere5/R55/vSphere-55-configuration-maximums.PDF

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=2003813

    The above covers the part of the diagram which includes the 4 SQL nodes and the shared database; for the other part, from the clients to the SQL nodes, which segments the load across the nodes, I think you should look at Microsoft options.

    I found a few relevant links below:

    https://ask.SQLServerCentral.com/questions/51824/cluster-with-more-than-2-nodes.html

    SQL Server 2008 R2: how? Multiple active node SQL Cluster (not) - Database Administrators Stack Exchange

  • ASA VPN with ISE and different OTP backends for authentication

    Hello

    I have an AAA problem I hope to get a little help with.

    The problem ultimately is: how can the ASA, via ISE, send RADIUS Access-Requests to different OTP backends depending on which Tunnel Group the connection belongs to?

    BACKGROUND:

    I'll try to give you a brief picture of the scenario; this is what I currently have.

    A VPN system (ASA 8.4(4)) where I let my users choose among 3 different authentication methods:

    (1) certificate (on smart card)

    (2) token - OTP token (One Time Password provided via a smartphone application, using a Nordic Edge OTP server)

    (3) SMS - OTP token (Nordic Edge OTP server, SMS OTP)

    The choice corresponds to different connection profiles/Tunnel Groups.

    Today, all authentication requests go directly to the OTP server and authorization goes directly to AD via LDAP.

    THE PROBLEM:

    The problem occurs when I try to put ISE into the mix.

    What I obviously (?) would like to do is have all network authentication/authorization go through my ISE platform to take advantage of centralized administration, monitoring etc.

    Again I would need to use different backend databases such as AD and the Nordic Edge OTP server, but then proxied by ISE.

    For me to be able to know which backend AAA system to proxy to, I need to somehow be able to distinguish the incoming RADIUS Access-Requests.

    WHAT WE HAVE:

    As of ASA 8.4.3 the RADIUS Access-Request contains 2 new attributes, the Tunnel Group Name and the Client Type, when a VPN user connects.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187

    QUESTION:

    It seems that, in theory, I can achieve what I want by looking at the RADIUS Access-Request attribute "Tunnel Group Name" and forwarding my request to different OTP backends for the authentication part. But how do I actually go ahead and set that up in ISE?

    I don't see this attribute when I look at the RADIUS Authentication details for an AAA authentication from the ASA in ISE.

    Best regards

    /Mattias

    I think you may be hitting the following bug:

    CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute

    This issue is not specific to this attribute, as shown in the workaround in the accompanying release note:

    Workaround

    Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the Cisco-VPN3000 dictionary. Attribute names should be changed so that they do not include a '.' character.

  • Load balancing and replication between two ESX servers

    This point was covered in another post last month, but I want to make sure I am clear before ordering anything. We run a VMware server (ESX Server 3.5 Enterprise version). I have about 12 VMs running on the server. The server is connected via Fibre Channel to a CLARiiON disk array. We back up each virtual machine from inside the VM, not outside it.

    I want to buy an additional VMware server which will provide redundancy. The second VMware server will also point to the same disk array (shared storage). It will store some VMs as well.

    What I want to do is to have the two servers balance between them. Also, I want there to be replication, so that if a server dies, the other will be responsible for all virtual machines.

    From what I have read, we need to use a combination of VMware HA, DRS and VMotion to do all of it - OK? I intend to buy another VI3 Enterprise license as well as a license for VirtualCenter Foundation. Finally, if I have Enterprise licenses for both ESX servers and VirtualCenter, does that give me VMware HA, DRS and VMotion capability? I appreciate any guidance on this.

    I don't think you can automatically load balance between the two boxes. The shared storage ensures the guests/VMs have the current data available. No actual replication is necessary.

    Just take your hardest-hit VMs and split them between the two hosts.

    On VMotion? It is much easier to just run a host with failover to another identical host. I have not attempted it any other way in quite a few installations. Do you think that your host is running out of gas? I used to think that as well, but I'm surprised how much any given host can be loaded up without experiencing consistent performance problems. If they are Windows, you can check how a VM is performing pretty easily with the Windows performance tools. All this with a low-end iSCSI SAN; I can only imagine how fibre rocks on performance.

  • Can someone tell me what the recommendation of Oracle is on how to best configure the load balancer?

    We are currently using the "configuration.properties" file to identify the servers for load balancing, but we are curious whether this is the recommended method to configure load balancing, or if there is a better way.

    I opened a case with Oracle support and asked the same question: entering the servers in the configuration.properties file is the only supported method used by PeopleSoft for load balancing up through 8.54.

    See also: How the Application Server Installer Handles Load Balancing and Failover (Doc ID 1252846.1)

  • Does Hyperic HA support load balancing?

    Hello

    We are trying to implement a Hyperic high availability architecture based on JBoss HA and the EHCache distributed cache. Our version is 3.2.3 EE.
    The cluster configuration is quite simple with the HQ High Availability Guide.
    Thanks for this guide and for how easy it is to configure the feature!

    My first question was, for the agent, which server IP should I use? I set some agents with node 1 and other agents with node 2
    => the synchronization between nodes works very well.

    Therefore, I have some additional questions.

    1/ Can I have a single point of entry for agents with some load balancing and failover capability?
    For example, if an agent is sending information to Node1 and this node breaks down or the server is restarted for maintenance purposes, the agent information will be lost.

    2/ Same question for the application: can I have a single entry-point URL with some load balancing and failover capability?

    Thanks for your help.

    Nicolas.

    Post edited by: njmn

    HQ Enterprise HA is for failover, but does not support load balancing. You will need to front your multiple HQ servers with a (software/hardware) load balancer which will relay agents to a live server. The load balancer must direct all agents to a single 'master' node. If this server is unavailable, another server will automatically become the master node and agents should be redirected to this node.

    Charles

  • Load balancing ASA VPN and firewall failover issue

    Is it possible to set up 2 ASA 5520s in active/standby stateful failover and still take advantage of VPN load balancing, or must each ASA be independent to use VPN load balancing?

    Thank you

    Please rate if this can help

  • The order of failover and load balancing

    Hello

    I have the following scenario: an ESXi host with 4 Gbps vmnics. The questions are:

    (1) If I have a port group configured for 'Route based on the originating virtual port ID' as the load balancing policy, and for the same port group I have the option 'Override switch failover order' checked, where I set up 3 of the vmnics as active adapters and the remaining vmnic as an unused adapter, does ESXi use the policy I have configured (in this case 'Route based on the originating port ID') for load balancing between the three vmnics marked as active? Or does it use them in the order they appear in the active adapters section?

    (2) Suppose I configured the four physical switch ports in an EtherChannel group in order to use the 'Route based on IP hash' load balancing policy. In this situation, what if I then configure a certain port group to use only two active adapters and the two others as unused? In this case, should ESXi balance the load using the IP hash method but only on the two active adapters? Or is it a misconfiguration and I should not configure my NIC teaming in this way?

    (3) The official setup guide says "IP hash requires the physical switch to be configured with EtherChannel. For all other options, EtherChannel must be disabled." How can I configure my virtual network if I have a few port groups using the IP hash load balancing policy and another using 'Route based on the originating port ID'? This is the case when, for example, I have two management ports using the same vSwitch with four vmnics (where they are configured as an EtherChannel on the physical switch). I would have one or more port groups for virtual machines that use the IP hash load balancing method, and the vmkernel ports for management would use only a single active adapter with no failback and with 'Route based on source port ID' load balancing, as best practices say.

    Now, the four vmnics are the same for all traffic. The physical switch ports must be configured in an EtherChannel group because certain port groups will use the IP hash method, but others will not. The configuration guide says I SHOULD NOT use EtherChannel if I won't use the IP hash method, but I WILL use it, only in one or more port groups.

    Maybe I should not share the same vmnics in this situation.

    Finally, a philosophical question. What is the difference between the 'Route based on the source port ID' and the 'Route based on source MAC hash' load balancing policies? What is the purpose of the second? It is assumed that if I had two different MAC addresses in a virtual machine, it would be because I had two different virtual cards inside the virtual machine, which would be connected to two different port IDs in the vSwitch, so I could use the first policy (based on the originating port ID). In other words, what would be the case where I had traffic entering the same vSwitch port ID but with different source MAC addresses, so that I should choose the source MAC address method to distinguish the traffic for load balancing?

    Thank you.

    Guido.

    (1) As long as you override only the vmnics and don't change the policy for this port group, it uses the policy configured at the vSwitch level and uses the 3 selected interfaces with this policy.

    (2) It should work; I don't think it's a problem for the switch to receive packets on a subset of the aggregation. I do not think that EtherChannel is supported (IIRC, it is a Cisco proprietary protocol; VMware only supports passive LACP, which corresponds to port channel in the Cisco world. Correct me if I'm wrong!)

    (3) I think that's all right; as I explained in 2), there is no special negotiation with VMware's teaming. The only important thing I know of is to configure the port channel on the switch side if you decide to use IP hash (that will lead to important questions).

    4) (self-labelled) I think it may differ in some individual cases, such as when the operating system uses the same MAC address for both NICs (in-VM aggregation) or if you advertise several MAC addresses for the same network card (ESX in a VM, for example, would do that for its VMs). Such cases affect this setting differently.

    That is the right question, and I'm curious to know if someone wants to elaborate on it!

  • ASA 5520 active/standby and SSL VPN load balancing

    I have a pair of ASA 5520s running active/standby failover. Can I use these two machines in an SSL VPN load balancing cluster?

    No. When an active/standby pair is part of a VPN cluster, the standby unit is still standby; it will not actively terminate user sessions. Only the active cluster members (and non-failover units) will do so.
