Cisco Switching/Routing :: ASA 5520 Load Balancing Based Upon HTTP or HTTPS
Mar 5, 2012
I have a customer who wants his new ASA-5520 to load balance out-going traffic between 2 ISPs, fairly normal request. Now here's the twist. He wants to separate traffic based upon the protocol used, http to one ISP, https to the other.
We have an RV016 load balancing between two broadband WAN connections. On protocols that are sensitive to a change in IP address, such as ssh and https, if the client connection goes inactive for a short time (sometimes as short as 10 seconds), the RV016 often changes WAN connection as part of its "load balancing" feature. Most protocols do not even notice, but the more sensitive protocols do, and often lock a session or time out the session, which is not a good thing.
We have been able to bind these sensitive protocols to a particular WAN port, but (in our minds) this is not an "ideal" situation. In fact I would consider this to be a broken "load balancing" solution that should be fixed.
I need to build a layer 2 etherchannel on a Cisco 3560X. Now the question:
May I instruct the switch to inspect the outgoing Ethernet packets for IP information and therefore execute Layer 3 load balancing on this port-channel, regardless of the fact that this will be a plain Layer 2 etherchannel? (for example: port-channel load-balance src-dst-ip)
The documentation does not say that this is not allowed, so in principle it seems to be that it would be feasible.
I am trying to configure an ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456; otherwise the traffic will be sent to server farm 123.
I attached an image of the topology.
rserver host SRV01_123
  ip address 192.168.1.101
  inservice
I was unable to access my ASA 5520 using HTTP/HTTPS, even on the management interface. I had upgraded the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin, but the issue is still the same.
My browser shows the error message as in the attached image.
PGA-Firewall-02# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname PGA-Firewall-02
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif public
 security-level 0
 ip
Right now, in my network there is no proxy server and all users go straight through the ASA to access the internet. I would like to put in a squid with dansguardian (for web filtering). What are the steps to get all http and https traffic from the ASA to go via my squid?
We have an ASA5520 pair that we will be installing to load balance SSLVPN connections. Below is a portion of our configs pertaining to the VPN load-balancing feature (configured on both ASAs): My specific question is related to routing of return traffic to load-balanced VPN sessions. Is there some kind of persistence function that tells the return traffic which ASA to route back to? For instance, if ASA1 has a VPN connection having IP address 10.211.112.1 associated to it, and ASA2 has a VPN connection having IP address 10.211.112.100, how does the return traffic for each connection know which ASA to route back to?
We have two asa5520 configured as primary and standby unit in fail over configuration, and all is working properly. Is it possible, with this configuration (fail over), to configure vpn load balancing/clustering?
We have two Cisco WS-C4900M with Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(53)SG5, RELEASE SOFTWARE (fc1). We have four gigabit links connected between those two switches. We have created a LACP port channel with those four ports on both switches. The Ether-channel is up and running and defined with a load-balancing method of src-dst-ip. But when we test the load-balancing, it's not using the src-dst-ip rule with the XOR: [code]
We use a Cisco ASA 5520 (in HA configuration) connected to a Cisco 3750 switch; the ISP connection (25 Mbps) goes straight to the Cisco 3750 switch. Since Internet traffic is now high, a second ISP will be added. Our plan is to do Internet Link Load Balancing. My understanding is that the ASA 5520 cannot do balancing. What appliance do you think I can use to accomplish the link balancing? Also, take into consideration that our current ASA is also our VPN server and there are two DMZ zones.
1) 2 x ASA 5520, running 8.2
2) Both ASA are in the same outside and inside interface broadcast domains – common Ethernet on interfaces
3) Both ASA are running single context but are active/standby failovers of each other. There are no more ASAs in the equation. Just these 2. NOTE: this is not an Active/Active failover configuration. This is simply a 1-context active/standby configuration.
4) I want to share VPN load among two devices and retain active/standby failover functionality. Can I use the VPN load balancing feature?
Active/Active failover is understood to mean only two ASA running multi-contexts. Context 1 is active on ASA1; Context 2 is active on ASA2. They are sharing failover information. Active/Active does not mean two independently configured ASA devices, which do not share failover communication, but do VPN load balancing. It is clear that this latter scenario will work and that both ASA are active, but they are not in the Active/Active configuration definition. Some people are calling VPN load balancing on two unique ASAs "active/active", but it is not.
The other confusing thing I have seen is that the VPN config guide for VPN load balancing mentions configuring separate IP address pools on the VPN devices, so that clients on ASA1 do not have IP address overlap with clients on ASA2. When you configure an ip address pool on active ASA1, this gets replicated to standby ASA2. In other words, you cannot have two unique IP address pools on an ASA Active/Standby cluster. I guess I could draw addresses from an external DHCP server, and then do some kind of routing. Perhaps this will work?
I would like to configure a CSS content rule that uses the sorry service principle in an advanced way.
I am familiar with the primary Sorry Server command and see that the CSS would send all connections to the named service that is configured as the primary Sorry Server.
What I would like to do is to configure the CSS so that once it's decided it's in a "sorry" state (all the services that are configured with "add service" are down), it load balances to a different set of services.
To explain what I’ve been trying to do in the form of configuration on the CSS, I’ve pasted some pretend config below.
Connections come into IP address 220.127.116.11, which normally get load balanced between 18.104.22.168, 22.214.171.124 and 126.96.36.199.
If 188.8.131.52, 184.108.40.206 and 220.127.116.11 are all down, the sorry service is used and the CSS starts passing traffic to 18.104.22.168, which I want it to load balance between 22.214.171.124, 126.96.36.199 and 188.8.131.52.
The order that I have applied the config, is different to the below, as I set out to configure in this order: secondary services, secondary content, sorry service, primary services, primary content.
The order of the config below is different, because I wanted it in the order that the traffic flows and the CSS won’t take the config in that order!
The wall I have run into is that when I try to create the service I have named "Sorry Service", I get the following error:
%% Service IP Address conflicts with a local I/F, VIP, mg mt route.
I have a problem with symmetric load balancing, in the case when both ends of an ether channel are on the same switch (we are using VLAN translation). We need to create an L2 port channel with both ends on the same switch (Cisco WS-C4500X-24X-ES), for example:
Po1 – Gi0/1, Gi0/3 (one end of port channel)
Po2 – Gi0/2, Gi0/4 (other end of port channel)
On ports in Po2 we will configure VLAN mapping. My question is what is the best ether-channel load-balancing scheme with which we can accomplish full symmetry in both directions? For example, if traffic in one direction goes through Gi0/1 (member of Po1), in the other direction it also must go through Gi0/1. This is required because we need to connect four appliances for DPI (they are fully L2 transparent) and traffic through each appliance needs to be symmetric.
I can set up src-ip, dst-ip, src-dst-ip etc. load balancing, but actually I need src-ip on Po1 and dst-ip on Po2. Is there any way to set up a different load balancing mechanism for different ether channels on the same switch (4500X)?
If the load balancing is set to src-dst-ip, will a layer 2 switch forward based on that information? Particularly talking about a 6500, with trunk interfaces, since those packets never go to the layer 3 engine, will the load-balancing work as intended?
I am trying to understand what load balancing method is used on a port channel on a Nexus switch. I have a server connected by a vPC to two Nexus switches. The Nexus switches are only acting as layer 2 switches. I have a 6509 connected via an upstream link that does all of the routing for my VLANs. If I have a server connected to the Nexus switches and it talks to a server on my 6509, what load balancing happens on the Nexus going across vPC 27, which is a layer 2 trunk going up to my 6509? Is it done on layer 2 or layer 3 flows?
My Nexus shows the default load balancing configuration:
Port Channel Load-Balancing Configuration:
System: source-dest-ip
Port Channel Load-Balancing Addresses Used Per-Protocol:
Non-IP: source-dest-mac
IP: source-dest-ip source-dest-mac
Is it possible to use two different load balancing methods at each end of a port-channel between two switches?
We have a Cisco 6509 at one end of the port-channel and a Cisco blade switch 3020 at the other end. Right now, we are using "src-dst-ip" at both ends of the port-channel. We would like to change this. That is, we would like the 3020 switch to use "src-dst-ip" while the 6509 switch should use "src-dst-port".
The reason we want to do this is that we have FWSMs on the 6509. I've read that by configuring "src-dst-port" on the 6509, one can get better performance for traffic going through the FWSM. However, the issue is that the 3020 switch does not support "src-dst-port".
What I am attempting to achieve is to aggregate trunk ports out of a VMware server into a single logical connection to give as much bandwidth as possible. The switches are 3750X, three stacked together, with the server connections spread across the stack. What I am not sure about is whether two port channel load balance protocols can happily co-exist on the switch: by default the switch is using MAC address load balancing and VMware wants to use IP source load balancing. As other trunks and channels exist on the switch, I don't want to make a change that will affect the other live connections if changing this is a global setting and not local to the channel.
I have a dual-homed fabric (Nexus 2248 dual attached to two Nexus 5020s via vPC). On this Nexus 2248 is a server that has a four port LACP etherchannel. The ports do not appear to be load balancing correctly. The output below shows the four ports in use, and it clearly shows port e138/1/10 as getting the most use. When I use the "show port-channel load-balance forwarding-path..." command on either of the vPC switches for various source and destination IPs that use this link, it shows them correctly load-balancing across the four ports. But we do not see this when looking at stats on both the server side and the switch side.