Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide
OL-16647-01
Chapter 15 High Availability
Configuring Failover with the High Availability and Scalability Wizard
Note Load balancing is effective only on remote sessions initiated with the Cisco VPN Client (Release 3.0 and
later), the Cisco VPN 3002 Hardware Client (Release 3.5 and later), or the ASA 5505 operating as an
Easy VPN Client. All other clients, including LAN-to-LAN connections, can connect to a security
appliance on which load balancing is enabled, but they cannot participate in load balancing.
To implement load balancing, you logically group two or more devices on the same private
LAN-to-LAN network into a virtual cluster.
Fields
Cluster IP Address—Specifies the single IP address that represents the entire virtual cluster. Choose
an IP address that is within the public subnet address range shared by all the security appliances in
the virtual cluster.
Cluster UDP Port—Specifies the UDP port for the virtual cluster in which this device is
participating. The default value is 9023. If another application is using this port, enter the UDP
destination port number you want to use for load balancing.
Enable IPSec Encryption—Enables or disables IPSec encryption. If you select this check box, you
must also specify and verify a shared secret. The security appliances in the virtual cluster
communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information
communicated between the devices is encrypted, select this check box.
Note When using encryption, you must have previously configured the load-balancing inside
interface. If that interface is not enabled on the load-balancing inside interface, you get an error
message when you try to configure cluster encryption.
If the load-balancing inside interface is enabled when you configure cluster encryption, but is
disabled before you configure the participation of the device in the virtual cluster, you get an
error message when you select the Participate in Load Balancing Cluster check box, and
encryption is not enabled for the cluster.
Shared Secret Key—Specifies the shared secret between IPSec peers when you enable IPSec
encryption. The value you enter in the box appears as consecutive asterisk characters.
Priority Of This Device—Specifies the priority assigned to this device within the cluster. The range
is from 1 to 10. The priority indicates the likelihood of this device becoming the virtual cluster
master, either at start-up or when an existing master fails. The higher you set the priority (for
example, 10), the more likely this device becomes the virtual cluster master.
Note If the devices in the virtual cluster are powered up at different times, the first device to be
powered up assumes the role of virtual cluster master. Because every virtual cluster requires a
master, each device in the virtual cluster checks when it is powered up to ensure that the cluster
has a virtual master. If none exists, that device takes on the role. Devices powered up and added
to the cluster later become secondary devices. If all the devices in the virtual cluster are powered
up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously, and both have the
highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
Public Interface Of This Device—Specifies the name or IP address of the public interface for this
device.
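
The constraints in the field descriptions above can be checked against a planned cluster before the values are entered in the wizard. The following is an added example, not part of the Cisco guide or of ASDM: the function names, dictionary keys and sample addresses are hypothetical, and it assumes the "lowest IP address" tie-break refers to each device's public interface address.

```python
import ipaddress

# Constructed sample: three devices on one public subnet (documentation range).
SAMPLE_DEVICES = [
    {"name": "asa-a", "public_if": "192.0.2.12/24", "priority": 10},
    {"name": "asa-b", "public_if": "192.0.2.11/24", "priority": 10},
    {"name": "asa-c", "public_if": "192.0.2.13/24", "priority": 5},
]


def validate_cluster(cluster_ip, udp_port, encryption, shared_secret, devices):
    """Return a list of problems in a planned virtual-cluster configuration."""
    problems = []
    vip = ipaddress.ip_address(cluster_ip)
    nets = {ipaddress.ip_interface(d["public_if"]).network for d in devices}
    if len(devices) < 2:
        problems.append("a virtual cluster needs two or more devices")
    if len(nets) != 1:
        problems.append("devices do not share one public subnet")
    elif vip not in next(iter(nets)):
        problems.append("cluster IP is outside the shared public subnet")
    if not 1 <= udp_port <= 65535:
        problems.append("cluster UDP port out of range")
    if encryption and not shared_secret:
        problems.append("IPSec encryption enabled without a shared secret")
    if not encryption:
        problems.append("load-balancing messages between devices are not encrypted")
    for d in devices:
        if not 1 <= d["priority"] <= 10:
            problems.append(f"{d['name']}: priority {d['priority']} outside 1-10")
    return problems


def expected_master(devices, boot_order=None):
    """Predict the virtual cluster master from the rules in the Note above.

    boot_order lists device names in power-up order when they start at
    different times; leave it as None when all devices start simultaneously.
    """
    if boot_order:
        return boot_order[0]  # first device powered up takes the role
    # Simultaneous start: highest priority wins, ties go to the lowest
    # address (assumed here to be the public interface address).
    best = min(devices, key=lambda d: (-d["priority"],
                                       ipaddress.ip_interface(d["public_if"]).ip))
    return best["name"]
```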