IPSec Server Load Balancing

Nov 30,2009 by alperen


The load balancing feature makes it possible to distribute remote sessions among two or more VPN Concentrators connected on the same network. Load balancing provides efficient use of system resources, while providing increased performance and high availability by directing remote sessions to the least-loaded device.

Load balancing applies only to remote-access sessions initiated by the Cisco VPN Client (release 3.0 or later) or the Cisco VPN 3002 Hardware Client (release 3.5 or later). Any other VPN client, and all LAN-to-LAN connections, can still connect to a VPN Concentrator that has load balancing enabled, but those sessions are not load balanced.

Load balancing requires no configuration on the VPN Client or VPN 3002.

Configure a Server for Load Balancing

Before configuring load balancing on a VPN Concentrator, you must complete the following two tasks:

  • Configure the private and public interfaces.

  • Configure the filters for the private and public interfaces to allow the Virtual Cluster Agent (VCA) load balancing protocol.

Virtual Cluster

To implement load balancing, you group two or more VPN Concentrators that sit on the same private LAN-to-LAN network, private subnet, and public subnet into a virtual cluster. To outside clients the whole cluster appears as a single virtual cluster IP address.

All devices in the virtual cluster are used to distribute session loads. The virtual cluster master directs incoming calls to the other devices, referred to as secondary devices. By monitoring all devices, the virtual cluster master can distribute the session load based on the activity of each device. The virtual cluster master role isn’t assigned to a specific physical device, but can shift among devices, as needed. This flexibility is particularly important if the current virtual cluster master fails. In this case, one of the secondary devices takes over and immediately becomes the new virtual cluster master.

A VPN Client wanting to initiate a session connects to the virtual cluster IP address. The virtual cluster master returns the public IP address of the cluster host with the least load to the client. The process is transparent to the user because the VPN client connects directly to that designated host without any user involvement or messages.

If a cluster member fails, its terminated sessions reconnect immediately to the virtual cluster IP address, where the virtual cluster master repeats the reassignment process. Even if the failed device is the virtual cluster master itself, one of the secondary devices immediately and automatically takes over as the new virtual cluster master. The cluster also survives multiple device failures, as long as at least one cluster device remains available.
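The behaviour described above (master election by priority, redirection of each new client to the least-loaded member, and re-homing of sessions when a member, master included, fails) as a small model. This is an added illustration, not Cisco's VCA implementation; the device names, the 203.0.113.0/24 addresses, and the name-based tie-breaking rules are assumptions.

```python
"""Toy model of a VPN 3000 virtual cluster: the master is the highest-priority
live member, it answers each client that hits the virtual IP with the public IP
of the least-loaded member, and a dead member's sessions come back through the
virtual IP and are reassigned.  Added illustration only; not the VCA protocol."""
from dataclasses import dataclass


@dataclass
class Concentrator:
    name: str
    public_ip: str
    priority: int        # 1..10, higher = more likely to become master
    sessions: int = 0
    alive: bool = True


class VirtualCluster:
    def __init__(self, virtual_ip, members):
        self.virtual_ip = virtual_ip
        self.members = {m.name: m for m in members}
        self.master = self._elect_master()

    def _live(self):
        return [m for m in self.members.values() if m.alive]

    def _elect_master(self):
        live = self._live()
        if not live:
            raise RuntimeError("no cluster member available")
        # highest priority wins; the name breaks ties (assumed rule)
        return max(live, key=lambda m: (m.priority, m.name)).name

    def connect(self):
        """A client connects to the virtual IP; the master replies with the
        public IP of the least-loaded live member and the client goes there."""
        if not self.members[self.master].alive:
            self.master = self._elect_master()
        target = min(self._live(), key=lambda m: (m.sessions, m.name))
        target.sessions += 1
        return target.public_ip

    def fail(self, name):
        """Member dies: its sessions reconnect through the virtual IP."""
        dead = self.members[name]
        dead.alive = False
        orphaned, dead.sessions = dead.sessions, 0
        if name == self.master:
            self.master = self._elect_master()
        return [self.connect() for _ in range(orphaned)]

    def load(self):
        return {m.name: m.sessions for m in self._live()}


def demo():
    """Three-member cluster; the master dies after four clients connect."""
    cluster = VirtualCluster("203.0.113.10", [   # constructed addresses
        Concentrator("vpn-a", "203.0.113.11", priority=10),
        Concentrator("vpn-b", "203.0.113.12", priority=5),
        Concentrator("vpn-c", "203.0.113.13", priority=1),
    ])
    first_master = cluster.master
    redirects = [cluster.connect() for _ in range(4)]
    rehomed = cluster.fail("vpn-a")           # the master itself fails
    return first_master, redirects, rehomed, cluster.master, cluster.load()


if __name__ == "__main__":
    print(demo())
```

Running it shows vpn-a (priority 10) as master handing out .11, .12, .13, .11 for the first four clients; when vpn-a dies, vpn-b takes over as master and the two orphaned sessions land on .12 and .13, leaving both survivors with two sessions each.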

Configure Load Balancing

Use the Configuration | System | Load Balancing screen to enable load balancing on the VPN Concentrator, as shown in Figure 15-27.

Figure 15-27: Configuring load balancing

The process takes two steps:
  1. Configure the cluster: define the values that must be identical on every device in the cluster, namely the virtual cluster IP address, the UDP port (if the default cannot be used), and the IPSec shared secret.

  2. Configure the device: enable load balancing on the device, then set the device-specific properties. These values can vary by device type and installed options.

    VPN Virtual Cluster IP Address

    A single IP address that represents the whole virtual cluster. It must lie within the public subnet address range shared by all VPN Concentrators in the cluster, and it is a separate address, not the public interface address of any one member.

    VPN Virtual Cluster UDP Port

    The UDP destination port used for the VCA load-balancing traffic between cluster members. The default is 9023; change it only if another application already uses that port, and use the same value on every member.

    Encryption

    When checked, all load-balancing (VCA) communication between the VPN Concentrators is encrypted with IPSec. Left unchecked, the cluster's control traffic crosses the LAN in cleartext.

    IPSec Shared Secret

    Available only when Encryption is checked. The shared secret is a common password that authenticates all virtual cluster members; IPSec uses it as a preshared key to establish the secure tunnels between cluster peers. It must be identical on every member, and because it is a preshared key it should be long and random rather than a short memorable password.

    Priority

    Priority (1 to 10) of this VPN Concentrator within the virtual cluster. The higher the value, the more likely the device is to become the virtual cluster master, either at startup or when the existing master fails. Give the highest priority to the device you want carrying the master role.
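A way to sanity-check a planned cluster against the constraints listed above before entering the values on the Load Balancing screen: one shared public subnet containing the virtual cluster IP, one shared private subnet, the same UDP port and shared secret everywhere, priorities in range, and encryption on. This is an added example, not VPN 3000 configuration syntax; the dictionary keys, the sample addresses and the 16-character minimum for the shared secret are assumptions.

```python
"""Check a planned virtual cluster for the consistency rules described above.
Added example; the field names are assumptions, not the concentrator's own
configuration format."""
import ipaddress

VCA_DEFAULT_PORT = 9023   # VCA's default UDP port


def _shared_subnet(members, key):
    """The one subnet all members' interfaces sit on, or None if they differ."""
    nets = {ipaddress.ip_interface(m[key]).network for m in members}
    return nets.pop() if len(nets) == 1 else None


def validate_cluster(virtual_ip, members):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if len(members) < 2:
        problems.append("a virtual cluster needs at least two concentrators")

    public_net = _shared_subnet(members, "public")
    if public_net is None:
        problems.append("public interfaces are not on one shared subnet")
    else:
        vip = ipaddress.ip_address(virtual_ip)
        if vip not in public_net:
            problems.append(f"virtual cluster IP {vip} is outside the shared public subnet {public_net}")
        if any(ipaddress.ip_interface(m["public"]).ip == vip for m in members):
            problems.append(f"virtual cluster IP {vip} is already a member's own public address")

    if _shared_subnet(members, "private") is None:
        problems.append("private interfaces are not on one shared subnet")

    if len({m.get("udp_port", VCA_DEFAULT_PORT) for m in members}) != 1:
        problems.append("members disagree on the VCA UDP port; they will not hear each other")

    for m in members:
        if not 1 <= m["priority"] <= 10:
            problems.append(f"{m['name']}: priority {m['priority']} is outside 1..10")

    if not all(m["encryption"] for m in members):
        problems.append("encryption is not enabled on every member: VCA traffic would cross the LAN in cleartext")
    else:
        secrets = {m["shared_secret"] for m in members}
        if len(secrets) != 1:
            problems.append("IPSec shared secret differs between members; the VCA tunnels will not come up")
        elif len(next(iter(secrets))) < 16:   # assumed minimum length
            problems.append("IPSec shared secret is short; it is a preshared key and should be long and random")
    return problems


# Constructed plans using RFC 5737 documentation addresses.
GOOD_PLAN = dict(virtual_ip="203.0.113.10", members=[
    dict(name="vpn-a", public="203.0.113.11/24", private="10.0.0.11/24",
         priority=10, encryption=True, shared_secret="5kN7vQp2xL9wRz4tHb8m"),
    dict(name="vpn-b", public="203.0.113.12/24", private="10.0.0.12/24",
         priority=5, encryption=True, shared_secret="5kN7vQp2xL9wRz4tHb8m"),
])

BAD_PLAN = dict(virtual_ip="198.51.100.10", members=[   # VIP on the wrong subnet
    dict(name="vpn-a", public="203.0.113.11/24", private="10.0.0.11/24",
         priority=11, encryption=True, shared_secret="5kN7vQp2xL9wRz4tHb8m"),
    dict(name="vpn-b", public="203.0.113.12/24", private="10.0.0.12/24",
         priority=5, encryption=False, shared_secret=""),
])

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_cluster(**plan) or "ok")
```

The good plan passes cleanly; the bad plan is flagged for a virtual cluster IP outside the members' public subnet, a priority of 11, and a member with encryption off, which is exactly the combination that would silently leave VCA traffic in cleartext and the master unreachable at the advertised address.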

