Cisco ASA 5512-X Adaptive Security Appliance Troubleshooting Guide

Load-Balancing Algorithm
Here is an overview of the load-balancing algorithm:
• The master device maintains a sorted list of secondary cluster members in ascending order of inside IP addresses.
• The load is computed as an integer percentage (number of active/maximum sessions) that is supplied by each secondary cluster member.
• The master device redirects the IPSec/Secure Sockets Layer (SSL) VPN tunnel to the device with the lowest load first, until that device is one percent higher than the other devices.
• The master device redirects to itself only when all of the secondary cluster members are one percent higher than the master device.
Here is an example with one master and two secondary cluster members:
• All nodes begin with a zero-percent load, and all percentages are rounded to the nearest half-percent.
• The master device takes the connection if all of the members have a load that is one percent higher than the master device.
• If the master device does not take the connection, the session is taken by the backup device that currently has the smallest load percentage.
• If all of the members have the same load percentage, then the backup device with the fewest sessions takes the session.
• If all of the members have the same load percentage and the same number of sessions, then the backup device with the fewest IP addresses takes the session.
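The following simulation is an added example and is not Cisco code or the ASA's implementation; it models the redirect rules listed above so the session-by-session behaviour of a master with two secondaries can be traced. The Member data model, the use of the member's inside-IP sort order to break any tie that survives the load, session-count and IP-address-count comparisons, and the reading of "least amount of IP addresses" as a count of addresses held by the member are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Member:
    """Assumed model of one cluster member (not an ASA data structure)."""
    name: str
    inside_ip: str        # the master sorts secondaries by this address
    active_sessions: int
    max_sessions: int
    ip_addresses: int     # assumption: number of addresses the member holds

    @property
    def load(self) -> float:
        # Percentage of active/maximum sessions, rounded to the nearest half-percent.
        pct = 100.0 * self.active_sessions / self.max_sessions
        return round(pct * 2) / 2


def ip_key(ip: str):
    # Numeric sort key so 10.0.0.10 sorts after 10.0.0.9.
    return tuple(int(octet) for octet in ip.split("."))


def select_member(master: Member, secondaries: List[Member]) -> Member:
    """Pick the member that takes the next tunnel according to the rules above."""
    # The master keeps its secondaries in ascending inside-IP order.
    ordered = sorted(secondaries, key=lambda m: ip_key(m.inside_ip))
    # The master takes the connection only when every secondary is at least
    # one percent higher than the master itself.
    if all(m.load >= master.load + 1 for m in ordered):
        return master
    # Otherwise: smallest load, then fewest sessions, then fewest IP addresses.
    # min() returns the first minimum, so inside-IP order breaks a full tie
    # (assumption; the page does not state this last step).
    return min(ordered, key=lambda m: (m.load, m.active_sessions, m.ip_addresses))


def simulate(master: Member, secondaries: List[Member], sessions: int) -> List[str]:
    """Assign `sessions` new tunnels one at a time; return the chosen member names."""
    chosen = []
    for _ in range(sessions):
        target = select_member(master, secondaries)
        target.active_sessions += 1
        chosen.append(target.name)
    return chosen


if __name__ == "__main__":
    # Constructed cluster: every member starts at zero percent load.
    master = Member("master", "10.0.0.1", 0, 100, 1)
    a = Member("A", "10.0.0.2", 0, 100, 2)
    b = Member("B", "10.0.0.3", 0, 100, 1)
    for i, name in enumerate(simulate(master, [a, b], 6), start=1):
        print(f"session {i}: {name}")
```

With all members at equal load and session count, B takes the first session because it holds fewer IP addresses; A then has the lowest load; once both secondaries sit one percent above the master, the master takes a session itself, and the cycle repeats.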
Master Election Process
The VPN load-balancing Master Election process is performed on the cluster outside network. Two types of data are exchanged on the outside network:
• Address Resolution Protocol (ARP) packets for the cluster IP address, which are used for master discovery. The maximum number of ARP packets that are sent for the cluster IP address in order to discover the master is:
(10 - priority) + 1
Here, priority is the value configured with the priority subcommand of the vpn load-balancing CLI command.
• UDP packets for the Hello request/response messages. The port number is specified with the cluster port load-balancing subcommand and defaults to 9023.
As an example, if the priority is five for a load-balancing device, it attempts to send up to six ARP packets in order to see whether any master device owns the cluster IP address. If a master device is detected, the ASA does not send any more ARP messages and waits 15 seconds before it sends the UDP Hello request. The master device then responds with a UDP Hello response.