Hi - Thanks. I allowed all IP traffic in ACLs between both sets of interfaces and I have made sure of the lbprivate and lbpublic assignment.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of hughie CCIE
Sent: Wednesday, September 09, 2009 8:48 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VPN Load balancing on ASA 5510

Hi Michael,

Have you allowed port 9023/udp between the devices for VCA traffic (virtual cluster agent)? Also make sure you have the interfaces specified as well in the config:

interface (lbprivate | lbpublic) logical_interface_name

--
regards
Hugh

2009/9/9 Michael Davis <[email protected]>:
> Hello Everyone - I am going crazy. I have 2 ASA 5510s with sec+ and
> have working remote access VPN configurations on them. Both ASA outside
> interfaces reside in the same subnet and share the same default route
> and both inside interfaces are in the same subnet also. I have set the
> private and public interfaces correctly and I have gone over the docs
> and it all looks normal. Can anyone see what I am missing? It seems so
> simple. Here is my config:
>
> ASA1: outside ip 203.206.229.42/29 inside ip 192.168.1.200
>
> vpn load-balancing
>  priority 10
>  cluster ip address 203.206.229.44
>  cluster port 4000
>  participate
>
> ASA2: outside ip 203.206.229.43/29 inside ip 192.168.1.201
>
> vpn load-balancing
>  priority 1
>  cluster ip address 203.206.229.44
>  cluster port 4000
>  participate
>
> Here is the output of show vpn load-balancing on ASA1
>
> Status: enabled
> Role: Backup
> Failover: n/a
> Encryption: disabled
> Cluster IP: 203.206.229.44
> Peers: 1
>
>                                           Load (%)    Sessions
>   Public IP       Role    Pri  Model     IPSec  SSL  IPSec  SSL
> ---------------------------------------------------------------------------
> * 203.206.229.42  Backup  10   ASA-5510  0      0    0      0
>   203.206.229.44  Master  0    UNKNOWN   n/a    n/a  n/a    n/a
>
> Here is my debug: debug vpnlb 200
>
> Master peer[203.206.229.44] is not answering HELLO
> 5718056: Deleted Master peer, IP 203.206.229.44
> 5718044: Deleted peer[203.206.229.44]
> 5718072: Becoming master of Load Balancing in context 0.
> 5718052: Received GRAT-ARP from duplicate master[001c585ad141]
> 5718054: Detected duplicate master[3030.3163.3538] and going to SLAVE
> 5718088: Possible VPN LB misconfiguration. Offending device MAC [001c.585a.d141]

--
Regards
Hugh
17/4 Dundas Street
Edinburgh, Midlothian, EH3 6QG, UK
Email hugh [dot] mcgauran [at] gmail [dot] com
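
Added example, not part of the original thread and not Cisco tooling: a Python check that compares the vpn load-balancing stanzas of two cluster members for the items raised above (same cluster IP and port, participate set, lbpublic and lbprivate interfaces assigned). The function names are illustrative; ASA1 reuses the posted values with the interface lines assumed, and ASA2 is constructed with deliberate mismatches.

```python
import re

# Settings that must be identical on every member of the virtual cluster.
MUST_MATCH = ("cluster ip address", "cluster port")

def parse_vpnlb(config):
    """Collect the sub-commands of the 'vpn load-balancing' stanza."""
    settings, in_stanza = {"interfaces": {}, "participate": False}, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].strip():                  # unindented line: new top-level stanza
            in_stanza = line == "vpn load-balancing"
        elif in_stanza and line:
            m = re.fullmatch(r"interface (lbpublic|lbprivate) (\S+)", line)
            if m:
                settings["interfaces"][m.group(1)] = m.group(2)
            elif line == "participate":
                settings["participate"] = True
            else:                            # e.g. "cluster port 4000"
                key, _, value = line.rpartition(" ")
                settings[key] = value
    return settings

def compare_members(a, b):
    """List the mismatches between two members' parsed stanzas."""
    problems = [f"{k} differs: {a.get(k)} vs {b.get(k)}"
                for k in MUST_MATCH if a.get(k) != b.get(k)]
    for name, member in (("first", a), ("second", b)):
        if not member["participate"]:
            problems.append(f"{name} member is not set to participate")
        for role in ("lbpublic", "lbprivate"):
            if role not in member["interfaces"]:
                problems.append(f"{name} member has no {role} interface")
    return problems

# Constructed samples: interface lines in ASA1 assumed, ASA2 deliberately wrong.
ASA1 = """vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 priority 10
 cluster ip address 203.206.229.44
 cluster port 4000
 participate"""
ASA2 = """vpn load-balancing
 interface lbpublic outside
 priority 1
 cluster ip address 203.206.229.44
 cluster port 9023
 participate"""
```

Calling compare_members(parse_vpnlb(ASA1), parse_vpnlb(ASA2)) returns one line per mismatch; an empty list means the two stanzas agree on these points.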
