New Contributor

IP load sharing with VPN

I started with a 3448 and a single ISP on ETH 0/1. Firewall and VPN up and running on ISP #1.

A second ISP is connected to ETH 0/2. The doc Configuring IP Load Sharing in AOS - Quick Configuration Guide.pdf is referenced to attempt to load share across the (2) ISPs. When I add the default route for ISP #2, the VPN traffic stops.

Anyone have experience with this problem?

Honored Contributor

Re: IP load sharing with VPN

With a lan-to-lan VPN, you'll need to build a second tunnel from the other end to the IP of ISP #2 and include its interface in your crypto map.

New Contributor

Re: IP load sharing with VPN

In this case I am attempting to load-share outbound internet traffic only. The VPN is configured only on ETH0/2. I have added a static route to force the VPN traffic out ETH0/2 and have used the reverse-route command. Occasionally the VPN traffic stops and I will delete the static route to ETH0/1 and the VPN traffic is restored. Any idea as to why the VPN traffic stops?

Honored Contributor

Re: IP load sharing with VPN


kchasta1n wrote:



In this case I am attempting to load-share outbound internet traffic only. The VPN is configured only on ETH0/2. I have added a static route to force the VPN traffic out ETH0/2 and have used the reverse-route command. Occasionally the VPN traffic stops and I will delete the static route to ETH0/1 and the VPN traffic is restored. Any idea as to why the VPN traffic stops?


Was the static route you added for the /32 public crypto endpoint of the VPN or for the protected inside traffic?  You might need to add one for each, both to force the VPN tunnel to establish over the proper interface and to steer the protected traffic toward the interface with the crypto map.  Use the ISP next-hop off of eth 0/2 as the target. 

What static route do you have on ETH0/1?

When the VPN traffic stops, is the crypto tunnel still up?
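The route check described in the reply above, as an added example that is not part of the original thread: a simplified longest-prefix-match model (not AOS's own forwarding logic) showing that with two default routes both the crypto peer and the protected traffic can leave through either ISP, and that a /32 for the peer plus a route for the protected subnet pins both to the crypto-map interface. All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the thread.
CRYPTO_IF = "eth 0/2"          # interface that carries the crypto map
PEER = "203.0.113.10"          # hypothetical public address of the remote VPN endpoint
REMOTE_HOST = "10.20.0.5"      # hypothetical host in the protected remote subnet

def egress_candidates(routes, dest):
    """Interfaces named by the longest-prefix routes that match dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return set()
    best = max(net.prefixlen for net, _ in matches)
    # Equal-length matches are the routes load sharing can choose between.
    return {ifc for net, ifc in matches if net.prefixlen == best}

def vpn_route_check(routes):
    """Classify how each VPN-relevant destination leaves the router."""
    report = {}
    for label, dest in (("crypto peer", PEER), ("protected traffic", REMOTE_HOST)):
        ifaces = egress_candidates(routes, dest)
        if ifaces == {CRYPTO_IF}:
            report[label] = "pinned"   # always leaves via the crypto-map interface
        elif CRYPTO_IF in ifaces:
            report[label] = "shared"   # may leave via either ISP
        else:
            report[label] = "wrong"    # never reaches the crypto-map interface
    return report

# Two default routes, one per ISP (the load-sharing setup in the question).
LOAD_SHARED = [("0.0.0.0/0", "eth 0/1"), ("0.0.0.0/0", "eth 0/2")]
# Plus the two statics suggested in the reply; the real routes would target the
# ISP next hop reachable through eth 0/2, modelled here by the interface name.
WITH_STATICS = LOAD_SHARED + [(PEER + "/32", CRYPTO_IF), ("10.20.0.0/24", CRYPTO_IF)]

if __name__ == "__main__":
    for name, table in (("load shared", LOAD_SHARED), ("with statics", WITH_STATICS)):
        print(name, vpn_route_check(table))
```

A "shared" result for either destination means some flows can miss the crypto map, which matches the intermittent loss described in the question.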

Anonymous
Not applicable

Re: IP load sharing with VPN

- Do you need any further assistance regarding this issue?

Thanks,

Noor

New Contributor

Re: IP load sharing with VPN

All set with this problem. Thanks for the input.

Kenneth Chastain

Systems Engineer

Anonymous
Not applicable

Re: IP load sharing with VPN

-

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor