Can I use a Cisco VPN Appliance behind a WAN aggregator?

Posted on 2009-02-12
Last Modified: 2012-05-06
I have a branch office where we are unable to get high bandwidth or reliable lines. We are forced to use DSL or WiMax. Our company model is to use a Cisco VPN device (800 router or ASA 5505) to link the office over a single line. I would like to be able to increase the available bandwidth by aggregating 2 or more lines. The ASA 5505 can do failover use of a second WAN line, but not load balancing.

After speaking with someone from Fatpipe they seemed to be telling me that I could use their Xtreme aggregator with our Cisco VPN appliance seamlessly. Are they telling the truth? I am not a Cisco or VPN expert but how can the aggregator possible drive the VPN over 2 separate lines? Would this not require another of their devices on the other end?

Any advice on whether it is possible to aggregate in FRONT of a VPN Appliance would be helpful. Also confirming that using an aggregator with built in ipSec is the only option would be helpful. The reason for trying to find a seamless solution is that our corporate security setup is not that flexible and the troubles in my region are fairly unique.

Thank You.
Question by:nordicatechnology
    LVL 10

    Accepted Solution

    If both WAN links have different IP's assigned to them:
    - A specific rule would have to be set in the aggregator to make all VPN traffic go out the one link

    If both WAN links are from the one ISP and essentially a round-robin set up with 1 WAN IP:
    - Using the aggregator would be fine.

    Without doing one of the above,

    A Cisco GRE/IPSEC VPN requires set endpoints, and if you've got one DSL WAN link with IP x.x.x.x and one WiMAX WAN link with IP y.y.y.y all plugged into an aggregator, the other side of the VPN will see the traffic for one VPN comming from 2 WAN IP's - not good.

    I doubt very much that it'll work seemlessly, you MAY be able to get it going with some tweaking, funky ACLs and routing but it'd be too much trouble for what it's worth - and it may be rather unstable.

    Author Comment

    Thank you for input. I suspect I will have to look at a device that can create it's own VPN tunnel on each WAN link and load balance between the two. I will leave this open for a bit longer to see if anyone else has any thoughts. Thank you!

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
    I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now