Anyconnect vpn load balancing using DNS roundrobin with SAML possible?

ronnie.shih (Level 1)

Hello, we have a pair of FTDs between an on-prem data center and Azure and would like to use DNS round-robin to load balance the client VPN connections between the pair of FTDs. The DNS name obviously would have a single A record pointing vpn.domain.com to the two different FTDs' outside interfaces. The tricky part is that we use Okta for SAML authentication and the FTDs are configured to use "VPN client embedded browser." I have spoken to Okta but they aren't clear whether this would work, since I need to configure 2 different FTDs with the same DNS name in Okta's SAML config. In that case, does Okta return responses back to the correct FTD?

Please advise, thank you

4 Replies

Milos_Jovanovic (VIP Alumni)

Hi @ronnie.shih,

I'm not sure whether it would work or not, but it is worth trying. I would advise using a recursive DNS lookup instead. Your FTD devices should have their own DNS records, e.g. vpn1.domain.com and vpn2.domain.com. There should be a third DNS record, vpn.domain.com, which clients would try to reach, and which would resolve via round-robin to vpn1.domain.com and vpn2.domain.com.

This way, each FTD device can identify itself uniquely to Azure, and your clients would still be able to use a single DNS record. Of course, your devices must have certificates for both domains, the common DNS one and the local one (e.g. vpn.domain.com and vpn1.domain.com). Also, each must accept connections on both vpn.domain.com and vpn1.domain.com.

I never tried this, and I'm always using VPN load balancing in such cases (which works on a similar principle). I've configured VPN load balancing on ASA software, and never on FTD, but I found this great guide, so you might want to try this too, and make sure you go through the Configuring VPN Load Balancing config guide.

Kind regards,

Milos
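A pre-deployment check for the three-record design described in this reply, added here as an example and not code from the thread: it verifies that the common name resolves to exactly the set of device addresses, that each device name resolves only to its own address, and that each device's certificate carries SANs for both the common name and its own name. The host names, RFC 5737 addresses and SAN lists are constructed sample data; the optional `live_sans` helper shows how to pull the real SAN list from a device with the standard library.

```python
import socket
import ssl
from typing import Dict, List

# --- Constructed sample data (hypothetical names, RFC 5737 test addresses) ---
COMMON_NAME = "vpn.domain.com"
DEVICES = {"vpn1.domain.com": "198.51.100.11", "vpn2.domain.com": "203.0.113.22"}
DNS_ANSWERS = {                       # what the resolver returns for each name
    "vpn.domain.com": ["203.0.113.22", "198.51.100.11"],   # round-robin, any order
    "vpn1.domain.com": ["198.51.100.11"],
    "vpn2.domain.com": ["203.0.113.22"],
}
CERT_SANS = {                         # DNS SANs presented by each outside interface
    "198.51.100.11": ["vpn.domain.com", "vpn1.domain.com"],
    "203.0.113.22": ["vpn2.domain.com"],   # deliberately lacks the common name
}

def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style comparison: a wildcard covers only the left-most label."""
    h, s = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if s.startswith("*."):
        return "." in h and h.split(".", 1)[1] == s[2:]
    return h == s

def check_design(common: str, devices: Dict[str, str], dns: Dict[str, List[str]],
                 sans: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    expected, got = set(devices.values()), set(dns.get(common, []))
    if got != expected:                       # common name must cover every device
        problems.append(f"{common} resolves to {sorted(got)}, expected {sorted(expected)}")
    for name, addr in devices.items():
        if dns.get(name) != [addr]:           # device name must be unique to that device
            problems.append(f"{name} should resolve only to {addr}, got {dns.get(name)}")
        for required in (common, name):       # cert must cover both names
            if not any(san_matches(required, s) for s in sans.get(addr, [])):
                problems.append(f"certificate on {addr} ({name}) lacks a SAN for {required}")
    return problems

def live_sans(name: str, port: int = 443) -> List[str]:
    """Fetch the DNS SANs a device really presents (needs network; unused by the sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((name, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    for p in check_design(COMMON_NAME, DEVICES, DNS_ANSWERS, CERT_SANS):
        print("PROBLEM:", p)
```

Run against the sample data it reports exactly one problem: the second device's certificate has no SAN for vpn.domain.com, so the embedded browser would reject it when clients land there through the common name.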

ronnie.shih (Level 1)

Thank you for your response. I believe I just need to try this out and see what breaks.

The last paragraph you mentioned actually refers to AnyConnect VPN load balancing in the same layer 2 network, which means load balancing AnyConnect connections across several FTD units in a load balancing group in networks stitched together at layer 2. We are looking to load balance AnyConnect connections between an on-prem data center and Azure, while using SAML authentication. So this scenario does not apply to us.

Hi @ronnie.shih, were you able to test the functionality of DNS LB or the recursive DNS lookup that @Milos_Jovanovic mentioned? We are getting ready to test this and came across this article, so I thought I'd check in on it.

We did get this to work, with a combination of an Azure Traffic Manager hierarchy and a spread of 5 DNS names. The "load balancing" part mostly works; of course, we all know that DNS round-robin isn't real load balancing, but it does spread VPN clients pretty evenly most of the time between our on-prem and Azure.
