ASA Load Balancing AnyConnect VPN. Unidirectional traffic on all non-primary firewalls.

raycourtney (Level 1)

Hi Everyone,

I've been given a curious problem to solve and I'm completely stuck.

We have 2 sets of firewalls, set up as pairs to load balance incoming AnyConnect VPNs.

On the primary firewall in each pair the clients connect OK and send/receive traffic successfully. If I join the second firewalls to the VPN Load Balancing Cluster, the clients connect to these devices OK, but we only get Rx traffic and no Tx traffic (as seen in the ASA VPN Monitoring).

We are using an FQDN for the redirect and we are using certificates to secure the IKEv2.

We are using the current AnyConnect client and ASA version 9.8.

Has anyone seen this before? Can you give me any pointers on where to look?

Thanks for your help.

RC

1 Reply

Rahul Govindan (VIP Alumni)

Looks like your load balancing is working correctly, but your outbound routing is messed up somewhere. How are you routing traffic to these 2 sets of firewalls? Are you using some dynamic routing to redistribute the RRI static route back to the internal core switch/router?

Alternatively, you can capture packets on the inside interface of the ASA-2 by applying the following commands:

    capture capi interface <inside-intf-name> match ip host <vpn-client-assigned-ip> any

    show capture capi

This should show if you are forwarding and receiving traffic on the inside interface of the ASA-2. This will help you isolate whether the issue lies on the ASA-2 or elsewhere.
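As an added example (not part of the thread and not Cisco code), a small Python helper that applies the check described above to the text of `show capture capi`: it counts packets leaving the assigned client address and packets returning to it on the inside interface, and reports whether both directions are present. The capture text below is constructed in the style of ASA output, not captured from the poster's devices.

```python
import re
from collections import Counter

# Matches the "src > dst:" pair in an ASA 'show capture' line. The optional
# trailing ".port" after a dotted quad is skipped so ICMP and TCP/UDP both parse.
_FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def count_directions(capture_text, client_ip):
    """Count packets sent by the VPN client and packets addressed back to it."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = _FLOW_RE.search(line)
        if not m:
            continue  # header/footer lines such as "3 packets captured"
        src, dst = m.groups()
        if src == client_ip:
            counts["from_client"] += 1
        elif dst == client_ip:
            counts["to_client"] += 1
    return counts


def diagnose(capture_text, client_ip):
    """Return a short verdict for one ASA's inside-interface capture."""
    c = count_directions(capture_text, client_ip)
    if c["from_client"] and c["to_client"]:
        return "bidirectional"   # inside interface sees both directions
    if c["from_client"]:
        return "no-return-path"  # client traffic forwarded, replies never come back
    if c["to_client"]:
        return "no-forward"      # replies arrive, but client traffic is not forwarded
    return "no-traffic"


# Constructed sample in the style of 'show capture capi' output (not real data).
SAMPLE = """3 packets captured

   1: 10:02:11.114523       10.10.10.5.51234 > 172.16.0.20.443: S 1:1(0) win 64240
   2: 10:02:11.114812       10.10.10.5 > 172.16.0.21: icmp: echo request
   3: 10:02:12.210004       10.10.10.5.51234 > 172.16.0.20.443: . ack 1 win 64240
3 packets shown
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.10.10.5"))  # no-return-path
```

A "no-return-path" verdict on the non-primary ASA points at the internal return route (for example, an RRI route that was never redistributed), while "no-forward" points at the ASA itself.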
