Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1151
Views
0
Helpful
4
Replies

anyconnect setup with 2 ASAv

sam cook
Spotlight
Spotlight

‎07-26-2018 12:17 AM

Hi,

Here is my situation:

I need to setup a remote vpn with anyconnect to Microsoft azure cloud.

 

to do so , I have 2 ASAv, but seen that ASAv could not be setup in High availability, i will configure them independently.

 

My 2 ASAv have private IP addresses and they are behind an edge router which have only one public IP.

 

see the picture attached to understand better.

 

can anyone help me how to setup anyconnect to connect on 1 ASAv and keep the second one as backup ?anyconnect 

Labels:
Preview file
34 KB
0 Helpful
4 Replies 4

Rahul Govindan
VIP Alumni
VIP Alumni

‎07-26-2018 04:34 AM

Since you have only 1 public ip address, you would have do some sort of port forwarding on your gateway to get both ASA's to work. You can:

 

1) Enable webvpn on port 8443 on ASA1

2) Enable webvpn on port 8444 on ASA2

3) Create port forwarding rules on your Azure gateway to point public-ip on 8443 to ASA1 and public-ip on 8444 to ASA2

4) Create an Anyconnect xml profile with public-ip:8443 as primary server address and public-ip:8444 as backup address. Client will connect to ASA2 if ASA1 is not reachable. 

 

 

If you keep different pools on both ASA's you can statically route traffic to each one of them based on the destination address.

0 Helpful

sam cook
Spotlight
Spotlight
In response to Rahul Govindan

‎07-26-2018 05:54 AM

Looks like a good solution , thank you Rahul Govindan , i will test it and revert back to you ;)

 

0 Helpful

gbekmezi-DD
Level 5
Level 5
In response to sam cook

‎07-26-2018 06:35 AM

I’m sorry, I know this doesn’t answer your question, however, I am curious why you are using 2 virtual ASAs In this cloud scenario. Have you considered using cloud native availability features? The 8443 and 8444 options proposed by Rahul will work, but many places only allow known ports out their firewalls toward the internet so you may have users in certain locations who cannot connect on those ports.

Another option here is to port forward tcp and udp 443 to a load balancer and allow that load balancer to choose which asa to send the traffic to based on availability.
0 Helpful

sam cook
Spotlight
Spotlight
In response to gbekmezi-DD

‎07-26-2018 06:49 AM

HI  gbekmezi

 

I'm using  2 ASAv because i need 1000 users but each ASAv30 licence is limited to 750 user.

 

Have you considered using cloud native availability features? ==> can you explain to me what's that ?

 

your solution is also good but i will need in this case an extra device (load balancer)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents