SSL vpn/Anyconnect loadbalancing

hbremer
Level 1

Dear all,

 

We have two identical ASA 5545-X units and we want to configure Cisco AnyConnect 4.3 client connections / SSL VPN client connections in load balancing so that both ASAs will serve the client connection requests. Is that possible? If yes, how can we configure the two ASAs for this?

 

Thanks,

HBremer

11 Replies

Shakti Kumar
Cisco Employee

Hi,

Remote VPN Client Load Balancing on ASA 5500 Configuration Example

Hope that helps

Thanks

Shakti

Hi Shakti,


Thank you for your quick reply. Does this mean that we can configure both ASAs in a cluster and also have high availability? I have read in "CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6" that remote access VPN is not supported with clustering. VPN functionality is limited to the primary unit and does not take advantage of the cluster high availability capabilities. I'm just confused.

Thanks,

HBremer

Hi hbremer,

No, load balancing is just in terms of load balancing the AnyConnect connection requests. No other connections apart from AnyConnect connections are sent to the other unit.

The master device does not perform a round-robin method of sending the connections to the devices; rather, its operation is based more on the percentage of connection load on the device.

The load is calculated roughly as:

no. of connections / total no. of connections allowed (license) * 100

Hope that helps

Thanks

Shakti

 

Hi Shakti,

Thanks! So what is the best practice to have both load balancing and high availability? Configuring the ASA in Active/Active mode? If yes, is there any configuration example of how to do it?

Thanks

HBremer

Hi hbremer,

So, when you configure the ASA in Active/Active mode, each context is altogether a different ASA, which will make things even more complex.

I think if you plan to achieve load balancing and high availability at the same time, you can use the server-list and backup server-list features of the XML profile.

The XML profile has a server list option that tells AnyConnect which ASA to contact and connect to, and as a high availability feature you also specify a backup server list, which tells AnyConnect where to connect in case the primary fails. The backup server list entry is another ASA, which can be at a different location.

For example, you define an ASA in the US as the primary server, and under the backup server you can define some ASA sitting in the UK in case the ASA in the US fails.

Such an implementation also opens up features such as Optimal Gateway resolution, wherein AnyConnect decides the best server to reach by measuring the response time of each primary server.

You can find more information in the documents below:

Configuring a Server List

Optimal Gateway Selection

Hope that helps

Thanks

Shakti
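
The server-list and backup-server-list setup described in the reply above can be checked before a profile is pushed to clients. This is an added example, not part of the thread and not Cisco's code: it parses an AnyConnect XML profile and flags host entries that have no usable backup server. The sample profile and its example.com hostnames are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; the hostnames are placeholders, not from the thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN US</HostName>
      <HostAddress>vpn-us.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-uk.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-uk.example.com</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def children(elem, name):
    """Direct children with this local tag name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def first_text(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def parse_server_list(profile_xml):
    """Return [(display name, primary address, [backup addresses])]."""
    entries = []
    root = ET.fromstring(profile_xml)
    for server_list in children(root, "ServerList"):
        for host in children(server_list, "HostEntry"):
            name = first_text(host, "HostName")
            # HostName doubles as the address when HostAddress is left out.
            primary = first_text(host, "HostAddress") or name
            backups = [(b.text or "").strip()
                       for bl in children(host, "BackupServerList")
                       for b in children(bl, "HostAddress")]
            entries.append((name, primary, backups))
    return entries

def audit_failover(entries):
    """Flag entries whose backup list gives the client nowhere else to go."""
    findings = []
    for name, primary, backups in entries:
        usable = [b for b in backups if b and b.lower() != primary.lower()]
        if not usable:
            reason = "repeats the primary" if backups else "is missing"
            findings.append(f"{name}: backup server list {reason}")
    return findings
```

Calling `audit_failover(parse_server_list(SAMPLE_PROFILE))` reports the second entry, which has no backup gateway defined.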

Hi Shakti,

This means configuring both ASAs as separate VPN GWs instead of in failover.

Hi hbremer,

Yes, exactly. That will ensure high availability against ISP failure too.

Thanks

Shakti

Thx Shakti,

Do you have a configuration example for the AnyConnect client in Active/Active failover mode?

Hi hbremer,

The configuration is pretty much the same as in single mode.

For a configuration example on Active/Active:

PIX/ASA: Active/Active Failover Configuration Example

Configuration example for AnyConnect:

Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA

The only difference in terms of configuration I can think of is that you call the webvpn-related configuration under the admin context.

Thanks

Shakti

Hi Shakti,

Thank you.

Is AnyConnect required for this?

 

Can you use OpenConnect for this SSL VPN LB?

 
