09-18-2016 11:48 PM - edited 02-21-2020 08:58 PM
Dear all,
We have two identical ASA 5545-X and we want to configure Cisco AnyConnect 4.3 client connection / SSL VPN client connection in load balancing so that both ASAs will serve the client connection requests. Is that possible? If yes, how can we configure the two ASAs for this?
Thanks,
HBremer
09-18-2016 11:56 PM
Hi hbremer,
Below is the document that describes AnyConnect load balancing:
Remote VPN Client Load Balancing on ASA 5500 Configuration Example
Hope that helps
Thanks
Shakti
09-19-2016 12:26 AM
Hi Shakti,
Thank you for your quick reply. Does this mean that we can configure both ASAs in a cluster and also have high availability? I have read in "CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6" that remote access VPN is not supported with clustering. VPN functionality is limited to the primary unit and does not take advantage of the cluster high availability capabilities. I'm just confused.
Thanks,
HBremer
09-19-2016 12:38 AM
Hi hbremer,
No, load balancing is just in terms of load balancing the AnyConnect connection requests. No connections other than AnyConnect connections are sent to the other unit.
The master device does not perform a round-robin method of sending the connections to the devices; rather, its operation is based more on the percentage of connection load on the device.
The load is calculated roughly as:
(no. of connections / total no. of connections allowed (license)) * 100
Hope that helps
Thanks
Shakti
09-19-2016 12:48 AM
Hi Shakti,
Thanks! So what is the best practice to have both load balancing and high availability? Configuring ASA in Active/Active mode? If yes, is there any configuration example of how to do it?
Thanks
HBremer
09-19-2016 01:22 AM
Hi hbremer,
So, when you configure ASA in Active/Active mode, each context is altogether a different ASA, which will make things even more complex.
I think if you plan to achieve load balancing and high availability at the same time, you can use the server-list and backup server-list features of the XML profile.
The XML profile has a server list option that tells AnyConnect which ASA to contact and connect to, and as a high availability feature you also specify a backup server list, which tells AnyConnect where to connect in case the primary fails. The backup server list entry is another ASA, which can be at a different location.
For example, you define as primary server an ASA which is in the US, and under the backup server you can define some ASA sitting in the UK in case the ASA in the US fails.
Such an implementation also opens up features such as Optimal Gateway resolution, wherein AnyConnect decides the best server to reach by measuring the response time of each primary server.
You can find more information on the document below
Hope that helps
Thanks
Shakti
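The server list and backup server list described in the reply above can be checked before a profile is deployed. The following is an added example, not part of the original thread and not Cisco's code: it parses a constructed AnyConnect profile (the hostnames are placeholders, and the element names assume the standard AnyConnect profile schema) and reports server entries that have no usable backup gateway.

```python
import xml.etree.ElementTree as ET

# Namespace assumed from the standard AnyConnect profile schema.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile; hostnames are placeholders, not from the thread.
SAMPLE_PROFILE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN US</HostName>
      <HostAddress>vpn-us.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-uk.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>VPN UK</HostName>
      <HostAddress>vpn-uk.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def server_list(profile_xml):
    """Return each HostEntry as a dict: display name, primary, backups."""
    root = ET.fromstring(profile_xml.strip())
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        backups = host.findall("ac:BackupServerList/ac:HostAddress", NS)
        entries.append({
            "name": host.findtext("ac:HostName", "", NS).strip(),
            "primary": host.findtext("ac:HostAddress", "", NS).strip(),
            "backups": [b.text.strip() for b in backups if b.text],
        })
    return entries

def entries_without_failover(profile_xml):
    """Names of entries with no backup, or whose backups only repeat the primary."""
    missing = []
    for entry in server_list(profile_xml):
        usable = [b for b in entry["backups"]
                  if b.lower() != entry["primary"].lower()]
        if not usable:
            missing.append(entry["name"])
    return missing

if __name__ == "__main__":
    for name in entries_without_failover(SAMPLE_PROFILE):
        print("no backup gateway configured for:", name)
```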
09-19-2016 02:42 AM
Hi Shakti,
This means configuring both ASAs as separate VPN GWs instead of in Failover.
09-19-2016 05:20 AM
Hi hbremer,
Yes, exactly. That will ensure high availability against ISP failure too.
Thanks
Shakti
09-20-2016 06:55 AM
Thx Shakti,
Do you have a configuration example for the AnyConnect client in Active/Active failover mode?
09-20-2016 05:30 PM
Hi hbremer,
The configuration is pretty much the same as in single mode.
For a configuration example on Active/Active:
PIX/ASA: Active/Active Failover Configuration Example
Configuration example for AnyConnect:
Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA
The only difference in terms of configuration I can think of is that you call the webvpn-related configuration under the admin context.
Thanks
Shakti
09-23-2016 06:53 AM
Hi Shakti,
Thank you.
09-12-2019 08:33 AM
Is AnyConnect required for this?
Can you use OpenConnect for this SSL VPN LB?