Beginner

SSL VPN/AnyConnect load balancing

Dear all,

 

We have two identical ASA 5545-X units and we want to configure Cisco AnyConnect 4.3 client connections / SSL VPN client connections in load balancing so that both ASAs will serve the client connection requests. Is that possible? If yes, how can we configure the two ASAs for this?

 

Thanks,

HBremer

Cisco Employee

Hi hbremer,

Remote VPN Client Load Balancing on ASA 5500 Configuration Example

Hope that helps

Thanks

Shakti

Beginner

Hi Shakti,

Thank you for your quick reply. Does this mean that we can configure both ASAs in a cluster and also have high availability? I have read in "CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6" that remote access VPN is not supported with clustering. VPN functionality is limited to the primary unit and does not take advantage of the cluster high availability capabilities. I'm just confused.

Thanks,

HBremer

Cisco Employee

Hi hbremer,

No, load balancing is just in terms of load balancing the AnyConnect connection requests. No connections other than AnyConnect connections are sent to the other unit.

The master device does not perform a round-robin method of sending the connections to the devices; rather, its operation is based more on the percentage of connection load on the device.

The load is calculated roughly as:

(no. of connections / total no. of connections allowed (license)) * 100

Hope that helps

Thanks

Shakti

 

Beginner

Hi Shakti,

Thanks! So what is the best practice to have both load balancing and high availability? Configuring the ASA in Active/Active mode? If yes, is there a configuration example of how to do it?

Thanks

HBremer

Cisco Employee

Hi hbremer,

So, when you configure the ASA in Active/Active mode, each context is altogether a different ASA, which will make things even more complex.

I think if you plan to achieve load balancing and high availability at the same time, you can use the server-list and backup server-list features of the XML profile.

The XML profile has a server list option that tells AnyConnect which ASA to contact and connect to, and as a high availability feature you also specify a backup server list, which tells AnyConnect where to connect in case the primary fails. The backup server list entry is another ASA, which can be at a different location.

For example, you define an ASA in the US as the primary server, and under the backup server you can define an ASA sitting in the UK in case the ASA in the US fails.

Such an implementation also opens up features such as Optimal Gateway resolution, wherein AnyConnect decides the best server to reach by measuring the response time of each primary server.

You can find more information in the documents below:

Configuring a Server List

Optimal Gateway Selection

Hope that helps

Thanks

Shakti
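Added example, not part of the original thread or Cisco's documentation: a short Python check that reads the ServerList / BackupServerList section of an AnyConnect profile and reports the order in which the client would try gateways, flagging entries that have no per-host backup. The hostnames, the sample profile and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; hostnames are placeholders, not from the thread.
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>US gateway</HostName>
      <HostAddress>vpn-us.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-uk.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>UK gateway</HostName>
      <HostAddress>vpn-uk.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# AnyConnect profiles declare this default namespace on the root element.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def connection_order(profile_xml):
    """Map each server-list entry to the addresses tried, primary first."""
    root = ET.fromstring(profile_xml)
    order = {}
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", default="", namespaces=NS).strip()
        primary = entry.findtext("ac:HostAddress", default="", namespaces=NS).strip()
        backups = [b.text.strip()
                   for b in entry.findall("ac:BackupServerList/ac:HostAddress", NS)
                   if b.text]
        # If HostAddress is omitted, the HostName itself is the address used.
        order[name] = [primary or name] + backups
    return order


def entries_without_backup(profile_xml):
    """Entries with no per-host backup list (single point of failure)."""
    return [n for n, addrs in connection_order(profile_xml).items() if len(addrs) == 1]


if __name__ == "__main__":
    for name, addrs in connection_order(PROFILE).items():
        print(f"{name}: {' -> '.join(addrs)}")
    print("no per-host backup:", entries_without_backup(PROFILE))
```
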

Beginner

Hi Shakti,

This means configuring both ASAs as separate VPN GWs instead of in failover.

Cisco Employee

Hi hbremer,

Yes, exactly. That will ensure high availability against ISP failure too.

Thanks

Shakti

Beginner

Thx Shakti,

Do you have a configuration example for the AnyConnect client in Active/Active failover mode?

Cisco Employee

Hi hbremer,

The configuration is pretty much the same as in single mode.

For a configuration example on Active/Active:

PIX/ASA: Active/Active Failover Configuration Example

Configuration example for AnyConnect:

Configure AnyConnect Secure Mobility Client with Split Tunneling on an ASA

The only difference in terms of configuration I can think of is that you call the webvpn-related configuration under the admin context.

Thanks

Shakti

Beginner

Hi Shakti,

Thank you.

Enthusiast

Is AnyConnect required for this?

Can you use OpenConnect for this SSL VPN LB?