AnyConnect headend with two DNS entry

mazin D (Level 1)

Hi,

In my AnyConnect VPN setup, the headend ASA firewall is behind a Fortigate firewall; the Fortigate is connected to the Internet via 2 ISP lines. There are two public IP addresses on the Fortigate (one from each ISP) pointing back to the outside interface of the ASA (VIPs). The ASA FQDN has two DNS entries (the 2 public IP addresses). We are using the FQDN in the server list in the AnyConnect profile. AnyConnect is working fine, but when I shut the port on the Fortigate that is connected to ISP1 to force AnyConnect to use the second IP address, the connection fails; checking the DART, the DNS entry is always the first ISP IP address only. Any ideas on how to make AnyConnect use both public IP addresses? By the way, I have a site-to-site VPN to the same outside interface on the ASA and I can use either of the IPs to establish the tunnel.


7 Replies

@mazin D 

Have you defined the second FQDN as a backup server under the AnyConnect configuration? Or as a separate server list entry?

Thanks Rob for your reply,

The FQDN is the same but with 2 IP addresses, for example:

int-fw.example.co.uk    31.1.10.12
int-fw.example.co.uk    31.1.150.4

So when you do an nslookup, you will get 2 IP addresses for the same FQDN.

Ok, so it's one FQDN with two IP addresses defined. The client computer has probably cached the first IP address. DNS resolution would be independent of the actual ISP/ASA interface being reachable.

You should instead define 2 FQDNs, resolving to different IP addresses. Define the second as a backup server.

Example using the AnyConnect Profile Editor:

[Image: vpn.PNG, AnyConnect Profile Editor server list with a backup server entry]

Sorry Rob for the delay getting back to you, I was testing the solution.

I have added the backup server, but AnyConnect is still failing to establish the tunnel to the backup server. We are using certificates for authentication; checking the DART, I can see that it is complaining that the server name is not the subject name:

certificate name verification has failed
server Name: int-fw-backup.example.co.uk
subject alternate name(s): int-fw.example.co.uk

Any ideas?

I am not entirely sure what you've configured, but you'd need to configure 2 FQDNs, with a unique certificate (or wildcard).

int-fw.example.co.uk - 31.1.10.12

int-fw-backup.example.co.uk - 31.1.150.4
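A check worth running after applying this fix, added here as an example and not part of the thread or of Cisco's tooling: it parses a constructed AnyConnect client profile (element names ServerList/HostEntry/HostAddress/BackupServerList assumed from the profile editor's XML output) and reports every server address, primary or backup, that the headend certificate's SAN entries do not cover, which is the name-verification failure the DART log above shows for the backup server.

```python
import xml.etree.ElementTree as ET

# Constructed profile fragment (not taken from the thread). Element names are
# assumed from the AnyConnect Profile Editor's XML: one primary HostAddress
# plus a BackupServerList holding further HostAddress entries.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>int-fw.example.co.uk</HostAddress>
      <BackupServerList>
        <HostAddress>int-fw-backup.example.co.uk</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def profile_hosts(xml_text):
    """Every HostAddress in the profile (primary first, then backups), namespace ignored."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter()
            if e.tag.rsplit('}', 1)[-1] == 'HostAddress' and e.text]


def san_matches(san, host):
    """RFC 6125 style name check: exact match, or a wildcard covering only the left-most label."""
    san, host = san.lower().rstrip('.'), host.lower().rstrip('.')
    if san == host:
        return True
    if san.startswith('*.'):
        labels = host.split('.')
        return len(labels) >= 3 and labels[1:] == san[2:].split('.')
    return False


def uncovered_hosts(xml_text, san_dns_names):
    """Profile hosts that no SAN dNSName covers; the client will refuse the tunnel to each of these."""
    return [h for h in profile_hosts(xml_text)
            if not any(san_matches(s, h) for s in san_dns_names)]


# Certificate as described in the thread: SAN carries only the primary name.
SAN_BEFORE = ["int-fw.example.co.uk"]
# Corrected certificate: both names in the SAN (a wildcard "*.example.co.uk" also works).
SAN_AFTER = ["int-fw.example.co.uk", "int-fw-backup.example.co.uk"]

if __name__ == "__main__":
    print(uncovered_hosts(PROFILE_XML, SAN_BEFORE))  # ['int-fw-backup.example.co.uk']
    print(uncovered_hosts(PROFILE_XML, SAN_AFTER))   # []
```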

Thanks Rob, that solved the issue.

Dinesh Moudgil (Cisco Employee)

On a similar note, and adding to what Rob shared, round-robin DNS support for AnyConnect is still an enhancement request:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo47577

Backup server configuration should work in this case.

Thanks,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/