Solved: Anyconnect / Multiple ASA VPNs

GRANT3779 · ‎02-12-2014

Hi All,

I basically have 3 ASAs across various sites.

I want all of these ASAs to provide VPN access into our Network.

I've got the jist of setting them up individually etc.. and providing VPN access.

However my query is, can I combine all of these Ingress points to the Anyconnect client so that if one ASA is down, the client tries another one and so forth? Is there a way for me to present all 3 options via the Anyconnect Client?

Richard Burts · ‎02-12-2014

The VPN load balancing/clustering is a very nice feature. The last time I looked it required that all the ASAs be on a comon subnet for the interface there the VPN terminates. Since the original poster tells us about 3 ASAs across various sites I wonder if they could be on a common subnet.

Another alternative that should work for the original poster is to use the XML profile that is associated with AnyConnect. In the XML profile there is an option to configure backup servers. I have used this feature and it worked pretty well for me. I had a profile for each site and in the profile I configured each of the other ASAs as backup server. then if a user attempted to connect to their usual ASA and it was not available then the AnyConnect client would just initiate a connection to one of the other servers. Usually it was pretty transparent to the user.

HTH

Rick

HTH

Rick

View solution in original post

Poonam Garg · ‎02-12-2014

Yes Grant, its possible..

Clustering (or VPN load balancing, as it is more commonly known) can be used to divide AnyConnect remote client sessions between the available ASA devices without the need for identical hardware and software.

After a failover on one ASA occurs, any AnyConnect client sessions that the failed ASA had been responsible for must be re-created on the newly delegated ASA (by the master ASA). However, if connected using a client with DPD enabled, the client can automatically reconnect to the virtual cluster address (VIP) for session reestablishment.

Clustering can be configured on an ASA 5510 only with an installed Security Plus license, or on an ASA 5520 and later device. The devices are also required to have an installed Triple Digital Encryption Standard/Advanced Encryption Standard (3DES/AES) license for operation. If the load-balancing module cannot detect the presence of a 3DES/AES license, it becomes unavailable.

The load balancing (VPN cluster) configuration window available in the ASDM at Configuration > Remote Access VPN > Load Balancing.

For more details :

Refer "Chapter 8- AnyConnect High Availability and Performance" of ccnp_security_vpn_642-647_official.pdf

If you find this post useful then kindly rate.

Richard Burts · ‎02-12-2014

The VPN load balancing/clustering is a very nice feature. The last time I looked it required that all the ASAs be on a comon subnet for the interface there the VPN terminates. Since the original poster tells us about 3 ASAs across various sites I wonder if they could be on a common subnet.

Another alternative that should work for the original poster is to use the XML profile that is associated with AnyConnect. In the XML profile there is an option to configure backup servers. I have used this feature and it worked pretty well for me. I had a profile for each site and in the profile I configured each of the other ASAs as backup server. then if a user attempted to connect to their usual ASA and it was not available then the AnyConnect client would just initiate a connection to one of the other servers. Usually it was pretty transparent to the user.

HTH

Rick

HTH

Rick

Marvin Rhoads · ‎02-12-2014

As Rick notes, VPN Cluster is for when you are spreading the load across ASAs at a single site.

The backup server option he mentions is the one to use for VPN site diversity.