Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
0
Helpful
1
Replies

Anyconnect VPN Load Balancing

Gavin Sparks
Level 1
Level 1

‎03-19-2020 03:52 AM - edited ‎03-19-2020 03:54 AM

Hi,

We peer with our ISP over dual Internet Circuits.  Our Anyconnect infrastructure is a pair of ASA's with a Load Balance address. Pretty standard.

Currently we are advertise the public addresses for the Anyconnect infrastructure out of both our uplinks to our ISP via BGP with 1 link being preferred over the other (AS Prepend/Local Pref) style. So effectively one link is the backup.

Now my question is if we manipulated BGP so that the outside Anyconnect GW1 IP  preferred one link and the Anyconnect GW-2 IP the other link with the LB address down the Primary. Presumably the clients would hit the LB address then connect down either the A or B uplinks to the physical addresses?  Would that work or completely break it?

Labels:
0 Helpful
1 Reply 1

Cristian Matei
VIP Alumni
VIP Alumni

‎03-19-2020 04:31 AM

Hi,

 

   It's gonna work perfectly; to avoid potential problems in the "redirect" phase, ensure that if there are any other layer 3 devices between your ASA pair and your ISP, those devices don't have any sort of stateful firewalls configured.

   If it doesn't work, post here the issues you ran into, cause it has to work.

 

Regards,

Cristian Matei.

0 Helpful
Customers Also Viewed These Support Documents