Anyconnect VPN with multiple ISPs

Scott Whitney
Level 1

Hello all,

I'm a little stumped. I have a 5525-X with 2 ISPs and an MPLS. I previously had AnyConnect on ISP1 (Outside) and VPN connections to my other sites (this is a datacenter) going through ISP 2 (BackupInternet). Users could connect to the VPN and connect to remote sites over the site-to-site VPNs terminating on ISP2.

webvpn
enable outside
hsts
enable
max-age 31536000
include-sub-domains
etc....
Due to some carrier issues, I had to flip the site-to-site VPN to go out ISP 1 (Outside). AnyConnect users could now not connect to the remote sites (most likely a reverse path violation?). My solution was to move the AnyConnect to the backup internet:

webvpn
enable BackupInternet  <- only change
hsts
enable
max-age 31536000

In routing, my default route has never changed and has been out ISP 1. In order to get my users to connect to AnyConnect, I need to add a specific host route to their home public IP. Users can now connect to AnyConnect on BackupInternet; however, no internal resources are reachable. I've been thinking about this all weekend and can't figure out the issue.
Note both ISPs had a security level of 0. I tried switching ISP 2 to security level 10; this made no difference, however. Any suggestions would be appreciated. If something is unclear, please ask and I'm more than happy to explain further.


4 Replies

balaji.bandi
Hall of Fame

Can you post more config bits, and some logs here for us to review?

After you moved the site-to-site towards ISP1, is any connection working as expected? Is the site-to-site failing, or are both not working?
BB


The site-to-site tunnels work as expected. I think Rob may be onto something though; will respond there.
@Scott Whitney you probably need a NAT exemption rule to/from that new interface, depending on whether there are other NAT rules for that new interface that may unintentionally be translating the traffic.

nat (inside,BackupInternet) source static LAN LAN destination static RAVPN RAVPN

If that doesn't work run packet-tracer to simulate the traffic flow, please provide the output for review.

@Rob Ingram Thank you, you were 100% right. I had that entry but for outside. Removed outside, added backup, up 100%.

Thank you both for chipping in.
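For readers hitting the same thing, here is a worked ASA configuration fragment showing the before and after of the fix confirmed above. It is an added illustration, not config taken from Scott's or Rob's posts: the object names LAN and RAVPN, their subnets, the interface names inside, Outside and BackupInternet, and the outbound PAT rule are all assumed for the example.

```cisco
! --- Added example, not the thread's own config. Subnets, interface names and the PAT rule are assumed. ---
! Objects for the internal network and the AnyConnect address pool
object network LAN
 subnet 10.10.0.0 255.255.0.0
object network RAVPN
 subnet 172.16.50.0 255.255.255.0
!
! Ordinary outbound PAT for the interface the VPN now terminates on (placed after
! object NAT). If no NAT exemption matches first, replies from inside hosts toward
! the VPN pool that leave via BackupInternet are PATed to the interface address and
! the AnyConnect client never sees a usable reply.
nat (inside,BackupInternet) after-auto source dynamic LAN interface
!
! BEFORE: the exemption is tied to the old VPN interface pair (inside,Outside).
! A manual NAT rule with an explicit interface pair only covers that pair, so once
! the tunnel moves to BackupInternet the inside-to-pool path is no longer exempt.
nat (inside,Outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
!
! AFTER: remove the stale rule and apply the same identity NAT on the new pair.
! route-lookup makes the egress interface follow the routing table rather than the
! rule's mapped interface; no-proxy-arp stops the ASA answering ARP for the pool.
no nat (inside,Outside) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
nat (inside,BackupInternet) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp route-lookup
!
! Checks: confirm the exemption is installed and counting hits, then simulate a reply
! from an internal host to a connected client and read the NAT and ROUTE phases.
show nat detail
packet-tracer input inside tcp 10.10.1.25 49152 172.16.50.10 445 detailed
```

In the packet-tracer output the NAT phase should show the identity rule (real and mapped addresses equal) and the final action should be allow; if a dynamic PAT rule appears there instead, the exemption is still on the wrong interface pair or is ordered after a broader manual NAT rule.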