AnyConnect with two ISPs in ASA Active/Standby pair

Cisco Customer
Level 1

I thought this design would be "simple" and it's proven to be anything but...

There are two ASAs configured in active/standby failover.  There are also two ISPs, correctly configured with tracked routing for ISP and ASA failover.  Those basics work as expected.

For AnyConnect, what I wanted to do is simplify the user experience so they didn't have to know what ISP they were logging into - a primary and backup ISP on the same ASA pair - and let AnyConnect do the magic for them.  This particular AnyConnect configuration is a split-tunnel for the inside network; only internal traffic traverses the VPN tunnel.  With my present level of understanding, the only way I've been able to make it work is as follows:

  • User logs into the ASA's Primary ISP SSLVPN site - has to choose a connection profile (primary or backup)
  • The user chooses primary with correct user & pass & navigates to the AnyConnect page and launches AnyConnect
  • AnyConnect installs on endpoint, initiates connection as prescribed via the "primary" group (connection profile)'s group policy
  • Things work

If the user logs into the ASA's Backup ISP SSLVPN site and chooses the "backup" group, that also works. 

However, if the user logs into the ASA Primary ISP IP and chooses "backup" or logs into the ASA Backup ISP IP and chooses "primary" then the connection doesn't work.  Or if the user directly launches AnyConnect Client on their computer, they may not know what ISP the client connected to so they may incorrectly choose primary when it really connected to backup or vice versa.  What I ultimately want to prevent is the user having to make a choice - they don't need to know if primary or backup ISP is working, I only want the user to enter their user & pass and connect.

In my ASA NAT config, I have two NAT policies, one for each VPN, per ISP.  Something to the extent of:

nat (inside, outside1) source static inside-net inside-net destination static vpn-a vpn-a no-proxy-arp route-lookup
nat (inside, outside2) source static inside-net inside-net destination static vpn-b vpn-b no-proxy-arp route-lookup

Where vpn-a is the address pool for the primary ISP and vpn-b is the address pool for the backup ISP.

And where Connection Profile AnyConnect-A (primary ISP) maps to vpn-a and Connection Profile AnyConnect-B (backup ISP) maps to vpn-b.

Since there doesn't seem to be a way to:

  • lock a particular web portal configuration to a specific outside interface
    • said another way, bind a specific portal customization with the corresponding group policy to satisfy NAT requirements
  • auto-select the group (connection profile) based on the ASA's vpn peer ip
  • achieve something more simplified without violating overlapping vpn ip pools on > 1 outside interfaces
...I can't seem to achieve the design goal of an AnyConnect VPN configuration that puts the user in the correct vpn pool on the correct interface without the user having to make a decision they don't understand.
Perhaps I'm completely wrong and just need some sound advice for managing this scenario.  After the last few days of googling, I'm hoping someone has been in this scenario before with a solution.
Thank you!
Travis

3 Replies

Hi,

You do seem to have over complicated the setup.

I just have one profile in AnyConnect with the backup server set up. So if the primary ASA is not available, it automatically tries the backup ASA. Makes it simple for the clients!

The way I read your setup, one ISP is connected to the primary, the other to the failover ASA. So really only one ISP is active at any one time. You only really need one pool of addresses as well.

Happy New Year

Richard
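As an added illustration of the single-profile approach Richard describes (not his configuration and not a Cisco-supplied file), here is an AnyConnect client profile fragment with a backup server list; the host names are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile; not taken from the thread. -->
<!-- Host names are placeholders: substitute the DNS name or IP each ISP presents. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <!-- The single entry the user sees in the AnyConnect drop-down; no ISP choice. -->
      <HostName>Corporate VPN</HostName>
      <!-- Address reachable through the primary ISP. -->
      <HostAddress>vpn-primary.example.com</HostAddress>
      <!-- Tried in order when the primary address does not answer. -->
      <BackupServerList>
        <HostAddress>vpn-backup.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because both addresses land on the same connection profile, a single address pool is enough, as Richard notes; the profile is delivered to clients by the ASA through the group policy.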

I'm quite sure I was overthinking it, since it's between the ASA lacking some hypothetical "must-have" feature that is inspired by smithing mythril with an Intel CPU ...

... or more realistically I don't have HSRP/BGP capable ISPs and was attempting a poor man's solution to VPN.  Ultimately I have to make a choice with the available technology.  So I picked one ISP and configured VPN for that and my higher-ups have to deal with the risk of no resiliency for AnyConnect if that ISP goes down. 

niranjan.ghodke
Level 1

Have you found any solution for the above scenario?