Cisco AnyConnect VPN with new ISP connection (new public IP)

sumjoy_vicky
Level 1

Hi,

We have two Cisco ASAs running AnyConnect with VPN load balancing enabled. Both ASAs have one outside interface towards the ISP. Now I want to connect one ASA to a new ISP with a new public IP on a new interface (let's say outside1).

How can we achieve this design considering the below?

1. Without disturbing the existing VPN load balancing.

2. The new link will only be used to connect remote users connecting through the new ISP.

3. Both ISP connections should work at the same time. However, for remote users who connect through the new ISP link, the return traffic should also go out from the same link.

4. We want to use the same user pool for the new connection.

5. Certificate-based authentication is enabled.

Please see attached design.

Thanks.

2 Replies

ccieexpert
Spotlight

Unfortunately, you can only define one public interface.

Are you trying to load balance over the new interface, or just connect to it without VPN load balancing?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-ha.html

Q. If we enable SSL VPN on multiple interfaces, is it possible to implement VPN load balancing for both of the interfaces?

A. You can define only one interface to participate in the VPN load-balancing group as the public interface. The idea is to balance the CPU loads. Multiple interfaces converge on the same CPU, so the concept of VPN load balancing on multiple interfaces does not improve performance.

**Please rate as helpful if this was useful**

Hi @ccieexpert,

Thanks for your response. I'm looking to add an additional connection without load balancing (I don't want to touch the existing VPN load balancing).