Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1316
Views
5
Helpful
10
Replies

Cisco ASA AnyConnect with Active-Active ISP

Go to solution
houren
Level 1
Level 1

‎05-09-2022 02:31 AM

Hi Community,

 

I would like to confirm that Cisco ASA AnyConnect with dual active-active ISP is not supported?. from my checking, only active-standby ISP is supported through SLA feature, ie, when primary ISP for Anyconnect fails, secondary ISP for Anyconnect will be active.

 

is there any guide or documentation that mentions that dual active-active ISP is not supported?

 

Thank you

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎05-09-2022 04:16 AM - edited ‎05-09-2022 04:20 AM

I am wondering what exactly is not woking. AnyConnect can run on all your ISP-connections simultaneous and the configuration is pretty much straight forward.

What you need:

  • Two or more working ISPs (configured with load sharing or active passive does not matter). If not yet in place, the easiest option is to configure a static default route pointing to the second ISP with a higher Metric
  • Webvpn enabled on all these interfaces
  • NAT-Exemption on all Interfaces where AnyConnect should run
  • DNS-Entries for all public interfaces that should terminate AnyConnect connections
  • A certificate for the FQDN on your secondary ISP added to the ASA and assigned to the interface
  • likely url-entries in the tunnel-group to accept the additional FQDNs

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Rob Ingram
VIP
VIP

‎05-09-2022 02:40 AM

@houren I assume you are referring to using 1 ASA with 2 active ISP's? Were you planinng running ECMP using Traffic Zones? VPN's are not recommended using traffic zones. https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/interface-zones.html

 

0 Helpful

Go to solution
houren
Level 1
Level 1
In response to Rob Ingram

‎05-09-2022 02:45 AM

Hi Rob, 

 

yes you are right, 1 ASA with dual ISP. So users can connect to either ISP 1 or ISP 2 for anyconnect when connecting from home to office. No, i was not referring to ECMP.

 

Thank you. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to houren

‎05-09-2022 02:49 AM - edited ‎05-09-2022 02:51 AM

@houren you cannot define a static route (of the same metric) to the same destination (i.e., 0.0.0.0/0.0.0.0) via a different interface.

So you'll have to infer it will not work.

0 Helpful

Go to solution
houren
Level 1
Level 1
In response to Rob Ingram

‎05-09-2022 02:53 AM

Thank you Rob,

 

Just to get your opinion, would converting the single unit ASA to multi context to support would be good idea? 

 

Thank you. 

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP

‎05-09-2022 02:42 AM

have you thought on having one profile in AnyConnect with the backup server setup. So if the primary ASA not available automatically try the backup ASA. makes it simple for the employees/users/clients.

 

Here if you interested to setup.

please do not forget to rate.
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎05-09-2022 04:16 AM - edited ‎05-09-2022 04:20 AM

I am wondering what exactly is not woking. AnyConnect can run on all your ISP-connections simultaneous and the configuration is pretty much straight forward.

What you need:

  • Two or more working ISPs (configured with load sharing or active passive does not matter). If not yet in place, the easiest option is to configure a static default route pointing to the second ISP with a higher Metric
  • Webvpn enabled on all these interfaces
  • NAT-Exemption on all Interfaces where AnyConnect should run
  • DNS-Entries for all public interfaces that should terminate AnyConnect connections
  • A certificate for the FQDN on your secondary ISP added to the ASA and assigned to the interface
  • likely url-entries in the tunnel-group to accept the additional FQDNs
0 Helpful

Go to solution
houren
Level 1
Level 1
In response to Karsten Iwen

‎05-11-2022 06:09 PM

Thank you Karsten,

 

i manage to simulate in lab, 2 active ISP is doable for anyconnect. Just need to take note of the routing. Users can connect to either ISP 1 or ISP 2 for anyconnect when connecting from home to office. 

 

i am really not sure why in other community posts that mentions it is not doable, or only active-passive is supported. 

 

Thank you. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to houren

‎05-11-2022 06:18 PM

Simply,

Dns will reply with one public ip let say isp1,

The asa use isp2 to forward traffic....

This make connect failed or traffic drop silently.

The problem you must match routing with dns resolve public ip.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-09-2022 04:22 AM

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

 

I don't know but can you try 
using EEM with IP SLA 
and action will be VPN anyconect logoff, 

note:- this is my opinion so it can work or not.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents