05-09-2022 02:31 AM
Hi Community,
I would like to confirm that Cisco ASA AnyConnect with dual active-active ISPs is not supported? From my checking, only active-standby ISP is supported through the SLA feature, i.e., when the primary ISP for AnyConnect fails, the secondary ISP for AnyConnect becomes active.
Is there any guide or documentation that mentions that dual active-active ISP is not supported?
Thank you
05-09-2022 04:16 AM - edited 05-09-2022 04:20 AM
I am wondering what exactly is not working. AnyConnect can run on all your ISP connections simultaneously and the configuration is pretty much straightforward.
What you need:
05-09-2022 02:40 AM
@houren I assume you are referring to using 1 ASA with 2 active ISPs? Were you planning on running ECMP using Traffic Zones? VPNs are not recommended using traffic zones. https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/configuration/general/asa-917-general-config/interface-zones.html
05-09-2022 02:45 AM
Hi Rob,
Yes, you are right, 1 ASA with dual ISP. So users can connect to either ISP 1 or ISP 2 for AnyConnect when connecting from home to office. No, I was not referring to ECMP.
Thank you.
05-09-2022 02:49 AM - edited 05-09-2022 02:51 AM
@houren you cannot define a static route (of the same metric) to the same destination (i.e., 0.0.0.0/0.0.0.0) via a different interface.
So you'll have to infer it will not work.
05-09-2022 02:53 AM
Thank you Rob,
Just to get your opinion, would converting the single-unit ASA to multi-context to support this be a good idea?
Thank you.
05-09-2022 03:00 AM - edited 05-09-2022 03:02 AM
@houren well RAVPN is supported in multi-context, so yes that might work for you.
Though, review the unsupported features.
05-09-2022 02:42 AM
Have you thought of having one profile in AnyConnect with the backup server set up? So if the primary ASA is not available, it automatically tries the backup ASA. Makes it simple for the employees/users/clients.
Here, if you are interested in setting it up.
05-11-2022 06:09 PM
Thank you Karsten,
I managed to simulate it in the lab; 2 active ISPs is doable for AnyConnect. Just need to take note of the routing. Users can connect to either ISP 1 or ISP 2 for AnyConnect when connecting from home to office.
I am really not sure why other community posts mention that it is not doable, or that only active-passive is supported.
Thank you.
05-11-2022 06:18 PM
Simply,
DNS will reply with one public IP, let's say ISP1,
the ASA uses ISP2 to forward the traffic....
This makes the connection fail or the traffic drop silently.
The problem: you must match the routing with the DNS-resolved public IP.
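The mismatch described in this reply, as an added example that is not from the thread or from Cisco: a small Python model of one ASA with two active uplinks and a single default route. Interface names, addresses and routes are constructed; it checks whether the reply to a remote client leaves on the interface whose address the DNS answer handed the client, and lists which headend addresses are consistent with the routing table.

```python
import ipaddress

# Constructed scenario (documentation address ranges): one ASA, two active ISP uplinks.
# The home client is reachable only via whichever ISP carries the default route.
INTERFACES = {
    "outside1": ipaddress.ip_interface("203.0.113.10/24"),   # ISP 1 public address
    "outside2": ipaddress.ip_interface("198.51.100.10/24"),  # ISP 2 public address
}
# Routing table as (prefix, egress interface). Only one default route can be active.
ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "outside1"),
    (ipaddress.ip_network("198.51.100.0/24"), "outside2"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside2"),
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix-match lookup: the interface the ASA would use to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def interface_owning(address, interfaces=INTERFACES):
    """The outside interface that holds the public address the client dialled (DNS answer)."""
    ip = ipaddress.ip_address(address)
    return next((name for name, addr in interfaces.items() if addr.ip == ip), None)


def return_path_ok(client_ip, headend_ip, routes=ROUTES, interfaces=INTERFACES):
    """True only if the reply to the client leaves on the interface it connected to.

    If DNS resolved to ISP1's address but the route to the client points at ISP2,
    the reply leaves via the other ISP and the session fails or drops silently.
    """
    arrived_on = interface_owning(headend_ip, interfaces)
    return arrived_on is not None and arrived_on == egress_interface(client_ip, routes)


def publishable_headend_addresses(routes=ROUTES, interfaces=INTERFACES):
    """Headend addresses a DNS name may resolve to: those on the default-route interface."""
    default_iface = next((iface for net, iface in routes if net.prefixlen == 0), None)
    return sorted(str(addr.ip) for name, addr in interfaces.items() if name == default_iface)


if __name__ == "__main__":
    client = "192.0.2.50"  # constructed home-user address
    for dns_answer in ("203.0.113.10", "198.51.100.10"):
        state = "OK" if return_path_ok(client, dns_answer) else "reply leaves via the other ISP"
        print(f"client {client} -> {dns_answer}: {state}")
    print("addresses consistent with the routing table:", publishable_headend_addresses())
```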
05-09-2022 04:22 AM
I don't know, but can you try
using EEM with IP SLA,
and the action will be AnyConnect VPN logoff.
Note: this is my opinion, so it may or may not work.