03-27-2024 09:16 AM
Hello all:
We're looking to implement VPN load balancing across 2 Cisco ASA 5555X in our environment. These 2 ASAs are currently acting as individual gateways and we have an alias configured in the AnyConnect profile for them.
<ServerList>
  <HostEntry>
    <HostName>VPN</HostName>
    <HostAddress>vpn.internet.com</HostAddress>
  </HostEntry>
  <HostEntry>
    <HostName>VPN2</HostName>
    <HostAddress>vpn2.internet.com</HostAddress>
  </HostEntry>
</ServerList>
Can I add another host entry for the Cluster IP and have the option available to users in AnyConnect along with the existing option for the 2 individual gateways?
03-27-2024 09:20 AM
03-27-2024 09:39 AM
Thank you for this. Fairly recent too. Nice to see official Cisco documentation for implementations like this.
03-27-2024 09:21 AM
@OlayinkaRookie if using VPN Load Balancer, you would only specify the Load Balancer FQDN/VIP, not the individual ASA FQDN/IP addresses.
You could amend the client XML profile as you suggested, but if the users connect directly to the ASA, it's not going to be load balanced to the least active ASA, which defeats the purpose of the load balancer.
03-27-2024 09:30 AM
Thanks, and I agree Rob. We want to run a pilot and would like users to continue to connect to individual gateways until we know that the load balancing works as expected, then we take away the individual gateways from the host list.
03-27-2024 09:34 AM
@OlayinkaRookie OK, understood. Yes, you can still connect directly to the ASA with the load balancer configured for the pilot; amend the XML profile to add the LB FQDN as another entry.
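The amended ServerList that this reply describes, written out as an added example rather than taken from the thread; the load balancer FQDN vpn-lb.internet.com and the display name are placeholders, since the thread never names the cluster address:

```xml
<ServerList>
  <!-- Existing direct-gateway entries, kept during the pilot so users can
       still pick a specific ASA from the AnyConnect dropdown -->
  <HostEntry>
    <HostName>VPN</HostName>
    <HostAddress>vpn.internet.com</HostAddress>
  </HostEntry>
  <HostEntry>
    <HostName>VPN2</HostName>
    <HostAddress>vpn2.internet.com</HostAddress>
  </HostEntry>
  <!-- Added entry: HostName is the label users see, HostAddress is the FQDN
       that resolves to the load-balancing cluster VIP
       (placeholder name; the real cluster FQDN is not given in the thread) -->
  <HostEntry>
    <HostName>VPN (Load Balanced)</HostName>
    <HostAddress>vpn-lb.internet.com</HostAddress>
  </HostEntry>
</ServerList>
```

After the pilot, delete the two direct-gateway entries so every session is redirected by the cluster. Each ASA must also present an identity certificate valid for the cluster FQDN in addition to its own name, otherwise clients get a certificate warning when the cluster redirects them.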