Dual ISP failover with VPN

noc
Level 1

Hello,

Currently we have a primary and backup ISP in our environment, and the ISPs are set to fail over if the connection to the primary drops off for whatever reason. It will fail back to the primary from the backup once the primary comes back online. The main issue is that the VPN does not work on the Backup ISP if the Primary were to go down. Below is our VPN configuration:

 

ip local pool VPN-Pool 192.168.99.1-192.168.99.254 mask 255.255.255.0
!
dynamic-access-policy-record DfltAccessPolicy
!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto dynamic-map WAN_dyn_map 1 set ikev2 ipsec-proposal AES256
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_AnyConnect 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_AnyConnect interface WAN
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WAN
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
!
webvpn
enable WAN
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macos-4.4.00243-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
anyconnect profiles kennesaw-vpn_client_profile disk0:/kennesaw-vpn_client_profile.xml
anyconnect enable
tunnel-group-list enable
!
group-policy DfltGrpPolicy attributes
banner value Welcome to Blank. By clicking Accept, you agree that all traffic will be monitored.
vpn-tunnel-protocol ikev2
address-pools value VPN-Pool
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_kennesaw-vpn internal
group-policy GroupPolicy_kennesaw-vpn attributes
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-allowed-networks
default-domain value cloud9ortho.com
webvpn
anyconnect profiles value kennesaw-vpn_client_profile type user
!
tunnel-group kennesaw-vpn type remote-access
tunnel-group kennesaw-vpn general-attributes
address-pool VPN-Pool
default-group-policy GroupPolicy_kennesaw-vpn
tunnel-group kennesaw-vpn webvpn-attributes
group-alias kennesaw-vpn enable

I think the following commands should be entered to enable VPN on the Backup interface:

crypto map WAN_AnyConnect interface Backup_interface
webvpn
  enable Backup_interface
crypto ikev2 enable Backup_interface

If I am incorrect please let me know.

Thanks

3 Replies

Francesco Molino
VIP Alumni

Hi

Yes, you're right, the config you posted has to be added. But you also need to add the NAT exempt to allow your VPN clients to reach your internal resources.

You can also push an AnyConnect profile with a backup server to allow AnyConnect to automatically connect on the secondary ISP IP in case the primary goes down. A quick snippet of the AnyConnect profile regarding the server configuration part:

 

<ServerList>
  <HostEntry>
    <HostName>A-VPN-CONNECTION-name</HostName>
    <HostAddress>YOUR-PRIMARY-IP-OR-PRIMARY-FQDN</HostAddress>
    <BackupServerList>
      <HostAddress>YOUR-SECONDARY-IP-OR-SECONDARY-FQDN</HostAddress>
    </BackupServerList>
  </HostEntry>
</ServerList>


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your reply. We have the current NAT in our config already:

nat (LAN,WAN) source static any any destination static VPN-network VPN-network no-proxy-arp route-lookup

object network VPN-network
subnet 192.168.99.0 255.255.255.0

So would another NAT need to be added, or would this work? Ideally I would like the users to use the same VPN-Network subnet when connected to VPN no matter which ISP is being used.

Yes, because in case of failover the interface involved (the one AnyConnect clients will connect to) is no longer WAN but Backup_Interface.

Then add the same line, changing the WAN name to the Backup_Interface name.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
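The four pieces this thread ends up with (crypto map binding, IKEv2 enable, WebVPN enable and the VPN-pool NAT exemption, each per ISP interface) are easy to miss one of when the backup interface is added later. The script below is an added example, not from the thread, from Cisco or from the poster: it reads a running-config in the same shape as the one pasted above and reports, per ISP interface, which of the four pieces are present, then lists the commands still missing. The sample config is a constructed, cut-down copy of the one posted; the interface names, the object name VPN-network and the helper names parse_vpn_bindings, vpn_readiness and missing_commands are this example's own assumptions.

```python
import re

# Constructed sample: the relevant lines of the config posted in the thread,
# pasted without indentation just as they appear there. "Backup_interface"
# is the name the original poster used.
SAMPLE_CONFIG = """\
ip local pool VPN-Pool 192.168.99.1-192.168.99.254 mask 255.255.255.0
object network VPN-network
subnet 192.168.99.0 255.255.255.0
crypto map WAN_AnyConnect 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_AnyConnect interface WAN
crypto ikev2 enable WAN
webvpn
enable WAN
anyconnect enable
tunnel-group-list enable
!
group-policy GroupPolicy_kennesaw-vpn attributes
vpn-tunnel-protocol ikev2 ssl-client
webvpn
anyconnect profiles value kennesaw-vpn_client_profile type user
!
nat (LAN,WAN) source static any any destination static VPN-network VPN-network no-proxy-arp route-lookup
"""

# A non-indented line starting a new section ends a "webvpn" block.
TOP_LEVEL = re.compile(r"^(!|crypto |group-policy |tunnel-group |nat |object |ip |interface |access-list )")
CRYPTO_MAP_BIND = re.compile(r"crypto map (\S+) interface (\S+)$")
IKEV2_ENABLE = re.compile(r"crypto ikev2 enable (\S+)$")
WEBVPN_ENABLE = re.compile(r"enable (\S+)$")
# Identity twice NAT (exempt): "nat (in,out) source static X X destination static Y Y ..."
NAT_EXEMPT = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4")


def parse_vpn_bindings(config, vpn_object="VPN-network"):
    """Collect which interfaces carry the crypto map, IKEv2, WebVPN and the
    NAT exemption for vpn_object. Returns (map_by_iface, ikev2, webvpn, nat_exempt)."""
    map_by_iface, ikev2, webvpn, nat_exempt = {}, set(), set(), set()
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()          # real "show run" output indents sub-commands
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                webvpn.add(m.group(1))
                continue
            if TOP_LEVEL.match(raw):
                in_webvpn = False
        if line == "webvpn":        # global block or group-policy sub-block; only "enable <iface>" counts
            in_webvpn = True
            continue
        m = CRYPTO_MAP_BIND.match(line)
        if m:
            map_by_iface[m.group(2)] = m.group(1)
            continue
        m = IKEV2_ENABLE.match(line)
        if m:
            ikev2.add(m.group(1))
            continue
        m = NAT_EXEMPT.match(line)
        if m and m.group(4) == vpn_object:
            nat_exempt.add(m.group(2))   # the "outside" interface of the NAT pair
    return map_by_iface, ikev2, webvpn, nat_exempt


def vpn_readiness(config, isp_interfaces, vpn_object="VPN-network"):
    """Per ISP interface, which of the four required pieces are present."""
    maps, ikev2, webvpn, nat_exempt = parse_vpn_bindings(config, vpn_object)
    return {
        iface: {
            "crypto_map": iface in maps,
            "ikev2": iface in ikev2,
            "webvpn": iface in webvpn,
            "nat_exempt": iface in nat_exempt,
        }
        for iface in isp_interfaces
    }


def missing_commands(config, isp_interfaces, inside_interface="LAN", vpn_object="VPN-network"):
    """Commands still needed so clients can terminate on every ISP interface and
    reach inside un-NATed. Reuses the crypto map already bound to another
    interface; if none is bound yet, a placeholder name is emitted."""
    maps, ikev2, webvpn, nat_exempt = parse_vpn_bindings(config, vpn_object)
    map_name = next(iter(maps.values()), "<CRYPTO-MAP-NAME>")
    cmds = []
    for iface in isp_interfaces:
        if iface not in maps:
            cmds.append(f"crypto map {map_name} interface {iface}")
        if iface not in ikev2:
            cmds.append(f"crypto ikev2 enable {iface}")
        if iface not in webvpn:
            cmds.append(f"webvpn\n enable {iface}")
        if iface not in nat_exempt:
            cmds.append(f"nat ({inside_interface},{iface}) source static any any "
                        f"destination static {vpn_object} {vpn_object} no-proxy-arp route-lookup")
    return cmds


if __name__ == "__main__":
    for iface, state in vpn_readiness(SAMPLE_CONFIG, ["WAN", "Backup_interface"]).items():
        print(iface, state)
    print("\n".join(missing_commands(SAMPLE_CONFIG, ["WAN", "Backup_interface"])))
```

The check is purely textual: it confirms the statements exist, not that the backup interface actually has a route or that the tunnel-group is reachable, so it complements rather than replaces a failover test with a real client. The NAT line it proposes is the thread's own exemption repeated for the second interface, which is what keeps the VPN-Pool subnet usable unchanged on either ISP.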