11-29-2012 08:01 AM - edited 02-21-2020 06:31 PM
I am setting up AnyConnect on an ASA that has two ISPs connected on different public interfaces. I am using a 5515-X with the 8.6 code. At the current time I am using a self-signed certificate. I can get AnyConnect to work on one of the public interfaces, but when I try to enable AnyConnect on the secondary interface, I cannot establish an AnyConnect session on either of the public interfaces.
I need to set it up so that I can connect from either ISP. There will be a primary ISP, but in the event there is a routing problem with the ISP, I need for users to connect via either ISP. Haven't been able to find any info that says this is or isn't possible.
I was trying to use the same self-signed cert for both public interfaces. I am going to try to use a separate self-signed cert and see if that makes any difference, but wanted to see if anyone else had done this.
Thanks,
Ron
12-14-2012 02:11 PM
Hello Ronald,
Two ISPs are only supported in a primary/backup scenario. When the primary ISP fails (which is tested by IP SLA), the backup ISP jumps in. This is done by enabling the default route on the backup ISP and disabling the default route on the primary ISP. But it's not possible to use them both at the same time.
Please rate helpful posts
Best Regards,
Eugene
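The primary/backup arrangement Eugene describes, written out as an added ASA configuration example; it is not from any poster in this thread. The interface names, addresses, the trustpoint name and the AnyConnect image filename are constructed placeholders, and the tracked route uses the ASA's own SLA monitor and track objects rather than any external script.

```cisco
! Added example (not from the thread): primary/backup ISP failover on an ASA
! for AnyConnect, using IP SLA reachability tracking. All addresses, interface
! names, the trustpoint and the image filename are constructed placeholders.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! Probe the primary ISP gateway with ICMP echo every 10 seconds. When the
! probes fail, track 1 goes down and the route that references it is withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The primary default route (metric 1) is only installed while track 1 is up;
! the backup default route (metric 254) takes over as soon as it is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Bind a certificate to each public interface explicitly so clients see the
! expected identity on whichever interface they land on.
ssl trust-point ASA_SelfSigned outside
ssl trust-point ASA_SelfSigned backup
!
! AnyConnect is enabled on both interfaces. Return traffic follows the single
! active default route, so sessions succeed on the interface that currently
! holds it: the primary normally, the backup only after failover.
webvpn
 enable outside
 enable backup
 anyconnect image disk0:/anyconnect-PLACEHOLDER.pkg 1
 anyconnect enable
```

To confirm the failover is actually happening rather than just configured, check the probe and route state from the CLI: show sla monitor operational-state 10 shows whether the echo is passing, show track 1 shows the object state, and show route should list only one default route at any given moment, flipping from outside to backup when the primary gateway stops answering.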
11-17-2013 12:34 PM
This is a bit of a problem and limitation with AnyConnect for my company.
We have a public internet interface and another interface terminating the wireless LAN. Previously, with the IKEv1 original IPsec client, we had no routing between the WLAN and internet, just another connection entry. Now with IKEv2 IPsec and AnyConnect we have to redesign our whole wireless LAN to route the traffic out to the internet interface. Terrible situation for us.
We're running v9.1(3) on:
HA pair ASA5550 on one isp and wlan
HA pair ASA5550 on another isp and wlan
Shared license server ASA5550 with 5000 AnyConnect licenses
HA pair ASA5510 for partner access on isp 1
HA pair ASA5510 for specialist group on ISP 1 and wlan
Currently achieving 2000 IPsec IKEv1 sessions spread across them all on ISP and WLAN.
I wonder if we could build an ACL to let the traffic out through the ASA and then terminate the VPNs on the interface it's exiting? Any ideas to save me having to redesign the whole business's ASA and wireless LAN deployment?