Dual Public Interfaces on ASA and AnyConnect

RonaldNutter
Level 1

I am setting up AnyConnect on an ASA that has two ISPs connected on different public interfaces. I am using a 5515-X with the 8.6 code. At the current time I am using a self-signed certificate. I can get AnyConnect to work on one of the public interfaces, but when I try to enable AnyConnect on the secondary interface, I cannot establish an AnyConnect session on either of the public interfaces.

I need to set it up so that I can connect from either ISP. There will be a primary ISP, but in the event there is a routing problem with the ISP, I need users to be able to connect via either ISP. I haven't been able to find any info that says this is or isn't possible.

I was trying to use the same self-signed cert for both public interfaces. I am going to try to use a separate self-signed cert and see if that makes any difference, but I wanted to see if anyone else had done this.

Thanks,

Ron

2 Replies

Eugene Korneychuk
Cisco Employee

Hello Ronald,

Two ISPs are only supported in a primary/backup scenario. When the primary ISP fails (which is tested by IP SLA), the backup ISP jumps in. This is done by enabling the default route on the backup ISP and disabling the default route on the primary ISP. But it's not possible to use them both at the same time.

Please rate helpful posts

Best Regards,

Eugene
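As an added illustration of the primary/backup design Eugene describes (this is example configuration written for this thread, not Eugene's or Cisco's own text): an IP SLA probe tracks reachability through the primary ISP, the primary default route is tied to that track, and a higher-metric default route on the backup interface takes over only when the track goes down. Interface names, addresses, the trustpoint name and the AnyConnect image path are assumed placeholders.

```cisco
! --- Reachability probe toward the primary ISP gateway (assumed 203.0.113.1) ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! --- Primary default route is withdrawn when track 1 fails; backup route (metric 254) then takes over ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! --- One self-signed trustpoint bound to both public interfaces (assumed name SELF-TP) ---
crypto ca trustpoint SELF-TP
 enrollment self
 subject-name CN=vpn.example.com
crypto ca enroll SELF-TP noconfirm
ssl trust-point SELF-TP outside
ssl trust-point SELF-TP backup

! --- AnyConnect enabled on both interfaces; only the one holding the active default route is usable at a time ---
webvpn
 enable outside
 enable backup
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
```

Verify which default route is currently installed with `show route` and the probe state with `show track 1`; while the primary is up, sessions arriving on the backup interface have no return path, which matches the "not both at the same time" limitation above.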

This is a bit of a problem and limitation with AnyConnect for my company.

We have a public internet interface and another interface terminating the wireless LAN. Previously, with the original IKEv1 IPsec client, we had no routing between the WLAN and the internet; it was just another connection entry. Now, with IKEv2 IPsec and AnyConnect, we have to redesign our whole wireless LAN to route the traffic out to the internet interface. Terrible situation for us.

We're running v9.1(3) on:

HA pair ASA5550 on one ISP and WLAN

HA pair ASA5550 on another ISP and WLAN

Shared license server ASA5550 with 5000 AnyConnect licenses

HA pair ASA5510 for partner access on ISP 1

HA pair ASA5510 for specialist group on ISP 1 and WLAN

Currently achieving 2000 IPsec IKEv1 sessions spread across them all on ISP and WLAN.

I wonder if we could build an ACL to let the traffic out through the ASA and then terminate the VPNs on the interface it's exiting? Any ideas to save me having to redesign the whole business's ASA and wireless LAN deployment?