I am looking into a DR plan where should a primary site go down users with the Cisco anyconnect client will be able to VPN to a second site.
The ASA I am configuring is a 5512x for the 2nd site.
The main site has a pair of 5510's in a HA pair.
Is it possible to setup a secondary Remote Access VPN connection for users to connect to? If I was to configure Anyconnect RA VPN on the ASA on the 2nd I would need to purchase an SSL cert in order to configure this?
Any advice would be greatly appreciated!
Yes, that's a common practice. Most companies with a DR site have vpn.company.com and vpn2.company.com or something similar. vpn going to the primary site and vpn2 going to the DR site. You do not need a signed SSL certificate for AnyConnect to work, but it is a lot less of a pain if you use one.
Thanks for that, that was my thinking, I have been playing with the anyconnect setup and couldnt see how you can get around using an SSL certificate (in the ASDM) - Any pointers?
By default it should use the self-signed certificate created by the ASA. I'm not a big fan of the ASDM so I'll have to poke around in mine and see if I can find what you're talking about.
AnyConnect does work with an ASA using a self signed certificate. But when you do the user gets a warning when AnyConnect initiates the connection, basically saying they are connecting to an untrusted site and asking the user for permission to proceed. If your users are used to AnyConnect just connecting and then suddenly they get this warning it may cause some consternation.
Depending on how important a smooth user experience is to you and to your management, it may be worth the price to purchase a public certificate for the DR ASA.
You probably want to look into the configuration of the profile used with AnyConnect on the ASA. One of the options there is to configure a backup server. If the primary server is not available AnyConnect will just connect to the DR site and the user does not have to do anything (and they probably would not notice anything unless they are especially observant of details during connection).
Not sure if this will work as they do use RSA keys, I am going to re IP the RSA server as its virtual which I hope to test in the coming days. I know what you mean with SSL vs no SSL so I will leave to management to decide!
I have implemented this for a customer who does use RSA one time password token codes to authenticate and it works fine. The primary ASA (failover pair) is configured to authenticate using RSA (via Radius) and the backup ASA (failover pair) is also configured to authenticate using RSA (via Radius) and the Radius server is configured to recognize both ASA as authentiction clients. We have an authentication server at the primary site and a backup authentication server at the DR site. ASAs are configured with both servers so each ASA can authenticate with either of the servers (and in fact I think that they use both and do some load sharing). Works very smoothly.
thanks for the advice above, RSA replication did not work the way we wanted it to (using 3rd party tools) however I have setup a Radius server which works with the ASA. Will test the Anyconnect RA VPN when I am back on site.