05-24-2010 05:26 AM - edited 02-21-2020 04:39 PM
I have two 5520s. I want to load balance them for AnyConnect VPN sessions. If I can't get this working I'm going to the old standby, DNS round robin.
So I have a cluster IP Address and I've assigned a hostname to that IP.
Let's call it: ANYCON.TEST.COM/COS (I use the /COS to identify the group)
Now, as I understand it, when traffic comes to this site, my .xml profile will be checked and an intelligent decision will be made about which gateway the traffic should be directed to. So in my profile, I have this server list:
anycon1.test.com/cos
anycon2.test.com/cos
anycon.test.com/cos
Well it doesn't work. Not only that but if I understand this correctly I'd need to buy 3 certificates to make this work without the errors.
I get these errors: "Connection attempt has failed due to server communication errors." and "Unable to process response from anycon.test.com."
So far the documentation isn't helpful. Can anyone enlighten my poor ignorant self? A working example would be helpful.
Thanks,
Justin
05-24-2010 11:29 AM
I have the exact same setup. You do need 3 certificates:
anycon1.test.com has anycon1.test.com and anycon.test.com
anycon2.test.com has anycon2.test.com and anycon.test.com
What I had to do on mine was do the CSR for anycon.test.com from one of the devices, install the cert, then export the cert to import on the second device so that I had the anycon.test.com on both devices.
05-24-2010 12:16 PM
Thanks for the reply.
Could you help me out and tell me how you set up your server list in the .XML profiles?
Would it be like this?:
I'm lost. Thanks.
05-24-2010 12:30 PM
Is "cos" your usergroup? Are you including the IPs in case DNS doesn't work? If so that will cause an issue with your SSL certs anyway. What I would do is this:
That lets the load balancing config of the ASA handle the load balancing. Did you configure that?
vpn load-balancing
redirect-fqdn enable
cluster key clusterpass
cluster ip address 65.2.2.3 (or whatever anycon.test.com is)
cluster encryption
participate
05-24-2010 12:38 PM
Yes,
I configured this like you said:
vpn load-balancing
redirect-fqdn enable
cluster key clusterpass
cluster ip address 65.2.2.3 (or whatever anycon.test.com is)
cluster encryption
participate
except I am not doing the redirect-fqdn, as I'm not setting up reverse DNS entries.
I didn't want to use user groups because my users are not bright and would screw it up. That's why I used the URL. I wanted to deploy a client preconfigured to the right group. I guess I can do that by pushing the .xml file.
Justin
05-24-2010 12:48 PM
Well, I think you're going to have a problem with your SSL certs then. AnyConnect essentially does an HTTPS://anycon.test.com, then gets redirected and would expect HTTPS://anycon1.test.com or HTTPS://anycon2.test.com to connect to. If your SSL certs are with those names but you have the IP address instead, then it will go to an HTTPS://65.2.2.1 (or .2) and get an SSL cert mismatch error.
Now, regarding the user group, can I assume you did this:
tunnel-group cos webvpn-attributes
group-url https://anycon1.test.com/cos enable
You'll need that so that the previously mentioned HTTPS attempt works.
or if you stick with the IP address:
tunnel-group cos webvpn-attributes
group-url https://65.2.2.1/cos enable
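A minimal AnyConnect client profile that pairs with the group-url configuration above, added here as an example (it is not from the thread or from Cisco documentation). It uses the cluster name anycon.test.com and the tunnel-group cos from the discussion; the display name is made up, and it assumes each ASA also has a group-url for the cluster name in addition to the per-device URLs shown above. The point it illustrates is that the group is carried in a separate UserGroup element rather than appended as /cos to the host address, so the client connects to a plain hostname that can match the name on the certificate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile; anycon.test.com and cos come from the thread,
     the display name "Corporate VPN" is made up -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Leave auto-connect off so users pick the entry from the list -->
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <!-- Cluster virtual address: the load-balancing master redirects the
         session to anycon1.test.com or anycon2.test.com -->
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <!-- Hostname only; the group path is NOT appended here -->
      <HostAddress>anycon.test.com</HostAddress>
      <!-- Matches the group-url path (/cos) configured on each ASA -->
      <UserGroup>cos</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the redirect target is the per-device FQDN, the certificate presented by each device must carry its own name and the cluster name, which is the two-name certificate arrangement described earlier in the thread.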
05-24-2010 01:11 PM
Yes, what kills me is I am trying to put
anycon.test.com (that's the cluster IP)
into the AnyConnect client and it tells me 'invalid host entry, please re-enter'
05-24-2010 01:18 PM
If you don't have valid DNS names then I guess you'd have to do IP addresses for all the configs and .xml settings.
If you didn't do that setting to enable the group url then that could be part of the address error you're seeing.
05-24-2010 03:35 PM
I have valid DNS names. I have a case open. It would be good to see a working example. I'm trying to get that now.
I don't know why it doesn't work, but I'm thinking of reverting to good old DNS round robin. I know that will work.
Thanks for your help. If you have any other ideas, let me know.
Justin