Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
822
Views
5
Helpful
1
Replies

VPN and Anyconnect failover

jonathandill76
Level 1
Level 1

‎05-24-2022 11:33 AM

I have a setup with 2 FTD's- primary and secondary and 2 ISP's. When my primary ISP fails, while we still have internet access via the secondary ISP, I loose vpn access. Can you recommend a setup that if my primary ISP fails, vpn would still work and public to private NAT. Below is an example of my setup

 

FTD

0/0 - 100.1.1.1

0/1 - 200.1.1.1

 

DNS for vpn:  vpn.myjob.com - 100.1.1.1 

NAT

100.1.1.2 to private IP 172.16.4.1

100.1.1.3 to private IP 172.16.4.3

100.1.1.4 to private IP 172.16.4.4

 

So when my primary ISP goes down 100.1.1.1 routing will use the next failover route 200.1.1.1

Internet works going out but no vpn and web services running on  172.16.4.1 to 172.16.4.4 cannot be accessed. Any suggestions on solutions?

 

 

Labels:
0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎05-24-2022 11:39 AM

@jonathandill76 you can configure the AnyConnect profile (using profile editor) with the primary FQDN (which resolves to 100.1.1.1) and a Backup Server with the secondary FQDN (which resolves to 200.1.1.1).

 

Example:

any.png

For the NAT configuration, you'd need additional NAT rules and update DNS to resolve to the different IP address range 200.1.1.x.

Customers Also Viewed These Support Documents