Anyconnect client using multiple VPN gateways

Hello all,

I want to know if there is a way to configure the AnyConnect client to access two VPN gateways by the same DNS name and use one as a primary and one as a secondary. For example, vpn.mycompany.com would = (Primary IP) (Secondary IP) and the client would only use the secondary if the primary is unavailable. In this situation I have AnyConnect running on two standalone ASAs that have access to the same internal resources, but they are not set up in an active/passive HA pair.

You need the option in your AnyConnect’s profile config.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/anyconnect-profile-editor.pdf

Page 12

See VPN Load-Balancing (CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.12 - High Availability Options [Cisco ASA 5500-X Series Firewalls] - Cisco). The vpn.mycompany.com would be a floating IP and members of the VPN pool would each accept VPN client sessions. This way you are making better use of your resources as opposed to active/standby. Also, within the AnyConnect profile settings, be sure to specify the backup list (previously mentioned) and enable Optimal Gateway Path Selection (OGPS). OGPS will record the best path based on RTT results updating them around every 14 days.

If the firewalls are in the same subnet you may use the VPN load balancing feature on the ASAs; if they are in different locations you may use OGS (Optimal Gateway Selection). They won’t have the same FQDN, but you may use the same domain with different A records and have one single wildcard certificate.

Thank you so much! I knew there had to be a documented way I just wasn’t sure off the top of my head.

Now, if you only want to allow users to connect to the secondary when the primary is not available, then you want to use the gateway backup list on the AnyConnect Client Profile (then again you’ll need to use different A records). If using the same FQDN is a must, you may configure DNS failover and forget about any fancy AnyConnect configuration.
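To make the backup-list approach from the replies above concrete, here is an added example of an AnyConnect client profile fragment; it is not from the original thread or from Cisco's documentation, and the hostnames vpn.mycompany.com and vpn2.mycompany.com are placeholders standing in for the two A records the replies describe. The element names follow the AnyConnect profile schema (the same file the Profile Editor produces): the primary gateway goes in `HostAddress`, the standby gateway in `BackupServerList`, and `AutoServerSelection` switches Optimal Gateway Selection on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not the thread's or Cisco's own file). -->
<!-- Hostnames are placeholders; substitute the two A records you publish. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Optimal Gateway Selection: the client measures round-trip time to each
         gateway and prefers the fastest one. Leave this false if you want
         strict primary/backup ordering instead of latency-based choice. -->
    <AutoServerSelection UserControllable="true">true
      <!-- Only switch gateways when the improvement exceeds 20% ... -->
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <!-- ... and not within 4 hours of the last disconnect. -->
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </AutoServerSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's drop-down. -->
      <HostName>Corporate VPN</HostName>
      <!-- Primary gateway: the first A record (placeholder). -->
      <HostAddress>vpn.mycompany.com</HostAddress>
      <!-- Standby gateway(s): tried in order only when the primary
           does not answer. Second A record (placeholder). -->
      <BackupServerList>
        <HostAddress>vpn2.mycompany.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Each gateway's identity certificate must cover the name the client actually connects to, so with two A records the backup name needs to be on the certificate too (either a wildcard, as suggested above, or a SAN entry for each gateway). The profile is pushed to clients from the ASA, so both ASAs should serve the same copy or users who first connect through the secondary will lack the backup entry.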

You’re technically correct, however it is best to clarify that VPN load balancing does not require same location. The same subnet is required, however this subnet may be located across numerous locations. The only dependency to keep in mind is the latency must not exceed 200ms. For the certificate, I would keep vpn.mycompany.com as the Load Balanced IP of the VPN cluster and would recommend using Subject Alternative Names (SAN) for each VPN participant (avoiding wildcard certificates). This is primarily a cost saving exercise though.

@mikedussan We are going the route of keeping the same FQDN and using “DNS Made Easy” to allow for the failover. Have you tried this method, and do you have any advice? From what I can see you can poll the ASA using several different methods, such as sending an HTTPS 200 heartbeat, but I don’t think the ASA will respond to that; if you leave it blank I believe the default is ICMP.

@irishpacket thanks for the clarification.