AnyConnect Management Tunnel Load Balance via DNS

salsamsisswe
Level 1

The AnyConnect Management VPN documentation indicates that I can only have one entry in the server list. I have two ASA headends at different locations. I want to load balance the management VPN connections between them without having to manually manage. Is it possible to configure the management VPN on two separate ASA head-ends and then use DNS to load balance between them? Is the management VPN sticky to only one ASA, or can it connect to a second ASA via DNS round robin? The config will still only have one server entry but will connect to two ASA head-ends via DNS round robin. Understood about the risk of connection difficulty if one site goes down.

1 Reply

Octavian Szolga
Level 4

Hi,

I haven't tried this scenario, but I don't see any issues with it, as long as you follow some common sense rules like:

- both ASAs use the same 'valid' certificate (valid = signed by a public/known CA or a private/trusted PKI, for the same DNS FQDN pointing to both ASA IPs);

- same tunnel-group/group-policy definition/settings (like group-alias, url-alias, authentication settings; all except IP pools).

Of course, you will not have any transparent failover, so to speak.

If you have a reasonable L2 link between locations I think you can even use ASA VPN load-balancing (one virtual IP on the outside/vpn interface - same L2 segment - and different inside L3 interconnect subnets).

BR,

Octavian
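As an added example (not code from the thread or from Cisco), a small Python check for the reply's first rule: resolve the management FQDN, TLS-connect to every address it round-robins over, and confirm that all headends present the same certificate and that its SAN covers the FQDN. The FQDN `vpn.example.net`, port 443 and the certificate dicts used for testing are placeholders; a private PKI root would be added with `load_verify_locations()`.

```python
import hashlib
import socket
import ssl


def resolve_all(fqdn, port=443):
    """All distinct addresses the FQDN round-robins over (both headends)."""
    infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_cert(ip, fqdn, port=443, timeout=5.0):
    """TLS-connect to one headend IP with SNI=fqdn; return (sha256 hex, cert dict)."""
    ctx = ssl.create_default_context()  # chain must validate; add private CA here if needed
    ctx.check_hostname = False          # name check is done in audit() so it can be reported
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()


def san_names(cert):
    """DNS entries from the subjectAltName of an ssl.getpeercert() dict."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def name_matches(fqdn, names):
    """True if fqdn is listed exactly or covered by a single-label wildcard."""
    fqdn = fqdn.lower()
    for name in names:
        if name == fqdn:
            return True
        if name.startswith("*.") and name.count(".") == fqdn.count(".") and fqdn.endswith(name[1:]):
            return True
    return False


def audit(fqdn, results):
    """results: {ip: (fingerprint, cert dict)}. Empty list means all headends are consistent."""
    problems = []
    if len({fp for fp, _ in results.values()}) > 1:
        ips = ", ".join(f"{ip}={fp[:16]}" for ip, (fp, _) in sorted(results.items()))
        problems.append("headends present different certificates: " + ips)
    for ip, (_, cert) in sorted(results.items()):
        if not name_matches(fqdn, san_names(cert)):
            problems.append(f"{ip}: certificate SAN does not cover {fqdn}")
    return problems


if __name__ == "__main__":
    FQDN = "vpn.example.net"  # placeholder: the single server-list entry
    found = {ip: fetch_cert(ip, FQDN) for ip in resolve_all(FQDN)}
    for line in audit(FQDN, found) or ["OK: all headends consistent"]:
        print(line)
```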