Inbound AnyConnect using two ISPs with one ASA

alandean · ‎06-21-2017

I have a simple scenario; an ASA just for just inbound AnyConnect clients. I have 2 ISPs connected to the ASA and wish to use both simultaneously for inbound connections by simply configuring the DNS name ( ISP IP address on ASA) to one or the other on the AnyConnect client.

I am using static routes, so I only have a static route of - route ISP1 0.0.0.0 0.0.0.0 1.2.3.4

Trying to connect remotely, I get the error on the ASA, (30.30.30.30.being my client PC)

route failed to locate next hop for TCP from identity: 2.2.2.2 to ISP2 30.30.30.30

adding a 2nd default route to ISP2 with metric 2, as someone suggested, makes no difference.

I fully understand why it happens, but not sure how to configure it. I assume a connection coming one interface would go back out the same interface due to some session table, regardless of the static route. But then, how does that interface find it's default gateway?

Thanks for any help!

Marvin Rhoads · ‎06-21-2017

We generally cannot accomodate that feature on an ASA - as least not with both ISPs active. We can do active/standby with an IP SLA operation that monitors the health of one and then flips the default route to the other when the first one (or, more accurately, reachability of some address beyond it) goes away.

In the absence of a more specific route back to the originating client, return traffic leaving the ASA will only take the default gateway with the lowest metric - even if there are separate gateways for each interface.

The stateful aspect of the firewall only applies to the tcp connections or udp flows coming throught it - not the ingress interface of the traffic.