Saml for Cisco Asa in Load Balancing Group

kirillsanin48
Level 1

Hi! I have two Cisco ASAs running version 9.18.2 combined into a load balancing group. For example:
FQDN of the first node: vpn-gw1.example.com
FQDN of the second node: vpn-gw2.example.com
Shared address: vpn.example.com
When setting up SAML multi-factor authentication and entering "vpn.example.com" in the Base URL field, I get the error "Failed to generate SAML AuthnRequest."
Please tell me how to configure the Cisco ASA correctly for SAML load balancing, which appeared in ASA version 9.17.1.
Or would the right solution be to have two applications on the IdP side, one for each ASA node?

22 Replies

@vibobrov

If I use Global Load Balancing, do I also need to configure the same outside or public subnet? Sorry for another question.

Check option 3b here: https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_105eff1b-bc10-4a33-b5e8-4768031f3782.

GSLB is used to direct traffic to the VIP in each DC. Once we reach that DC, VPN load balancing will direct the client to the correct ASA in that DC.

Hi @vibobrov, I think I would like to do the same as in your blog: Global URL and GSLB. Are they the same device?
Can I choose example 1 or 2?
Ex1.
asa.example.com matches to
ASA-1: 1.1.1.1
ASA-2: 2.2.2.2
OR
Ex2.
asa.example.com matches to
ASA-1: 1.1.1.1 asa1.example.com
ASA-2: 2.2.2.2 asa2.example.com


It seems like you're facing an issue with SAML configuration on your Cisco ASA devices. To properly configure Load Balancing SAML with ASA version 9.17.1 or later, it's essential to ensure that your SAML Identity Provider (IDP) is correctly set up to work with the ASA devices.

Here are some steps to consider:

  1. Update ASA Firmware: Ensure that both of your ASA devices are running ASA version 9.17.1 or later to take advantage of the SAML Load Balancing features.

  2. IDP Configuration: Check your SAML Identity Provider (e.g., ADFS, Okta, etc.) configuration. Make sure it's set up to work with multiple service providers (SPs) or ASA devices in a load-balanced setup.

jewfcb001
Level 4

@vibobrov
Hi,
In your blog you have 3 solutions, or not?
1. VPN Load Balancing (feature on the ASA)
2. Base-URL Manipulation (changing the base-url setting to the specific ASA); for DNS load balancing this needs Global Load Balancing
3. ASA Version 9.18.3 Enhancement Feature (adds a new local-base-url); for DNS load balancing this needs Global Load Balancing

Am I correct?

Yes, those are the 3 solutions I'm aware of

Hi and thanks for the excellent blog.

We have the ASA 9.18.3+ Enhancement setup working on 2 ASAv. The problem we encounter is that when you try to go to the VIP URL, the ASA changes it to the ASA01 local-base-url.

So from Azure we need to point to the ASA01 local-base-url to make it work. It all works fine with load balancing: ASA02 can go down and everything continues; the problem is when ASA01 goes down, then the whole VPN service is down.

I wonder if it is this behaviour that causes the problem with the ASA changing the URL?

"One of the firewalls acts as a master unit and accepts HTTPS connections to the VIP. The role of the master is to redirect users to the least loaded ASA. Even when the least loaded ASA is the master unit itself, the redirect still takes place."


PeterLMSD
Level 1

I have noticed that there is a new option in 9.18(3)56 as per the help.

ciscoasa(config-webvpn-saml-idp)# ?

.... local-base-url (Optional) URL that uniquely resolves to this device in DNS load balancing environments
relay-key Used to protect the integrity of information relayed through the IdP. In DNS load balancing deployments, this must be configured identically on all devices

I can't see `relay-key` documented or mentioned anywhere other than in the CLI, and it seems like it is important to have a static key that is shared across all SAML relay agents to handle the responses. But I can't see it documented anywhere.

I am also having a similar issue when deploying SAML authentication across multiple clustered nodes, where we will need to disable ASA load balancing and move to an F5 GSLB or a similar externally managed load balancing system, which seems a step backwards compared to the ASA-based load balancing.
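A constructed configuration fragment, added here as an illustration and not posted by anyone in the thread, showing where `base-url`, `local-base-url` and `relay-key` sit in the SAML IdP definition of the first node of the pair (names follow the original question; the IdP entity ID and URLs, the trustpoint names and the argument form of `relay-key` are assumptions):

```cisco
! Constructed example for node 1 (vpn-gw1.example.com) of a DNS
! load-balanced pair behind the shared name vpn.example.com.
! IdP entity ID, sign-in/sign-out URLs, trustpoint names and the
! relay-key argument form are assumptions, not taken from the thread.
webvpn
 saml idp https://idp.example.com/saml/metadata
  url sign-in https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/slo
  ! Shared base URL: identical on both nodes, matches the VIP/GSLB name
  base-url https://vpn.example.com
  ! 9.18(3)+: URL that resolves only to this device. On node 2 this
  ! line reads: local-base-url https://vpn-gw2.example.com
  local-base-url https://vpn-gw1.example.com
  ! Per the CLI help, must be configured identically on all devices
  ! in the DNS load-balancing group (argument form assumed)
  relay-key <shared-relay-secret-placeholder>
  trustpoint idp IDP-SIGNING-CERT
  trustpoint sp ASA-SP-CERT
  no signature
  no force re-authentication
```

Because each node then presents its own `local-base-url` to the IdP, the IdP application must accept the reply (ACS) URL of every node, not only the shared `base-url`; this matches the earlier report that Azure had to be pointed at the ASA01 local-base-url.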