How to load balance connecting users across 3 Anyconnect VPNs?

Hello.

The enterprise has three Anyconnect RA VPNs. Users tend to all use the same connection profile Anyconnect1.mydomain.com

QUESTION: What is the solution so that technology load-balances the incoming connecting users across the three ASA 1120s that use an FTD image?

I researched the links below. They did not provide a solution (the OGS technology seems to only force users to the nearest ASA, not the intended least used).

AnyConnect Optimal Gateway Selection Troubleshoot Guide - Cisco

Cisco AnyConnect Mobile Platforms Administrator Guide, Release 4.1 (niap-ccevs.org)

Please help. Thank you.


@jmaxwellUSAF if the 3 ASAs have layer 2 connectivity you can use the VPN Load Balancer functionality to load balance the user sessions across the ASAs, or a third party load balancer, such as F5.

Alternatively you can configure the anyconnect XML profile with a primary ASA server and backup server(s), but that will only use the backup servers if the primary has failed.

Thank you for your reply.

Relevant is that we are soon migrating to use only FTD images on our ASAs. The otherwise great pasted link states:

"Load Balancing is currently only supported on ASA software, not FTD" -- so this option does not seem to be available.

Also it states, "All devices must be on the same inside and outside IP network" -- our ASAs each have unique public IP subnets.

So then, is there a solution to achieve the original intent?

Thank you.

@jmaxwellUSAF FTD VPN Load Balancer has subsequently been introduced on newer FTD version (from 7.0) if using the FMC for management. https://integratingit.wordpress.com/2021/06/13/ftd-vpn-load-balancing/

Correct you need layer 2 connectivity for the FTD/ASAs to use VPN Load Balancer.

So you'd need to use a third party load balancer, or manual load balancing by deploying different XML profiles with different primary/backup FTD headends to different groups of users.

"So you'd need to use... manual load balancing by deploying different XML profiles with different primary/backup FTD headends to different groups of users" -- So the idea is to assign equal amounts of users to different XML profiles?

Do these XML profiles live in the OS of the end-user workstations?

How is this done at scale?

@jmaxwellUSAF using XML profiles to manually specify which primary FTD to connect to is the least best solution.

You create a VPN XML profile using the Secure Client (AnyConnect) VPN Profile Editor and create 3 different configurations, using a different primary/backup server. The XML profile should be deployed to different groups of users (by AD group membership); the file is stored at C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile. You can use Windows GPO to copy the XML profile to the computers to deploy the configuration settings.

I suggest you do not upload the XML profile to the headend (FTD/ASA) as well as manually deploying (as above). If you do, when the user connects to the FTD they will download the profile to the clients, which would overwrite their configuration.
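As an added illustration of the manual load-balancing approach described in this answer (example code, not from the thread or from Cisco), the script below generates the three profile variants, each with a different primary headend and the other two as backups, and parses each file back to confirm which FTD it points at before a GPO copies it to a group of workstations. It emits only the ServerList section of the profile; the element names follow the AnyConnect profile schema, and the second and third FQDNs are assumed, since the thread names only Anyconnect1.mydomain.com.

```python
import xml.etree.ElementTree as ET

# Only anyconnect1.mydomain.com appears in the thread; the other two FQDNs are
# constructed here for illustration.
HEADENDS = [
    "anyconnect1.mydomain.com",
    "anyconnect2.mydomain.com",
    "anyconnect3.mydomain.com",
]
NS = "http://schemas.xmlsoap.org/encoding/"  # default namespace of AnyConnectProfile


def build_profile(display_name, primary, backups):
    """Return a minimal AnyConnect VPN profile (XML text) with one HostEntry:
    the client dials `primary` first and tries `backups` only if it is unreachable."""
    root = ET.Element("AnyConnectProfile", xmlns=NS)
    host = ET.SubElement(ET.SubElement(root, "ServerList"), "HostEntry")
    ET.SubElement(host, "HostName").text = display_name
    ET.SubElement(host, "HostAddress").text = primary
    backup_list = ET.SubElement(host, "BackupServerList")
    for fqdn in backups:
        ET.SubElement(backup_list, "HostAddress").text = fqdn
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def rotated_profiles(headends):
    """One profile per headend: group i gets headends[i] as primary and the others
    as backups, so each group of users lands on a different FTD by default."""
    profiles = {}
    for i, primary in enumerate(headends):
        backups = headends[i + 1:] + headends[:i]
        profiles[f"profile_group{i + 1}.xml"] = build_profile(f"VPN group {i + 1}", primary, backups)
    return profiles


def primary_and_backups(profile_xml):
    """Parse a profile back into (primary, [backups]): the check to run on each file
    before a GPO copies it into the client's Profile directory."""
    root = ET.fromstring(profile_xml)
    host = root.find(f"{{{NS}}}ServerList/{{{NS}}}HostEntry")
    primary = host.find(f"{{{NS}}}HostAddress").text
    backups = [b.text for b in host.findall(f"{{{NS}}}BackupServerList/{{{NS}}}HostAddress")]
    return primary, backups


if __name__ == "__main__":
    for filename, xml_text in rotated_profiles(HEADENDS).items():
        print(filename, "->", primary_and_backups(xml_text))
```

The balancing is only as even as the size of the three AD groups, and, as the answer notes, the same profile must not also be uploaded to the headend or the client will overwrite the file on connect.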