So confused about AnyConnect Load Balancing

Unanswered Question
May 24th, 2010

I have 2 5520s. I want to load balance them for AC VPN sessions. If I can't get this working I'm going to the old standby DNS round robin.

So I have a cluster IP Address and I've assigned a hostname to that IP.

Lets call it:  ANYCON.TEST.COM/COS      (I use the /COS to identify the group)

Now, as I understand it, when traffic comes to this site, My .xml profile will be checked and an intelligent decision will be made about which gateway the traffic should be directed to. So in my profile, I have this server list:

Well it doesn't work. Not only that but if I understand this correctly I'd need to buy 3 certificates to make this work without the errors.

I get these errors. "Connection attempt has failed due to server communication errors." and "Unable to process response from

So far the documentation isn't helpful. Can anyone enlighten my poor ignorant self? A working example would be helpful.

sjbdallas Mon, 05/24/2010 - 11:29

I have the exact same setup.  You do need 3 certificates: has and has and

What I had to do on mine was do the CSR for from one of the devices, install the cert, then export the cert to import on the second device so that I had the on both devices.

jickfoo Mon, 05/24/2010 - 12:16

Thanks for the reply..

Could you help me out and tell me how you set up your server list in the .XML profiles ?

Would it be like this ??? :

I'm lost.. Thanks..

sjbdallas Mon, 05/24/2010 - 12:30

Is "cos" your usergroup?  Are you including the IPs in case DNS doesn't work?  If so that will cause an issue with your SSL certs anyway.  What I would do is this:


That lets the load balancing config of the ASA handle the load balancing.  Did you configure that?

vpn load-balancing 
redirect-fqdn enable
cluster key clusterpass
cluster ip address (or whatever is)
cluster encryption

jickfoo Mon, 05/24/2010 - 12:38


I configured this like you said:

vpn load-balancing
redirect-fqdn enable
cluster key clusterpass
cluster ip address (or whatever is)
cluster encryption


except, I am not doing the redirect-fqdn as I'm not setting up reverse DNS entries.

I didn't want to use user groups because my users are not bright and would screw it up. That's why I used the URL. I wanted to deploy a client preconfigured to the right group. I guess I can do that by pushing the .xml file.


sjbdallas Mon, 05/24/2010 - 12:48

Well, I think you're going to have a problem with your SSL certs then.  AnyConnect essentially does an HTTPS:// then gets redirected and would expect HTTPS:// or HTTPS:// to connect to.  If your SSL certs are with those names but you have the IP address instead then it will go to an HTTPS:// (or .2) and get an SSL cert mismatch error.

Now, regarding the user group, can I assume you did this:

tunnel-group cos webvpn-attributes
group-url enable

You'll need that so that the previously mentioned HTTPS attempt works.
or if you stick with the IP address:

tunnel-group cos webvpn-attributes
group-url enable
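The two posts above describe the rule that matters here: every HostAddress in the client profile's ServerList must be a DNS name, and that name (plus the member's own FQDN the cluster redirects to) must be on a certificate the ASA presents. As an added example, not code from the thread or from Cisco, here is a small check that parses an AnyConnect profile's ServerList and compares it with the names each cluster member's certificates cover. The profile XML is constructed; anycon.test.com and the group "cos" come from the thread, while the member names asa1.test.com / asa2.test.com and the 10.0.0.x address are assumed placeholders.

```python
"""Check an AnyConnect profile ServerList against the certificate names the
cluster members present (added example; profile and hostnames are constructed)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile. The first entry is the FQDN form the thread
# recommends; the second uses a raw IP, which the thread says breaks the certs.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoft.org/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (cluster FQDN)</HostName>
      <HostAddress>anycon.test.com</HostAddress>
      <UserGroup>cos</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN (cluster IP)</HostName>
      <HostAddress>10.0.0.1</HostAddress>
      <UserGroup>cos</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoft.org/"}


def parse_server_list(profile_xml):
    """Return the HostEntry elements as dicts (name, address, group)."""
    root = ET.fromstring(profile_xml)
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        entries.append({
            "name": host.findtext("ac:HostName", default="", namespaces=NS),
            "address": host.findtext("ac:HostAddress", default="", namespaces=NS),
            "group": host.findtext("ac:UserGroup", default="", namespaces=NS),
        })
    return entries


def is_ip(value):
    """True when the HostAddress is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_profile(profile_xml, cluster_fqdn, member_certs):
    """member_certs maps each member FQDN to the set of DNS names on the
    certificates installed on that member. Returns a list of problem strings;
    an empty list means the profile and certs are consistent with the thread's
    advice (FQDN in the profile, cluster cert on every member, member cert on
    each member)."""
    problems = []
    known = {cluster_fqdn.lower()} | {m.lower() for m in member_certs}

    for entry in parse_server_list(profile_xml):
        addr = entry["address"].strip()
        if is_ip(addr):
            problems.append(f'{entry["name"]}: HostAddress {addr} is an IP address; '
                            "the certificates carry DNS names, so the client will see a mismatch")
        elif addr.lower() not in known:
            problems.append(f'{entry["name"]}: HostAddress {addr} is neither the cluster '
                            "FQDN nor a cluster member FQDN")

    for member, names in member_certs.items():
        names_l = {n.lower() for n in names}
        if cluster_fqdn.lower() not in names_l:
            # The thread's fix: export the cluster cert and import it on the other member.
            problems.append(f"{member}: no certificate for the cluster name {cluster_fqdn}")
        if member.lower() not in names_l:
            problems.append(f"{member}: no certificate for its own name; "
                            "clients redirected here will get a mismatch")
    return problems


if __name__ == "__main__":
    members = {
        "asa1.test.com": {"asa1.test.com", "anycon.test.com"},
        "asa2.test.com": {"asa2.test.com", "anycon.test.com"},
    }
    for problem in check_profile(SAMPLE_PROFILE, "anycon.test.com", members):
        print("PROBLEM:", problem)
```

Run as-is it reports only the IP-based HostEntry; drop anycon.test.com from one member's name set and it also reports the missing cluster certificate on that member, which is the situation the second post fixed by exporting the cert.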

jickfoo Mon, 05/24/2010 - 13:11

Yes, what kills me is I am trying to put    (that's the cluster IP)

into the AnyConnect client and it tells me 'invalid host entry, please re-enter'

sjbdallas Mon, 05/24/2010 - 13:18

If you don't have valid DNS names then I guess you'd have to do IP addresses for all the configs and .xml settings.

If you didn't do that setting to enable the group url then that could be part of the address error you're seeing.

jickfoo Mon, 05/24/2010 - 15:35

I have valid DNS names. I have a case open. It would be good to see a working example. I'm trying to get that now.

I don't know why it doesn't work but I'm thinking of reverting to good old DNS round robin. I know that will work.

Thanks for your help, If you have any other ideas let me know.
