So confused about AnyConnect Load Balancing

Unanswered Question
May 24th, 2010

I have two 5520s. I want to load balance them for AC VPN sessions. If I can't get this working I'm going to the old standby, DNS round robin.

So I have a cluster IP Address and I've assigned a hostname to that IP.

Lets call it:  ANYCON.TEST.COM/COS      (I use the /COS to identify the group)

Now, as I understand it, when traffic comes to this site, my .xml profile will be checked and an intelligent decision will be made about which gateway the traffic should be directed to. So in my profile, I have this server list:

anycon1.test.com/cos

anycon2.test.com/cos

anycon.test.com/cos

Well, it doesn't work. Not only that, but if I understand this correctly I'd need to buy 3 certificates to make this work without the errors.

I get these errors: "Connection attempt has failed due to server communication errors." and "Unable to process response from anycon.test.com."

So far the documentation isn't helpful. Can anyone enlighten my poor ignorant self? A working example would be helpful.

Thanks,

Justin

sjbdallas Mon, 05/24/2010 - 11:29

I have the exact same setup. You do need 3 certificates:

anycon1.test.com has anycon1.test.com and anycon.test.com

anycon2.test.com has anycon2.test.com and anycon.test.com

What I had to do on mine was generate the CSR for anycon.test.com from one of the devices, install the cert, then export the cert and import it on the second device so that I had anycon.test.com on both devices.

jickfoo Mon, 05/24/2010 - 12:16

Thanks for the reply.

Could you help me out and tell me how you set up your server list in the .xml profiles?

Would it be like this?


<ServerList>
  <HostEntry>
    <HostName>anycon.test.com/cos</HostName>
    <HostAddress>anycon.test.com/cos</HostAddress>
    <BackupServerList>
      <HostAddress>65.1.1.1</HostAddress>
      <HostAddress>65.2.2.2</HostAddress>
    </BackupServerList>
  </HostEntry>
</ServerList>

I'm lost. Thanks.

sjbdallas Mon, 05/24/2010 - 12:30

Is "cos" your user group? Are you including the IPs in case DNS doesn't work? If so, that will cause an issue with your SSL certs anyway. What I would do is this:

<ServerList>
  <HostEntry>
    <HostName>anycon.test.com</HostName>
    <HostAddress>anycon.test.com</HostAddress>
    <UserGroup>cos</UserGroup>
  </HostEntry>
</ServerList>

That lets the load-balancing config of the ASA handle the load balancing. Did you configure that?

vpn load-balancing
  redirect-fqdn enable
  cluster key clusterpass
  cluster ip address 65.2.2.3   (or whatever anycon.test.com is)
  cluster encryption
  participate


jickfoo Mon, 05/24/2010 - 12:38

Yes,

I configured this like you said:

vpn load-balancing
  redirect-fqdn enable
  cluster key clusterpass
  cluster ip address 65.2.2.3   (or whatever anycon.test.com is)
  cluster encryption
  participate

except I am not doing the redirect-fqdn, as I'm not setting up reverse DNS entries.

I didn't want to use user groups because my users are not bright and would screw it up. That's why I used the URL. I wanted to deploy a client preconfigured to the right group. I guess I can do that by pushing the .xml file.

Justin

sjbdallas Mon, 05/24/2010 - 12:48

Well, I think you're going to have a problem with your SSL certs then. AnyConnect essentially does an HTTPS://anycon.test.com, then gets redirected and would expect HTTPS://anycon1.test.com or HTTPS://anycon2.test.com to connect to. If your SSL certs are issued to those names but you have the IP address instead, then it will do an HTTPS://65.2.2.1 (or .2) and get an SSL cert mismatch error.

Now, regarding the user group, can I assume you did this:

tunnel-group cos webvpn-attributes
group-url https://anycon1.test.com/cos enable

You'll need that so that the previously mentioned HTTPS attempt works.

Or, if you stick with the IP address:

tunnel-group cos webvpn-attributes
group-url https://65.2.2.1/cos enable
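
The two points sjbdallas makes above (put the cluster FQDN, not a /group URL, in the profile's HostAddress and name the tunnel-group in UserGroup; and make sure whatever the director redirects the client to, FQDN or IP, is a name the member's certificate actually carries) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Cisco: it builds the recommended profile fragment with the standard library, lints a profile for the two mistakes discussed, and works out which names each member certificate must carry depending on whether redirect-fqdn is enabled. The hostnames, IPs and tunnel-group name are the hypothetical values used in the thread.

```python
"""Build and lint an AnyConnect client profile <ServerList> for an ASA VPN
load-balancing cluster. Added example; values below are hypothetical and
taken from the thread, not from any real deployment."""
import ipaddress
import xml.etree.ElementTree as ET

CLUSTER_FQDN = "anycon.test.com"            # resolves to the cluster IP 65.2.2.3
MEMBER_FQDNS = {"anycon1.test.com": "65.2.2.1",   # member FQDN -> member IP
                "anycon2.test.com": "65.2.2.2"}
USER_GROUP = "cos"                          # tunnel-group name


def build_profile(cluster_fqdn=CLUSTER_FQDN, user_group=USER_GROUP, backups=()):
    """Return the ServerList fragment recommended in the thread: the cluster
    FQDN as HostAddress, the tunnel-group in <UserGroup>, no '/cos' in the URL."""
    root = ET.Element("AnyConnectProfile")
    entry = ET.SubElement(ET.SubElement(root, "ServerList"), "HostEntry")
    ET.SubElement(entry, "HostName").text = cluster_fqdn
    ET.SubElement(entry, "HostAddress").text = cluster_fqdn
    ET.SubElement(entry, "UserGroup").text = user_group
    if backups:
        backup_list = ET.SubElement(entry, "BackupServerList")
        for address in backups:
            ET.SubElement(backup_list, "HostAddress").text = address
    return ET.tostring(root, encoding="unicode")


def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_profile(profile_xml):
    """Return a list of problems in every HostAddress (primary and backup):
    a '/group' path in the address, or an IP literal that a certificate issued
    to a hostname will never match."""
    problems = []
    root = ET.fromstring(profile_xml)
    for entry in root.iter("HostEntry"):
        name = entry.findtext("HostName", "")
        for address in (e.text or "" for e in entry.iter("HostAddress")):
            if "/" in address:
                problems.append(f"{name}: HostAddress '{address}' carries a path; "
                                f"put the tunnel-group in <UserGroup> instead")
            elif _is_ip_literal(address):
                problems.append(f"{name}: HostAddress '{address}' is an IP literal; "
                                f"it will not match a certificate issued to a hostname")
    return problems


def redirect_targets(member_fqdns, redirect_fqdn_enabled):
    """What the director hands the client after the initial connection to the
    cluster FQDN: the member's FQDN when 'redirect-fqdn enable' is set (which
    needs a reverse DNS entry for each member IP), otherwise the member's IP."""
    return [fqdn if redirect_fqdn_enabled else ip for fqdn, ip in member_fqdns.items()]


def required_cert_names(cluster_fqdn, member_fqdns, redirect_fqdn_enabled):
    """Per member, the names its certificate must cover: the cluster FQDN (it
    may be the director the client first hits) plus whatever the client is
    redirected to for that member."""
    targets = dict(zip(member_fqdns, redirect_targets(member_fqdns, redirect_fqdn_enabled)))
    return {fqdn: {cluster_fqdn, targets[fqdn]} for fqdn in member_fqdns}


def cert_mismatches(required, cert_names):
    """Names in `required` that `cert_names` (the names a certificate actually
    carries) does not include; non-empty means the client will see a mismatch."""
    return sorted(required - set(cert_names))


if __name__ == "__main__":
    print(build_profile())
    print(lint_profile(build_profile("anycon.test.com/cos", backups=("65.1.1.1",))))
    needed = required_cert_names(CLUSTER_FQDN, MEMBER_FQDNS, redirect_fqdn_enabled=False)
    print(cert_mismatches(needed["anycon1.test.com"], {"anycon1.test.com", "anycon.test.com"}))
```

Run with redirect_fqdn_enabled=False, as the original poster has it, the last line reports 65.2.2.1 as uncovered: a certificate issued to anycon1.test.com and anycon.test.com cannot satisfy a redirect to the bare IP, which is the mismatch sjbdallas describes. With redirect-fqdn enabled (and reverse DNS in place) the required set collapses to the two hostnames and the same certificate passes.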
jickfoo Mon, 05/24/2010 - 13:11

Yes, what kills me is that I am trying to put

anycon.test.com    (that's the cluster IP)

into the AnyConnect client and it tells me "Invalid host entry, please re-enter".

sjbdallas Mon, 05/24/2010 - 13:18

If you don't have valid DNS names then I guess you'd have to use IP addresses for all the configs and .xml settings.

If you didn't do that setting to enable the group URL then that could be part of the address error you're seeing.

jickfoo Mon, 05/24/2010 - 15:35

I have valid DNS names. I have a case open. It would be good to see a working example. I'm trying to get that now.

I don't know why it doesn't work, but I'm thinking of reverting to good old DNS round robin. I know that will work.

Thanks for your help, If you have any other ideas let me know.

Justin
