Configure VPN Client Load Balance with DNS Round Robin on ASA

Available Languages

Download Options

  • PDF     (619.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (730.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (703.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 15, 2024
Document ID:221691

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure anyconnect vpn client load balance with DNS round robin on ASA. 

    Prerequisites

    Requirements

    Ensure that you meet these requirements before you attempt this configuration:

    • You have assigned IP addresses on your ASAs and configured the default gateway.
    • Anyconnect VPN is configured on the ASAs.
    • VPN users are able to connect to all ASAs with the use of their individually assigned IP address.
    • DNS server of VPN users is round robin capable.

    Components Used

    The information in this document is based on these software and hardware versions:

    • Anyconnect VPN Client Software Releases 4.10.08025
    • Cisco ASA Software Releases 9.18.2
    • Window Server 2019

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Network DiagramNetwork Diagram

    Configurations

    Step 1. Configure Anyconnect VPN on ASA

    For how to configure anyconnect VPN on ASA, refer to this document:

    Here is the configuration of both ASAs in this example:

    ASA1:

    ip local pool anyconnect 10.4.0.100-10.4.0.200 mask 255.255.255.0

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 10.1.1.1 255.255.255.0 

    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 

    route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

    webvpn
     enable outside
     anyconnect enable
     tunnel-group-list enable

    group-policy anyconnect internal
    group-policy anyconnect attributes
     dns-server value 192.168.1.99
     vpn-tunnel-protocol ssl-client 
     default-domain value example.com

    username example1 password ***** 
    username example1 attributes
     vpn-group-policy anyconnect
     service-type remote-access

    tunnel-group anyconnect-tunnel-group type remote-access
    tunnel-group anyconnect-tunnel-group general-attributes
     address-pool anyconnect
     default-group-policy anyconnect
    tunnel-group anyconnect-tunnel-group webvpn-attributes
     group-alias example enable

    ASA2:

    ip local pool anyconnect 10.4.0.100-10.4.0.200 mask 255.255.255.0

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 10.2.1.1 255.255.255.0 

    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0 

    route outside 0.0.0.0 0.0.0.0 10.2.1.2 1

    webvpn
     enable outside
     anyconnect enable
     tunnel-group-list enable

    group-policy anyconnect internal
    group-policy anyconnect attributes
     dns-server value 192.168.1.99
     vpn-tunnel-protocol ssl-client 
     default-domain value example.com

    username example1 password ***** 
    username example1 attributes
     vpn-group-policy anyconnect
     service-type remote-access

    tunnel-group anyconnect-tunnel-group type remote-access
    tunnel-group anyconnect-tunnel-group general-attributes
     address-pool anyconnect
     default-group-policy anyconnect
    tunnel-group anyconnect-tunnel-group webvpn-attributes
     group-alias example enable

    You must be able to connect to both ASAs with the use of their individually assigned IP address before you move to step 2.

    Step 2. Configure Round Robin DNS on DNS Server

    You can use any round robin capble DNS server, in this example, DNS server on windows server 2019 is used. For how to install and configure DNS server on windows server, refer to this document:

    In this example, 10.3.1.4 is the windows server with DNS server enable for domain example.com.

    DNS ServerDNS Server

    Make sure round robin is enabled for your DNS server:

    1. From the Windows desktop, open the Start menu, select Administrative Tools > DNS.
    2. In the console tree, choose the DNS server you wish to manage, right-click, then select Properties.
    3. Under the tab Advanced, make sure Enable round robin is checked.

    Round Robin 1Round Robin 1Round Robin 2Round Robin 2

    Create two host records for ASA VPN servers:

    1. From the Windows desktop, open the Start menu, select Administrative Tools > DNS.
    2. In the console tree, connect to the DNS server you wish to manage, expand the DNS server, expand your Forward Lookup Zone, right-click, then select New Host (A or AAAA).
    3. On the New Host screen, specify the Name and IP address of the host record. In this example, vpn and 10.1.1.1.
    4. Select Add Host to create the record.

    Create New HostCreate New Host

    Host Record 1Host Record 1

    Repeat similar steps to create another host record and make sure Name is the same, in this example, Name is vpn, IP address is 10.2.1.1.

    Host Record 2Host Record 2

    You can find there are two hosts 10.1.1.1 and 10.2.1.1 associate to the same record vpn.example.com.

    Two Host RecordsTwo Host Records

    Verify

    Navigate to your client machine where the Cisco AnyConnect Secure Mobility client is installed, in this example Test-PC-1, verify your DNS server is 10.3.1.4.

    PC1 IP AddressPC1 IP Address

    note-icon

    Note: As a self-signed certificate is being used for the Gateway to identify itself, multiple certificate warnings can appear during the connection attempt. These are expected and must be accepted for the connection to continue. In order to avoid these certificate warnings, the self-signed certificate that is presented must be installed in the trusted certificate store of the client machine, or if a third-party certificate is being used then the Certificate Authority certificate must be in the trusted certificate store.

    Connect to your VPN headend vpn.example.com and enter the username and credentials.

    PC1 Anyconnect VPNPC1 Anyconnect VPN

    Click the gear icon (lower left corner) and navigate to the Statistics tab. Check in the Server Address section, in this example, this client connects to ASA1 (10.1.1.1).

    PC1 ConnectedPC1 ConnectedPC1 SatisticsPC1 Satistics

    Repeat similar steps for Test-PC-2. You can find the client connects to ASA2 (10.2.1.1), the two clients are load balance between two VPN headends.

    PC2 IP AddressPC2 IP AddressPC2 VPNPC2 VPNPC2 StatisticsPC2 Statistics

    Troubleshoot

    This section provides information you can use in order to troubleshoot your configuration.

    warning-icon

    Warning: On the ASA, you can set various debug levels; by default, level 1 is used. If you change the debug level, the verbosity of the debugs increase. Do this with caution, especially in production environments.

    You can enable debug to diagnostic VPN connection on ASA.

    • debug webvpn anyconnect  - Displays debug messages about connections to Anyconnect VPN clients.

    Refer to this document in order to troubleshoot common issues found on the client side.

    Revision History

    Revision Publish Date Comments
    1.0
    15-Feb-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Chao Feng

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products