Cisco AnyConnect VPN to Cisco ASA via Balance 30 Pro

#1

Found a couple of older posts without any specific config recommendations that seemed appropriate for my situation. Was hoping to get some feedback on how to best accommodate my setup.

I just acquired the Balance 30 Pro and started load balancing 3 WANs in a home office situation. When connecting to my remote ASA firewall via Windows 10 I had previously been using Cisco AnyConnect without issue. Now, with the 3 WAN connections, AnyConnect keeps dropping and reconnecting every few seconds and therefore not maintaining a session. I assume this is because of the load balancing.

Any guidance on how to keep this VPN session persistent would be appreciated.

Thanks,

Eric

1 Like
#2

How do you have outbound policy rules configured in the Balance 30 Pro?

2 Likes
#3

At the moment it is set at default. I tried some HTTPS Persistence with no luck. I thought maybe I would have to create a custom rule here.

#4

You can configure an outbound policy rule using either the source or destination IP address to solve this. Alternatively you can configure separate outbound policy rules for these Cisco AnyConnect ports:

TLS (SSL) TCP 443
SSL Redirection TCP 80
DTLS UDP 443
IPsec/IKEv2 UDP 500, UDP 4500

The priority algorithm works well for this scenario as you can put the preferred WAN on top for these outbound sessions, having them all fail over in the same order.

2 Likes
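An added example, not part of the original thread and not Peplink's implementation: a simplified Python model of the outbound policy described in the post above, showing how a priority rule on the listed AnyConnect ports keeps the TLS and DTLS flows to the ASA on one WAN and fails them over together. The WAN names, the ASA address and the round-robin stand-in for default balancing are assumptions.

```python
from dataclasses import dataclass

# AnyConnect ports listed in the post above: (protocol, destination port)
ANYCONNECT_PORTS = {("tcp", 443), ("tcp", 80), ("udp", 443), ("udp", 500), ("udp", 4500)}

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int

def priority_pick(order, healthy):
    """Priority algorithm: first WAN in the configured order that is up."""
    for wan in order:
        if wan in healthy:
            return wan
    return None

def balanced_pick(index, healthy):
    """Assumed stand-in for default balancing: new sessions rotate across healthy WANs."""
    wans = sorted(healthy)
    return wans[index % len(wans)] if wans else None

def route(flows, healthy, asa_ip=None, order=()):
    """Return {flow: wan}. With asa_ip set, AnyConnect flows to it use the priority rule."""
    out = {}
    for i, f in enumerate(flows):
        pinned = asa_ip == f.dst_ip and (f.proto, f.dst_port) in ANYCONNECT_PORTS
        out[f] = priority_pick(order, healthy) if pinned else balanced_pick(i, healthy)
    return out

def egress_wans(assignment, dst_ip):
    """Set of WANs (hence source IPs seen by the remote end) used toward dst_ip."""
    return {wan for f, wan in assignment.items() if f.dst_ip == dst_ip}

# Constructed sample: addresses are from the documentation ranges (RFC 5737).
ASA = "203.0.113.10"
SESSION = [Flow("tcp", ASA, 443), Flow("udp", ASA, 443), Flow("tcp", "198.51.100.7", 443)]
ORDER = ("WAN1", "WAN2", "WAN3")  # hypothetical WAN names, preferred first

if __name__ == "__main__":
    all_up = {"WAN1", "WAN2", "WAN3"}
    print("default  :", egress_wans(route(SESSION, all_up), ASA))
    print("priority :", egress_wans(route(SESSION, all_up, ASA, ORDER), ASA))
    print("WAN1 down:", egress_wans(route(SESSION, all_up - {"WAN1"}, ASA, ORDER), ASA))
```

In this model the default case sends the two ASA flows out different WANs, while the priority rule yields a single egress WAN both before and after the preferred link fails.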
#5

Thank you, Ron. Here is what I attempted, with no success. The VPN does connect; however, it continues to drop and retry.

1 Like
#6

Under Network > Misc. Settings > Service Passthrough Support, disable IPsec NAT-T. This setting is enabled by default for client VPN users and easy out-of-the-box configuration. The setting will override the outbound policy rules for UDP 500/4500. Try this and then see if these sessions are all going out the ATT Cellular WAN under Status > Active Sessions.

2 Likes