Hi all,
Here is our scenario:
We have an MX84 with AnyConnect configured to use the DDNS name of our router. This then forwards the SAML request to our Azure instance to authenticate users. This all works fine. However, we have fairly unreliable internet where we are and I would like to configure the AnyConnect client to use both WAN1 and WAN2 (one as a backup address) so that should WAN1 go down users will be able to reconnect on WAN2 (they are different ISPs using different infrastructure).
Let's say the DDNS name for the router is:
Site-1-abcde.dynamic-m.com
This gives a WAN1 DDNS of:
Site-1-abcde-1.dynamic-m.com
and a WAN2 DDNS of:
Site-1-abcde-2.dynamic-m.com
These two additional addresses resolve with an nslookup to the correct IP addresses for the 2 interfaces.
I have tried adding them as additional Identifiers (Entity IDs) in Azure but it seems like the request is never reaching Azure when I use one of the additional addresses.
My hypothesis is that I am lacking something within Meraki to tell it to forward the request to Azure when the request is using anything other than the primary DDNS address. This might be in this section on the AnyConnect Setting page:
And if I am right it doesn't look like it allows for multiple addresses.
However I have also tested changing this to one of the secondary DDNS addresses like Site-1-abcde-1.dynamic-m.com and then tried to connect via that and it still doesn't work so maybe I am missing something.
Has anyone managed to get AnyConnect to work using both interfaces, and is it even possible?
Thanks in advance,
Phil
If you have both WANs activated, the VPN client will only work for the WAN that you have configured as primary, not for both at the same time.
Hi Alemabrahao,
Thanks for this. I don't need them working at the same time; I need it for backup purposes. So, should our WAN1 connection fail, VPN connections can then be made via the WAN2 interface. Is this possible? I have been in contact with Meraki support over it and they seem to think it is possible but have thus far only provided me with generic setup instructions for AnyConnect.
Yes it is, because in case of failure, the working WAN will take over.
You should be able to use either WAN interface for AnyConnect, as both will respond to AnyConnect.
In regards to the SAML configuration, the Server URL needs to fit with what is configured on Azure. So if you configure AnyConnect and Azure SAML with the DDNS URL of WAN1, you can't just change the AnyConnect Server URL on the Dashboard to WAN2. Then you'll need to update the configuration on Azure.
That being said, you should be able to simply use the "global" DDNS URL (the one without -1 or -2) and you should still have redundant AnyConnect. If WAN1 goes down, the DDNS URL should (if I remember correctly) update to the WAN2 address. The expected TTL for DDNS to update is about 10 minutes.
So if you perform a test with unplugging your WAN1 interface, about 10 minutes later a DNS lookup on the DDNS address should resolve to your WAN2 interface.
Hi rhbirkelund,
From my experience it simply does not fail over. I cannot say for certain if I have waited the full 10 minutes, but even if that is correct it is not a very useful failover, as that is too much downtime.
Did you verify that DDNS updated to the WAN2 interface with an NS lookup? It could simply be that the DNS hadn't been replicated through DNS yet.
But yes - a 10+ minute failover time isn't that much use. Unfortunately, this is the implementation of AnyConnect that Meraki has done. In the end this seems to be more a matter of Internet connection reliability than the AnyConnect implementation. If you have a more reliable connection on WAN2, could it be an option to use this as the primary interface instead?
Only use the Site-1-abcde.dynamic-m.com DNS name in your SAML config.
Once WAN1 has failed it can take up to 10 minutes (average of 5 minutes) for the DDNS to update and then clients will be able to re-connect via WAN2.
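The failover test that rhbirkelund describes (unplug WAN1, then watch whether the global DDNS name starts resolving to the WAN2 address) and the 5-10 minute window quoted in the last reply are easy to get wrong by hand if you only run nslookup once. The script below is an added example, not code from this thread or from Cisco Meraki: it polls the global name alongside the two per-interface names, labels which WAN the global record currently points at, and reports how long the record took to move. The hostnames follow the thread's Site-1-abcde pattern as placeholders, the RFC 5737 addresses in the fake resolver are constructed for the offline demonstration, and the resolver is injectable so the timing logic can be exercised without touching real DNS.

```python
"""Watch a Meraki-style DDNS record to measure WAN1 -> WAN2 failover.

Added example (not from the thread or from Cisco Meraki). Hostnames are
placeholders modelled on the thread's naming; replace them with your own.
"""
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder names following the thread's pattern (global, WAN1, WAN2).
GLOBAL_NAME = "Site-1-abcde.dynamic-m.com"
WAN1_NAME = "Site-1-abcde-1.dynamic-m.com"
WAN2_NAME = "Site-1-abcde-2.dynamic-m.com"

Resolver = Callable[[str], Optional[str]]


def resolve(name: str) -> Optional[str]:
    """Resolve a hostname to an IPv4 address, or None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(global_ip: Optional[str], wan1_ip: Optional[str],
             wan2_ip: Optional[str]) -> str:
    """Label which interface the global DDNS name currently points at."""
    if global_ip is None:
        return "unresolved"
    if global_ip == wan1_ip:
        return "WAN1"
    if global_ip == wan2_ip:
        return "WAN2"
    return "other"


def snapshot(resolver: Resolver) -> Tuple[str, Optional[str]]:
    """One observation of all three names: (label, global_ip)."""
    wan1_ip = resolver(WAN1_NAME)
    wan2_ip = resolver(WAN2_NAME)
    global_ip = resolver(GLOBAL_NAME)
    return classify(global_ip, wan1_ip, wan2_ip), global_ip


def watch_failover(resolver: Resolver, interval_s: float, max_checks: int,
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Poll until the global name answers with WAN2's address or the window ends.

    Returns the labels seen on each poll and the seconds elapsed
    (interval_s * polls) before the first WAN2 answer, or None if the
    record never moved within max_checks polls.
    """
    labels: List[str] = []
    flipped_after: Optional[float] = None
    for i in range(max_checks):
        label, _ip = snapshot(resolver)
        labels.append(label)
        if label == "WAN2":
            flipped_after = i * interval_s
            break
        if i < max_checks - 1:
            sleep(interval_s)
    return {"labels": labels, "flipped_after_s": flipped_after}


def make_fake_resolver(flip_at_call: int) -> Resolver:
    """Constructed resolver simulating the DDNS record moving to WAN2.

    The global name returns WAN1's address for its first `flip_at_call`
    lookups and WAN2's address afterwards. Addresses are RFC 5737
    documentation ranges, constructed for this example.
    """
    table = {WAN1_NAME: "203.0.113.10", WAN2_NAME: "198.51.100.20"}
    calls = {"global": 0}

    def fake(name: str) -> Optional[str]:
        if name == GLOBAL_NAME:
            calls["global"] += 1
            return table[WAN1_NAME] if calls["global"] <= flip_at_call else table[WAN2_NAME]
        return table.get(name)

    return fake


if __name__ == "__main__":
    # Live run: poll once a minute for up to 15 minutes (the thread quotes 5-10).
    print(watch_failover(resolve, interval_s=60, max_checks=16))
```

Run it right after pulling the WAN1 cable; `flipped_after_s` is the number you compare against the 10-minute figure quoted above, and a run that ends with every label still `WAN1` tells you the record did not move within the window rather than that the client failed for some other reason. Note that a resolver cache between you and the authoritative server can hold the old answer past the record's TTL, so query the same resolver your VPN clients use.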