Meraki

Community

Setup AnyConnect to use both WAN1 and WAN2

Phil_SCDS
Getting noticed
‎Jun 20 2024 2:29 AM
‎Jun 20 2024 2:29 AM

Setup AnyConnect to use both WAN1 and WAN2

Hi all,

 

Here is our scenario:

 

We have an MX84 with AnyConnect configured to use the DDNS name of our router. This then forwards the SAML request to our Azure instance to authenticate users. This all works fine. However, we have fairly unreliable internet where we are and I would like to configure the AnyConnect client to use both WAN1 and WAN2 (one as a backup address) so that should WAN1 go down users will be able to reconnect on WAN2 (they are different ISPs using different infrastructure).

 

Lets say the DDNS name for the router is:

 

Site-1-abcde.dynamic-m.com

 

This gives a WAN1 DDNS of:

 

Site-1-abcde-1.dynamic-m.com

 

and a WAN2 DDNS of:

 

Site-1-abcde-2.dynamic-m.com

 

These two additional addresses resolve with an nslookup to the correct IP addresses for the 2 interfaces.

 

I have tried adding them as additional Identifiers (Entity IDs) in Azure but it seems like the request is never reaching Azure when I use one of the additional addresses.

 

My hypothesis is that I am lacking something within Meraki to tell it to forward the request to Azure when the request is using anything other than the primary DDNS address. This might be in this section on the AnyConnect Setting page:

 

Phil_SCDS_0-1718875512333.png

And if I am right it doesn't look like it allows for multiple addresses.

 

However I have also tested changing this to one of the secondary DDNS addresses like Site-1-abcde-1.dynamic-m.com and then tried to connect via that and it still doesn't work so maybe I am missing something.

 

Has anyone managed to get AnyConnect to work using both interfaces, and is it even possible?

 

Thanks in advance,

 

Phil

Labels:
0 Kudos
9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 4:37 AM
‎Jun 20 2024 4:37 AM

If you have both WANs activated, the VPN client will only work for the WAN that you have configured as primary, not for both at the same time.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Phil_SCDS
Getting noticed
‎Jun 20 2024 4:45 AM
‎Jun 20 2024 4:45 AM

Hi Alemabrahao,

 

Thanks for this. I don't need them working at the same time I need it for backup purposes. So should our WAN1 connection fail VPN connections can then be made via the WAN2 interface. Is this possible? I have been in contact with Meraki support over it and they seem to think it is possible but have thus far only provided me with generic setup instructions for AnyConnect.

0 Kudos
In response to Phil_SCDS
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 4:55 AM
‎Jun 20 2024 4:55 AM

Yes it is, because in case of failure, the working WAN will take over.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 4:38 AM
‎Jun 20 2024 4:38 AM

alemabrahao_0-1718883513051.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 4:40 AM
‎Jun 20 2024 4:40 AM

You should be able to use either WAN interface for Anyconnect, as both will respond to AnyConnect.

In regards to the SAML configuration, the Server URL needs to fit with what is configured on Azure. So If you configure AnyConnect and Azure SAML, with the DDNS url of WAN1, you can't just change the AnyConnect Server URL on the Dashboard to WAN2. Then you'll need to update the configuration on Azure.

 

THat being said, you should be able to simply use the "global" DDNS url (the one without -1 or -2) and you should still have radundant AnyConnect. If WAN1 goes down, the DDNS url, should (if I remember correctly) update to the WAN2 address. The expected TTL for DDNS to update is about 10 minutes.

 

So if you perform a test with unplugging your WAN1 interface, about 10 minutes later, a dns lookup on the DDNS address should resolve to your WAN2 interface.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to rhbirkelund
Phil_SCDS
Getting noticed
‎Jun 20 2024 4:46 AM
‎Jun 20 2024 4:46 AM

Hi rhbirkelund,

 

From my experience it simple does not fail over. I cannot say for certain if I have waited the full 10 minutes but even if that is correct it is not a very useful failover as that it too much down time.

0 Kudos
In response to Phil_SCDS
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 4:58 AM
‎Jun 20 2024 4:58 AM

Did you verify that DDNS updated to WAN2 interface with a NS lookup? It could simply be that the dns hadsn't been replicated through DNS yet.

 

But yes - 10+ minute failover time isn't that much useful. Unfortunately, this is the implementation of AnyConnect that Meraki has done. In the end this seems to be more a matter of Internet connection reliability, than the Anyconnect implementation. If you have a more reliable connection on WAN2, could it be an option to use this a the Primary interface instead?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
In response to Phil_SCDS
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 5:19 AM
‎Jun 20 2024 5:19 AM

One question, when you are testing Failover, are you disconnecting the VPN Client to try to connect again or are you simply disconnecting and waiting for it to work again?
 
If it's the second question, it won't work. You must disconnect from the VPN and reconnect for it to work.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 20 2024 3:40 PM
‎Jun 20 2024 3:40 PM

Only use the Site-1-abcde.dynamic-m.com DNS name in your SAML config.

 

Once WAN1 has failed it can take up to 10 minutes (average of 5 minutes) for the DDNS to update and then clients will be able to re-connect via WAN2.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.