mzac
Oct 08, 2020

Matching Cisco AnyConnect TCP/UDP Traffic for DTLS to pool member

Since COVID hit, we had to scale up our Cisco ASA VPN infrastructure. We use Cisco AnyConnect and we are trying to get more clients to use DTLS (UDP 443) as it performs better for speed. The issue we are having is that since we have multiple ASA appliances in the backend, it is hit or miss for the client to establish DTLS.

Basically, when a client authenticates, they authenticate on TCP 443. Then, the client tries to connect on UDP 443 and we need to find a way to get that UDP 443 packet to go to the same backend pool member.

We currently have two Virtual Servers, one for TCP and one for UDP.

Is there a way on the UDP Virtual Server to track the state/flow table and follow the TCP connection, maybe with an iRule?

Thanks

  • Hi, mzac. I'm not sure if you figured this one out already, but here is the solution for the record.

    Assuming the same pool members for both virtual servers and both virtual servers using the same virtual address, you can use the "Match Across Services" option in a Source Address persistence profile to meet your requirement. See https://support.f5.com/csp/article/K5837 for more details.
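
One way to apply the setting described in the reply above, as an added example that is not configuration posted in the thread. The profile name `anyconnect_src_persist` and the virtual server names `vs_anyconnect_tcp443` and `vs_anyconnect_udp443` are hypothetical.

```tmsh
# Run from the BIG-IP bash prompt. All object names are hypothetical.

# Source-address persistence profile whose records are shared by every
# virtual server on the same virtual address, regardless of service port.
tmsh create ltm persistence source-addr anyconnect_src_persist \
    defaults-from source_addr \
    match-across-services enabled

# Attach the same profile to both virtual servers, so the record created
# by the TCP 443 login is the one the UDP 443 (DTLS) lookup finds.
tmsh modify ltm virtual vs_anyconnect_tcp443 \
    persist replace-all-with { anyconnect_src_persist }
tmsh modify ltm virtual vs_anyconnect_udp443 \
    persist replace-all-with { anyconnect_src_persist }

# Verify: after a test client connects, its source address should appear
# with the same pool member address for both virtual servers.
tmsh show ltm persistence persist-records

# Persist the change to the stored configuration.
tmsh save sys config

# Caveat: the record is keyed on client source address, so every client
# behind one NAT address is sent to the same ASA, and the record must
# outlive the gap between the TCP login and the first DTLS packet.
```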
