Forum Discussion
Matching Cisco Anyconnect TCP/UDP Traffic for DTLS to pool member
Since COVID hit, we had to scale up our Cisco ASA VPN infrastructure. We use Cisco Anyconnect and we are trying to get more clients to use DTLS (UDP 443) as it performs better for speed. The issue we are having is that since we have multiple ASA appliances in the backend, it is hit or miss whether the client establishes DTLS.
Basically, when a client authenticates, they authenticate on TCP 443. Then, the client tries to connect on UDP 443 and we need to find a way to get that UDP 443 packet to go to the same backend pool member.
We currently have two Virtual Servers, one for TCP and one for UDP.
Is there a way on the UDP Virtual Server to track the state/flow table and follow the TCP connection, maybe with an iRule?
Thanks
Hi, mzac. I'm not sure if you figured this one out already, but here is the solution for the record.
Assuming the same pool members for both virtual servers and both virtual servers using the same virtual address, you can use the "Match Across Services" option in a Source Address persistence profile to meet your requirement. See https://support.f5.com/csp/article/K5837 for more details.
- Jason_Chiu (Employee)
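As an added illustration of the answer above (constructed example, not configuration from the thread or from F5), here is the shape of the configuration in bigip.conf / `tmsh load sys config merge` format: one Source Address persistence profile with Match Across Services enabled, attached to a TCP 443 and a UDP 443 virtual server that share the same virtual address and the same pool. The virtual address 192.0.2.10, the pool member addresses, the object names and the 8-hour timeout are placeholders.

```tmsh
ltm persistence source-addr /Common/anyconnect_src_persist {
    defaults-from /Common/source_addr
    description "Client-IP record shared by the TCP and UDP virtuals"
    match-across-services enabled
    timeout 28800
}
ltm pool /Common/asa_vpn_pool {
    description "Placeholder ASA addresses; same pool on both virtuals"
    members {
        /Common/asa1:443 { address 10.0.0.11 }
        /Common/asa2:443 { address 10.0.0.12 }
    }
    monitor /Common/gateway_icmp
}
ltm virtual /Common/vs_anyconnect_tcp {
    description "AnyConnect TLS (authentication) - creates the record"
    destination /Common/192.0.2.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/anyconnect_src_persist { default yes }
    }
    pool /Common/asa_vpn_pool
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual /Common/vs_anyconnect_udp {
    description "AnyConnect DTLS - same address and pool, follows the record"
    destination /Common/192.0.2.10:443
    ip-protocol udp
    mask 255.255.255.255
    persist {
        /Common/anyconnect_src_persist { default yes }
    }
    pool /Common/asa_vpn_pool
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
```

The persistence timeout must outlast the gap between the TCP authentication and the DTLS attempt, and ideally the VPN session itself, or the UDP flow can still land on a different ASA; because the record is keyed on client IP, all users behind one NAT address will be pinned to the same ASA, which is the trade-off for this approach.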