Forum Discussion

Subrun
Nov 29, 2022

For AnyConnect RA Load Balancing which Module to Use GTM or LTM

For AnyConnect RA load balancing, which module should I use, GTM or LTM?

I have 2 RA VPNs, but they are in the SAME data center. Should I use LTM or GTM?

Each AnyConnect VPN normally has its own identity cert (2 different certs), but if we put the F5 in front of them, what cert will be installed on each AnyConnect box?

The plan is to use the F5 to load balance between the 2 VPNs.

For example, if the 1st RA box is named vpn1.company.com and the 2nd one is vpn2.company.com, normally each VPN has its own individual identity cert. But if we put the F5 in front of both, what cert do we need to reference from each VPN config at the AnyConnect level?

1 Reply

  • I would use the GTM to load balance your AnyConnect VPN connections, but if you have an SSL certificate that is only valid on each RA device for one FQDN, you will have an issue, because typically the GTM setup is as follows.

    myvpn.company.com -> vpn1.company.com
    myvpn.company.com -> vpn2.company.com

    That myvpn.company.com response will change depending on your load balancing algorithm, so each destination device will see the request as myvpn.company.com rather than vpn1 or vpn2.company.com. So make sure your SSL cert covers both names, if that is allowed. Aside from that, I believe Cisco has a way of doing this on their own at the following link.

    https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-ha.html#ID-2186-000003f0
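The certificate problem the reply describes can be checked before any DNS change is made. The example below is added here and is not code from the thread, from Cisco or from F5: it models a GTM wide IP (myvpn.company.com) whose pool members are the two RA boxes, and asks for each member whether an AnyConnect client that was handed that member would accept its certificate. The client validates the name it was asked to connect to (the wide IP name), never the member's own hostname, so every member's cert must carry the wide IP name as a dNSName SAN. The hostname-matching rules are the RFC 6125 / RFC 9525 ones (wildcard only as the whole leftmost label, matching exactly one label). The hostnames, pool layout and SAN lists are constructed sample data, and "round robin" is assumed only to illustrate that the member changes while the name does not.

```python
"""
Added example: does each GTM pool member's identity cert cover the wide IP
name that AnyConnect clients will actually validate?  Sample data only.
"""
from __future__ import annotations

from dataclasses import dataclass


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname.

    Rules applied (RFC 6125 section 6.4.3, RFC 9525 section 6.3):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is only accepted as the entire leftmost label, so
      "*.company.com" is fine but "vpn*.company.com" is rejected;
    - the wildcard matches exactly one label, so "*.company.com" matches
      "myvpn.company.com" but neither "company.com" nor "a.b.company.com";
    - a wildcard that would cover a whole TLD ("*.com") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial wildcard, or wildcard not in leftmost label
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # TLD wildcard, or label count differs
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName SAN entry on the cert matches hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


@dataclass(frozen=True)
class PoolMember:
    hostname: str              # the RA box's own FQDN (e.g. vpn1.company.com)
    san_dns_names: list[str]   # dNSName SAN entries on its identity cert


def validate_pool(wide_ip: str, members: list[PoolMember]) -> dict[str, bool]:
    """For each member: would a client that resolved wide_ip and was sent to
    this member accept the member's certificate?  The client checks wide_ip,
    not members[i].hostname, regardless of which member the GTM picked."""
    return {m.hostname: cert_covers(m.san_dns_names, wide_ip) for m in members}


WIDE_IP = "myvpn.company.com"

# Constructed sample: per-box certs as the question describes them.
BEFORE = [
    PoolMember("vpn1.company.com", ["vpn1.company.com"]),
    PoolMember("vpn2.company.com", ["vpn2.company.com"]),
]

# Constructed sample: each box keeps its own name and also carries the wide IP
# name, once as an explicit SAN and once via a (same-level) wildcard.
AFTER = [
    PoolMember("vpn1.company.com", ["vpn1.company.com", "myvpn.company.com"]),
    PoolMember("vpn2.company.com", ["vpn2.company.com", "*.company.com"]),
]


def pool_is_safe(wide_ip: str, members: list[PoolMember]) -> bool:
    """The pool is only usable if every member passes, since the GTM may hand
    any member to any client (assumed round robin for illustration)."""
    return all(validate_pool(wide_ip, members).values())


if __name__ == "__main__":
    for label, pool in (("before", BEFORE), ("after", AFTER)):
        print(label, validate_pool(WIDE_IP, pool), "safe:", pool_is_safe(WIDE_IP, pool))
```

The "before" pool fails on both members even though each box's cert is perfectly valid for its own name, which is exactly the failure the reply warns about; a client that types myvpn.company.com gets a name-mismatch error no matter which box the GTM chose. The "after" pool passes on both, with the wildcard member showing the one wildcard form clients accept. The same matcher reports why a certificate such as `vpn*.company.com` or `*.com` would not rescue the pool.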