This post will focus on providing the specifics around configuring GSLB for Cisco AnyConnect Mobility Client connections and will not focus on the basic of GSLB or how to configure AnyConnect VPN. Carl Stalhood has a great article on configuring NetScalers for GSLB.
- Distribute AnyConnect VPN traffic between two active/active datacentres.
- Ensure AnyConnect VPN service availability in case of Internet/network issues at either datacentre.
- GSLB is enabled on the NetScalers.
- ADNS configuration on the NetScalers.
- DNS delegation for a GSLB (ie gslb.nzsystems.com) has been configured.
The configuration below needs to be completed on NetScalers at both sites.
1. GSLB Sites and MEP
I ensured MEP between NetScalers at the two datacentres was routed via the Internet. This provided the benefit of not needing to bind explicit monitors to remote GSLB services to check that the Internet at the remote site hasn’t gone down. If MEP drops, the remote GSLB service will be marked as down.
add gslb site jupiter 192.168.190.10 -publicIP 22.214.171.124 add gslb site saturn 192.168.189.10 -publicIP 126.96.36.199
Depending on the stability of the Internet connections at the two sites, it might be worth increasing the MEP Time Delay to prevent network ‘blips’ (MEP drops) from marking remote services as DOWN prematurely. The following command sets the MEP Time Delay to 10 seconds.
set gslb parameter -GSLBSvcStateDelayTime 10
2. Create GSLB Services
Each site is configured with two services, one for each DC. The IP addresses need to be the IP addresses on which AnyConnect is reachable externally.
add server srv-jupiter-vpn 188.8.131.52 add server srv-saturn-vpn 184.108.40.206
add gslb service gslbsvc-jupiter-vpn srv-jupiter-vpn SSL 443 -publicIP 220.127.116.11 -publicPort 443 -maxClient 0 -siteName jupiter -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED add gslb service gslbsvc-saturn-vpn srv-saturn-vpn SSL 443 -publicIP 18.104.22.168 -publicPort 443 -maxClient 0 -siteName saturn -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED
3. GSLB Service Monitors
Not outlined in the code snippets but a sensible monitor should be bound to each local GSLB service. In my case I monitored the core switch’s IP in the respective datacentre.
Alternatively you could monitor the ASA/AnyConnect host or a local authentication source.
4. Create GSLB Virtual Servers
Least Connections is used as the load balancing method and SourceIP for persistency.
add gslb vserver gslbvs-vpn SSL -backupLBMethod ROUNDROBIN -tolerance 0 -persistenceType SOURCEIP -persistenceId 10 -timeout 480 -ECS ENABLED
bind gslb vserver gslbvs-vpn -serviceName gslbsvc-jupiter-vpn bind gslb vserver gslbvs-vpn -serviceName gslbsvc-saturn-vpn bind gslb vserver gslbvs-vpn -domainName vpn.gslb.nzsystems.com -TTL 5
5. AnyConnect Considerations
As with any GSLB services, make sure AnyConnect is configured identically at both sites so users get the same experience regardless of which DC they connect to. Don’t forget to configure the same group aliases and URLs at both DCs.
My main concern was around SourceIP persistency and clients being potentially disconnected as their DNS cache expired, but in practice this was not a problem.
The distribution across DCs was not perfect but I didn’t expect it to be with SourceIP (client’s DNS server) persistency.