This post provides the specifics of configuring GSLB for Cisco AnyConnect Mobility Client connections. It does not cover the basics of GSLB or how to configure AnyConnect VPN. Carl Stalhood has a great article on configuring NetScalers for GSLB.

Requirements

  • Distribute AnyConnect VPN traffic between two active/active datacentres.
  • Ensure AnyConnect VPN service availability in case of Internet/network issues at either datacentre.

Prerequisites

  • GSLB is enabled on the NetScalers.
  • ADNS configuration on the NetScalers.
  • DNS delegation for a GSLB subdomain (i.e. gslb.nzsystems.com) has been configured.

The configuration below needs to be completed on NetScalers at both sites.

1. GSLB Sites and MEP

I ensured MEP between NetScalers at the two datacentres was routed via the Internet. This provided the benefit of not needing to bind explicit monitors to remote GSLB services to check that the Internet at the remote site hasn’t gone down. If MEP drops, the remote GSLB service will be marked as down.

add gslb site jupiter 192.168.190.10 -publicIP 1.1.1.1
add gslb site saturn 192.168.189.10 -publicIP 2.2.2.2

Depending on the stability of the Internet connections at the two sites, it might be worth increasing the MEP Time Delay to prevent network ‘blips’ (MEP drops) from marking remote services as DOWN prematurely. The following command sets the MEP Time Delay to 10 seconds.

set gslb parameter -GSLBSvcStateDelayTime 10

2. Create GSLB Services

Each site is configured with two services, one for each DC. The IP addresses need to be the IP addresses on which AnyConnect is reachable externally.

add server srv-jupiter-vpn 1.1.1.1
add server srv-saturn-vpn 2.2.2.2
add gslb service gslbsvc-jupiter-vpn srv-jupiter-vpn SSL 443 -publicIP 1.1.1.1 -publicPort 443 -maxClient 0 -siteName jupiter -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED
add gslb service gslbsvc-saturn-vpn srv-saturn-vpn SSL 443 -publicIP 2.2.2.2 -publicPort 443 -maxClient 0 -siteName saturn -cltTimeout 180 -svrTimeout 360 -downStateFlush ENABLED

3. GSLB Service Monitors

Not outlined in the code snippets but a sensible monitor should be bound to each local GSLB service. In my case I monitored the core switch’s IP in the respective datacentre.

Alternatively you could monitor the ASA/AnyConnect host or a local authentication source.
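
One way to bind the monitors this step describes, as an added example that is not part of the original post. The monitor names and the core switch addresses (192.168.190.1 and 192.168.189.1) are assumptions; substitute your own.

```netscaler
# --- On the jupiter NetScaler: monitor only the LOCAL GSLB service ---
# PING monitor against the local core switch (address is an assumed placeholder)
add lb monitor mon-jupiter-core PING -destIP 192.168.190.1 -interval 5 -resptimeout 2 -retries 3
bind gslb service gslbsvc-jupiter-vpn -monitorName mon-jupiter-core

# --- On the saturn NetScaler: same pattern for its local service ---
add lb monitor mon-saturn-core PING -destIP 192.168.189.1 -interval 5 -resptimeout 2 -retries 3
bind gslb service gslbsvc-saturn-vpn -monitorName mon-saturn-core

# --- Alternative: probe the ASA/AnyConnect listener itself ---
# A TCP monitor with no -destIP probes the service's own IP on the given port
add lb monitor mon-vpn-tcp443 TCP -destPort 443
# bind gslb service gslbsvc-jupiter-vpn -monitorName mon-vpn-tcp443

# --- Verify: local service state comes from the monitor, remote state from MEP ---
show gslb service gslbsvc-jupiter-vpn
show gslb site
```

The remote service is left without a monitor on each appliance, so its state continues to follow MEP as described in step 1.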

4. Create GSLB Virtual Servers

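Least Connections is used as the load balancing method and SourceIP for persistency. Least Connections is the NetScaler default for a GSLB virtual server, so the command below does not set -lbMethod; it only sets Round Robin as the backup method.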

add gslb vserver gslbvs-vpn SSL -backupLBMethod ROUNDROBIN -tolerance 0 -persistenceType SOURCEIP -persistenceId 10 -timeout 480 -ECS ENABLED
bind gslb vserver gslbvs-vpn -serviceName gslbsvc-jupiter-vpn
bind gslb vserver gslbvs-vpn -serviceName gslbsvc-saturn-vpn
bind gslb vserver gslbvs-vpn -domainName vpn.gslb.nzsystems.com -TTL 5

5. AnyConnect Considerations

As with any GSLB services, make sure AnyConnect is configured identically at both sites so users get the same experience regardless of which DC they connect to. Don’t forget to configure the same group aliases and URLs at both DCs.

Conclusion

My main concern was around SourceIP persistency and clients being potentially disconnected as their DNS cache expired, but in practice this was not a problem.

The distribution across DCs was not perfect but I didn’t expect it to be with SourceIP (client’s DNS server) persistency.