Cisco AnyConnect and ASA 5525-X failover cluster - connection lost after failover

Dec 18th, 2013

Dear engineers,


I set up a Cisco 5525-X failover cluster with ASA 9.1(4) for a customer which worked flawlessly. The customer also ordered SSLVPN connectivity via AnyConnect client. The login on either box (whichever is primary at this moment) is successful.


The problem appears during and after failover. I thought that the ASA is able to keep the SSLVPN client connections active and that they move to the failover peer because the log entry on the standby unit looks like this.


Dec 18 2013 11:24:09: %ASA-6-721016: (WebVPN-Secondary) WebVPN session for client user test, IP 199.199.199.200 has been created.


When the client is connected to the primary active unit and I provoke a failover through disconnecting the LAN or INTERNET link, the failover takes place but the AnyConnect client loses the connection and the user has to reestablish the connection manually.


Primary Unit:

failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover mac address GigabitEthernet0/0 0200.0c07.ac00 0200.0c07.ac01
failover mac address GigabitEthernet0/1 0200.0c07.ac10 0200.0c07.ac11
failover mac address Management0/0 0200.0c07.ac80 0200.0c07.ac81
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.255.255.253 255.255.255.252 standby 10.255.255.254


Secondary Unit:

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/7
failover mac address GigabitEthernet0/0 0200.0c07.ac00 0200.0c07.ac01
failover mac address GigabitEthernet0/1 0200.0c07.ac10 0200.0c07.ac11
failover mac address Management0/0 0200.0c07.ac80 0200.0c07.ac81
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.255.255.253 255.255.255.252 standby 10.255.255.254






The ASA cluster has a 250 Premium User SSLVPN license and also an AnyConnect Mobile license.



Your inputs are really appreciated.

Thanks a lot

Florian
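
Added example, not part of the original post: a small Python check that the two failover configurations posted above agree with each other (everything except the unit role) and that both carry the stateful `failover link` that session replication depends on. The function names `parse` and `check_pair` are hypothetical helpers written for this illustration.

```python
import re

# Failover configuration as posted in the question (primary unit).
PRIMARY = """\
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover mac address GigabitEthernet0/0 0200.0c07.ac00 0200.0c07.ac01
failover mac address GigabitEthernet0/1 0200.0c07.ac10 0200.0c07.ac11
failover mac address Management0/0 0200.0c07.ac80 0200.0c07.ac81
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.255.255.253 255.255.255.252 standby 10.255.255.254
"""
# The secondary unit's posted configuration differs only in the unit role.
SECONDARY = PRIMARY.replace("lan unit primary", "lan unit secondary")

def parse(cfg):
    """Return (unit role, set of all other failover lines, whitespace-normalised)."""
    role, rest = None, set()
    for line in cfg.splitlines():
        line = " ".join(line.split())
        if not line.startswith("failover"):
            continue
        m = re.fullmatch(r"failover lan unit (primary|secondary)", line)
        if m:
            role = m.group(1)
        else:
            rest.add(line)
    return role, rest

def check_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    (r1, c1), (r2, c2) = parse(primary_cfg), parse(secondary_cfg)
    if {r1, r2} != {"primary", "secondary"}:
        findings.append(f"unit roles are {r1}/{r2}, expected primary/secondary")
    for name, cfg in (("first", c1), ("second", c2)):
        if "failover" not in cfg:
            findings.append(f"{name} unit: failover is not enabled")
        if not any(l.startswith("failover link ") for l in cfg):
            findings.append(f"{name} unit: no stateful 'failover link'")
    for line in sorted(c1 ^ c2):  # lines that exist on one unit but not the other
        findings.append(f"present on one unit only: {line}")
    return findings

if __name__ == "__main__":
    print(check_pair(PRIMARY, SECONDARY) or "failover configuration is consistent")
```

Run against the configuration as posted, the check returns no findings, so the pair is consistent and stateful failover is configured on both units.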

david contreras Fri, 06/13/2014 - 12:06

Try upgrading to 9.1.5. This is a closed caveat from 9.1.4.

CSCul84216
ASA - Remote access VPN sessions are not replicated to Standby unit
