AnyConnect Backup Server List (not working)

johng231
Level 3

Hello -

We are trying to get the backup server list to work when a remote anyconnect user loses connectivity on the primary connection. Currently, it is getting stuck on trying to reconnect to the primary, rather than going to the next available one in the backup server list.

However, it works if you manually disconnect the connection and then reconnect: it will first try the primary, then it will go to the backup and successfully connect.

Is this the expected behavior?

version 9.0(3)

Anyconnect 3.1.04072

webvpn
  anyconnect ssl keepalive 20
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30

14 Replies

We are having the same issue.  Did you ever get this worked out?  Here is an excerpt from the CCNP Security VPN book that supports what we want it to do.

"In addition to trying one of the configured backup servers if the primary ASA is unavailable when establishing a new VPN session, the AnyConnect client uses dead peer detection (DPD) to detect when an ASA becomes unavailable during an established VPN connection. DPD is a keepalive mechanism that sends DPD_R_U_THERE packets to the ASA after a defined period of inactivity (default 30 seconds). After the AnyConnect client sends its first DPD_R_U_THERE packet, it expects a DPD_R_U_THERE_ACK back from the ASA. If the AnyConnect client does not receive an ACK from the ASA, it continues to send DPD_R_U_THERE packets until three have been sent. If at this point the AnyConnect client still has not received a response from the ASA, it tears down the connection and attempts to open a connection to the next available server configured in the Backup Servers list."

 

Lance E.

It sounds as though you expect the VPN client to automatically connect to the server in the backup server list? If so, that is not the case, and it is also stated in the output you posted, @Lance. It is during a new connection establishment that it will time out and try the backup servers if the primary is not available.

--
Please remember to rate and select a correct answer

Yes, this seems to be the behavior...and it's annoying. You should be able to set an auto reconnect limit timer and retry timer; once that expires it should auto connect to the backup server....would be much more effective as a feature, especially where we have geographic ASAs and don't have any other need for global redirection.

It seems from the CCNP Security book that this should be the behavior...maybe the key is to disable auto reconnect. Although...you would think these two features (DPD and Auto Reconnect) would be complementary. I think we need Cisco to chime in here with a clarification. It seems Auto Reconnect is simply too sticky and keeps you hung on the primary headend.

Sorry for late reply as I have been away for a few weeks.

Do you require further assistance with this issue?


This is still not working for us. There have been several times where the primary internet connection goes down. The backup VPN server in the list never gets contacted, so when a user tries to connect to the primary server, it never rolls over during the trying-to-establish phase. The users are first trying to connect to the primary server when the internet is down; some of them have not established the connection when the primary internet is up. Is it only meant to work when you are in an established connection and then it rolls over? It should also work on new attempts. I will try this when they upgrade their firewall to version 9.1.5.

Now I am a little confused.  In your original post you say that if you disconnect and then reconnect it works...but now you are saying that when the user tries to connect to the primary it doesn't roll over to the secondary?


What users were telling me is that they couldn't establish a connection to the backup server when using their local AnyConnect profile to their main office; it wouldn't roll over to the backup office. So they were forced to change the profile to use the backup one manually. A lot of the users don't have the backup profile in their profile list. We can't easily push this out to them, so we have to rely on the backup server list to establish the connection for them for the first time and download the backup profile.

We'll test with the latest version, 9.1.5, and see if it works better.

We are running 9.1.4 and this is our experience.  In the AnyConnect Client Profile section we have set our backup server list and have turned "Auto Reconnect" off.

 

When NOT connected and the primary fails:

AnyConnect for laptops and desktops tries the primary and then ultimately connects to the secondary within a very reasonable amount of time (10 seconds).

AnyConnect for phones and tablets (Android or iOS) takes 45 seconds before successfully connecting to the secondary.

 

When CONNECTED and the primary fails:

AnyConnect for laptops and desktops: after about 15 seconds, the user receives an error that there were connection problems and they should attempt to reconnect. The AnyConnect client then behaves as described in the "when NOT connected and the primary fails" section above.

AnyConnect for phones and tablets (Android and iOS): after ~15 seconds it goes into a "reconnecting" state and will stay there for 5-10 minutes....that's as long as I've given it anyway before force quitting the app. Upon attempting to reconnect I then wait the 45 seconds as described in the "when NOT connected and the primary fails" section.

@Lance - that is the behavior I would expect with regards to the backup server list.  If you want the users to automatically failover to the secondary VPN server you would need to set up an Active/Standby failover, or cluster type environment.


I think right now what I want is for the tablet and phone AnyConnect client to behave like the laptop and desktop AnyConnect client, i.e. don't try to auto reconnect when the primary fails, inform the user that they need to attempt to reconnect, and upon reconnect be able to establish a connection on the secondary in 10-15 seconds.

 

 

I noticed in an active/standby setup, the profile doesn't get replicated when created on the active firewall; you have to manually export it and import it to the other fw. Every time you modify the XML profile, do you have to keep doing this??? The same goes for the AnyConnect images. Not a good way to manage them when you have a failover setup.

 

Matthew Hall
Level 4

Active/Standby or clustering isn't an option if you have geographic disparity between your HA sites. I'm not really sure why the code isn't written to use the secondary gateway on auto-reconnect. I'm sure there may be some problem with AnyConnect that prevents them from using it...but it seems somewhat trivial to me. Is there a location to put in a feature request for ASA code?

To make a feature request you would need to go through a Cisco partner.  So if you are not a Cisco partner yourself, you would need to contact your local Cisco partner and have them issue the feature request to Cisco on your behalf.


james_flockton
Level 1

This issue is resolved now as long as you have reconnect enabled on the Primary; the XML on the client then reconnects. We have this in a production lab and it works as you describe. You just need to make sure the XML is as follows for backup:

<ServerList>
    <HostEntry>
        <HostName>Mobile access</HostName>
        <HostAddress>PRIMARY IP/FQDN</HostAddress>
        <BackupServerList>
            <HostAddress>SECONDARY IP/FQDN</HostAddress>
        </BackupServerList>
        <MobileHostEntryInfo>
            <NetworkRoaming>true</NetworkRoaming>
            <CertificatePolicy>Auto</CertificatePolicy>
            <ConnectOnDemand>false</ConnectOnDemand>
            <ActivateOnImport>false</ActivateOnImport>
        </MobileHostEntryInfo>
    </HostEntry>
</ServerList>

I also added:

<AutoReconnect UserControllable="true">true
    <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>

 

NB: Just out of interest, when your Primary comes back online, does it auto reconnect to that, or do you have to select that as well from the server list?

 

Thanks, James
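Since the thread comes down to whether each HostEntry actually carries a BackupServerList and how AutoReconnect is set, here is an added audit script (not from the thread or from Cisco) that parses a client profile in that layout and reports both. The AnyConnectProfile root, its xmlns and the ClientInitialization wrapper are assumed from the standard profile layout; the hostnames are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile: the AnyConnectProfile root, xmlns and ClientInitialization
# wrapper are assumed from the standard layout; the fragments mirror the thread's posting.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Mobile access</HostName>
      <HostAddress>vpn-primary.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-secondary.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Lab (no backup)</HostName>
      <HostAddress>vpn-lab.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def _local(tag):  # strip the "{namespace}" prefix ElementTree adds because of the xmlns
    return tag.rsplit("}", 1)[-1]

_text = lambda el: (el.text or "").strip()  # element text, trimmed

def audit_profile(xml_text):
    """Summarise AutoReconnect and each host's backup servers; flag hosts with none."""
    root = ET.fromstring(xml_text)
    report = {"auto_reconnect": None, "behavior": None, "hosts": [], "findings": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "AutoReconnect":
            # Mixed content: the leading text is true/false, the child element is the behaviour.
            report["auto_reconnect"] = _text(el).lower() == "true"
            report["behavior"] = next((_text(c) for c in el if _local(c.tag) == "AutoReconnectBehavior"), None)
        elif name == "HostEntry":
            # Look only at direct children so backup addresses are not mistaken for the primary.
            kids = {_local(c.tag): c for c in el}
            host = {"name": _text(kids["HostName"]), "address": _text(kids["HostAddress"]),
                    "backups": [_text(b) for b in kids.get("BackupServerList", [])
                                if _local(b.tag) == "HostAddress"]}
            if not host["backups"]:
                report["findings"].append(host["name"] + ": no BackupServerList, nothing to fail over to")
            report["hosts"].append(host)
    return report
```

Run it against an exported profile to confirm every entry users rely on has a backup address before assuming failover will happen.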
