New Member

AnyConnect Client Profile Backup Server Configuration

I'm trying to understand the use of the Backup Server option in the AnyConnect Client Profile.

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server

(Screenshot attached)

backup_servers.JPG

My questions:

1. In what scenarios do we add servers (ASA devices) in this tab?

2. If I have the same information in two different locations (Site A and Site B) for AnyConnect users, can I add Site A-ASA and Site B-ASA into the Backup Server tab as a failover mechanism for the end user?

3. Or is it only used to mention ASA devices configured in a failover unit?

4. In the case of a failover unit, does it support stateful failover?

I could not find answers to the above questions from a Google search, so I am asking here.

4 REPLIES
swj Cisco Employee
Yes you can use as Failover Mechanism.

Please check the same which is documented.

 

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#pgfId-1455959

 

Bronze

Hi SWJ,

Do you know if the backup server configuration also works for IP Phones using anyconnect to connect to an ASA?

If I create the profile, is it going to be pushed to the phones after the first time they connect and they will keep it as a backup option?

 

Thank you,

Hall of Fame Super Silver

I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios:

1) ASAs at two different sites

2) ASAs configured as a High Availability failover pair (Active/Standby).

 

The profile does work to provide failover in 1) but does not work to provide failover in 2).

 

I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client, and if the phone is using the AnyConnect client then it ought to support that failover.

 

If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.

 

HTH

 

Rick

New Member

In my experience iOS (iPhone), Linux, Windows, and macOS with AnyConnect can all use the backup server entries in the AnyConnect profile. This is usually used when you have two data centers at diverse locations. It looks something like this inside the profile:

<HostName>hunkydory.aixrs.local</HostName>
<HostAddress>hunkydory.aixrs.local</HostAddress>
<BackupServerList>
        <HostAddress>dornfest.aixrs.local</HostAddress>
</BackupServerList>
<PrimaryProtocol>IPsec</PrimaryProtocol>

 

Failover for the ASA when using AnyConnect does not require the use of "backup servers" in the AnyConnect profile. AnyConnect connections will fail over instantly. This would be for ASA devices located in the same location where failover has been configured between devices.

For option 1 the failover is in the client.

For option 2 the failover is in the ASA.

 

I see no reason that you could not use both, but you would need two sets of ASAs with different host names. Either located local or diverse.
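
Added example (not part of any post in this thread and not Cisco code): a small Python check that reads a profile and lists, for each HostEntry, the primary address followed by its backup addresses, flagging entries with no backup or with a backup that is the same host as the primary. The enclosing `AnyConnectProfile`/`ServerList`/`HostEntry` elements and the `site-c`/`site-d` entries in the sample are assumptions made for this example; only the first entry's contents come from the fragment posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The first HostEntry reuses the fragment posted in the
# thread; the enclosing elements and the other two entries are assumptions.
SAMPLE_PROFILE = """<AnyConnectProfile><ServerList>
  <HostEntry>
    <HostName>hunkydory.aixrs.local</HostName>
    <HostAddress>hunkydory.aixrs.local</HostAddress>
    <BackupServerList>
      <HostAddress>dornfest.aixrs.local</HostAddress>
    </BackupServerList>
    <PrimaryProtocol>IPsec</PrimaryProtocol>
  </HostEntry>
  <HostEntry>
    <HostName>site-c.example.test</HostName>
    <HostAddress>site-c.example.test</HostAddress>
  </HostEntry>
  <HostEntry>
    <HostName>site-d.example.test</HostName>
    <HostAddress>site-d.example.test</HostAddress>
    <BackupServerList><HostAddress>SITE-D.example.test</HostAddress></BackupServerList>
  </HostEntry>
</ServerList></AnyConnectProfile>"""

def local(tag):
    # Drop any XML namespace so lookups work with or without an xmlns.
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    # Direct children only, so a backup HostAddress is never read as the primary.
    return [c for c in elem if local(c.tag) == name]

def audit_profile(xml_text):
    """Per HostEntry: primary followed by listed backups, plus redundancy gaps."""
    report = []
    for entry in ET.fromstring(xml_text).iter():
        if local(entry.tag) != "HostEntry":
            continue
        get = lambda n: next(((k.text or "").strip() for k in kids(entry, n)), "")
        primary = get("HostAddress") or get("HostName")
        backups = [(h.text or "").strip()
                   for bl in kids(entry, "BackupServerList")
                   for h in kids(bl, "HostAddress")]
        issues = []
        if not backups:
            issues.append("no backup server")
        if any(b.lower() == primary.lower() for b in backups):
            issues.append("backup equals primary")
        report.append({"name": get("HostName"), "order": [primary] + backups, "issues": issues})
    return report
```

Calling `audit_profile(SAMPLE_PROFILE)` returns one dictionary per entry; run it only on profile files you manage yourself.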

 
