Anyconnect optimized gateway selection question

Hello,

I am in the process of evaluating Cisco Anyconnect VPN for my company. Can anyone please let me know what will happen to the client if optimized selected gateway is full?

Thanks,

Deepak

12 REPLIES

Re: Anyconnect optimized gateway selection question

Hi,

With Optimal Gateway Selection, the first time AC runs on the machine it checks the RTT response from each server/gateway configured in the XML file and uses the one with the lowest value as the primary gateway.

These results will be cached by the client, so in case the primary gateway fails or becomes somehow unresponsive, the AC will automatically use the second gateway in the list.

Since the AC client performs the gateway evaluation only one time, it is recommended to test it from a stable connection.

More information:

AnyConnect Optimal Gateway Selection Operation

Please let me know if this answers your question.

Thanks.

Portu

Re: Anyconnect optimized gateway selection question

Good one. I will come up with more if I have any.

Re: Anyconnect optimized gateway selection question

Good news

Have a good one.


Re: Anyconnect optimized gateway selection question

Javier,

Will the OGS work or fallback to the 2nd best gateway if users have PAC (Proxy auto-config) files configured?

Also, if the OGS gateway is full, that doesn't necessarily mean that it is unresponsive. It should still reply to the client but be unable to offer the service, so is there any integrated mechanism by which the primary OGS gateway will redirect the client to the next best gateway?

Thanks,

Deepak

Re: Anyconnect optimized gateway selection question

Hi Deepak,

What do you mean by "Full"? This is not VPN load-balancing.

AnyConnect will fall back to the next OG if the current gateway does not respond.

It will only work after a new client connection attempt.

Let me know.


Re: Anyconnect optimized gateway selection question

Thanks again Javier.

Will the failover still work if users have PAC (proxy auto-config) files configured?

-Deepak

Re: Anyconnect optimized gateway selection question

You are welcome!

I don't see any reason why it wouldn't.


Re: Anyconnect optimized gateway selection question

Deepak,

I think I know what you are asking, because I ran into this.  If the gateway is available, running, and working but for some reason you cannot connect, AnyConnect will not try the backup list.  Some examples where the gateway is reachable but might not connect are: you run out of licenses, DAP policies are denying you, the gateway is misconfigured, the gateway is hung, etc.  In this case, I don't think AnyConnect will attempt to connect to the backup list, unless something changed in recent AnyConnect or ASA code.  In the scenarios I mention, I guess Cisco assumes that since you hit a gateway, you're fine regardless of whether it fails or not.

I know because I had this issue a while back with our load-balancing gateways.  One gateway was in a hung state where it was still reachable but would never complete new tunnels.  Load balancing kept sending new users to the 'bad' gateway: start connecting, error out, never connect.  User tries again to the load balancer, error out.  Rinse and repeat.  Meanwhile the 'good' gateway was available and was listed individually in the backup list, but AnyConnect never attempted a connection since the 'bad' gateway was reachable.

I hope this helps.  I submitted an enhancement request to Cisco regarding this behavior, which asked for AnyConnect to try every server in the backup list if a tunnel is not established for any reason.  I don't know if that went anywhere, though.


Re: Anyconnect optimized gateway selection question

Tom,

This is another great explanation. That's what I am worried about. Well, is it possible you can help me with the case or ticket # for the enhancement request with Cisco, so that I can try to follow up and get more information on this?

Thanks,

Deepak

Re: Anyconnect optimized gateway selection question

Deepak,

As mentioned by bravotom99 (5 stars), AnyConnect will only detect a failure at the networking level. In other words, if the server does not respond to a connectivity test.

It is true that if your server is running out of licenses or is misconfigured, AnyConnect will not try the next server, since the primary one seems to be alive.

I am not in the office today, but please send me a private message tomorrow and I will check for any enhancement request.

On the other hand, if bravotom99 could send me the enhancement request in a Private message, that would help me a lot.

Thanks.

Please rate any helpful posts
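A constructed model of the behaviour Portu, bravotom99 and Javier describe above, added here as an illustration; this is not Cisco code and not AnyConnect's implementation. It ranks gateways by a cached RTT, skips a gateway only when it does not answer, and stops at a gateway that answers but cannot complete the tunnel. The gateway names, RTTs and states are made up, and `tunnel_aware_connect()` models what the enhancement request asked for, not existing client behaviour.

```python
"""Model of AnyConnect Optimal Gateway Selection (OGS) failover as described in this thread.

Added illustration, not Cisco code. OGS ranks the gateways in the profile by the
RTT measured on the first run and caches that order; if the chosen gateway stops
answering, the next one is tried. A gateway that answers but cannot complete a
tunnel (out of licenses, DAP denial, hung) is not skipped. tunnel_aware_connect()
models the behaviour the enhancement request asked for, not existing behaviour.
Gateway names, RTTs and states below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    cached_rtt_ms: float     # RTT measured on the first OGS run, then cached
    up: bool = True          # does it answer a connectivity probe right now?
    tunnel_ok: bool = True   # can it actually complete a tunnel?
    reason: str = ""         # why tunnel setup fails, if it does


class TunnelError(Exception):
    """Gateway answered, but the tunnel could not be established."""


def ogs_order(gateways):
    """Cached ranking: lowest RTT first, as measured on the first run."""
    return sorted(gateways, key=lambda g: g.cached_rtt_ms)


def connect(gw):
    """Two distinct failure levels: no answer vs. answer but no tunnel."""
    if not gw.up:
        raise ConnectionError(f"{gw.name}: no response")
    if not gw.tunnel_ok:
        raise TunnelError(f"{gw.name}: {gw.reason}")
    return f"tunnel up via {gw.name}"


def ogs_connect(gateways):
    """Behaviour the thread describes: only a gateway that does not respond
    is skipped; a tunnel failure at a responding gateway ends the attempt."""
    for gw in ogs_order(gateways):
        try:
            return connect(gw)
        except ConnectionError:
            continue                 # network-level failure: next cached gateway
        except TunnelError as e:
            return f"FAILED: {e}"    # gateway answered, so OGS stops here
    return "FAILED: no gateway responded"


def tunnel_aware_connect(gateways):
    """What the enhancement request asked for: keep going down the list
    until a tunnel is actually established."""
    errors = []
    for gw in ogs_order(gateways):
        try:
            return connect(gw)
        except (ConnectionError, TunnelError) as e:
            errors.append(str(e))
    return "FAILED: " + "; ".join(errors)


# Constructed scenario from bravotom99's post: the fastest gateway is reachable but hung.
GATEWAYS = [
    Gateway("vpn-east.example.com", 18.0, tunnel_ok=False, reason="hung, new tunnels never complete"),
    Gateway("vpn-west.example.com", 42.0),
    Gateway("vpn-dr.example.com", 95.0, up=False),
]

if __name__ == "__main__":
    print("cached order    :", [g.name for g in ogs_order(GATEWAYS)])
    print("OGS as described:", ogs_connect(GATEWAYS))
    print("tunnel-aware    :", tunnel_aware_connect(GATEWAYS))
```

With the constructed list, `ogs_connect()` stops at the hung east gateway even though west would have worked, which is exactly the load-balancer loop bravotom99 describes; swapping east's state to `up=False` instead makes OGS fall through to west, because that is a network-level failure.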

Re: Anyconnect optimized gateway selection question

Hi to all,

AC doesn't auto-select the next gateway in the server list... Why?

________________________

"profile.xml" in attached file

Re: Anyconnect optimized gateway selection question

After removing group-url from the server list, so that there was only the FQDN of the VPN gateways, OGS works fine!
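Following the last post, which reports OGS working only once the server list held bare FQDNs, here is an added checker (not Cisco's code, not from the attached profile.xml) that reads an AnyConnect client profile, reports the automatic-server-selection settings, and flags ServerList entries whose HostAddress is not a bare hostname or that carry a UserGroup (group-url style). The profile below is constructed for the example; the namespace and element names follow the AnyConnect profile schema, but the hostnames and groups are made up.

```python
"""Check an AnyConnect client profile's ServerList for entries that are not bare FQDNs.

Added example for this thread, not Cisco code. The last post reports that OGS
only started selecting gateways once the server list contained bare FQDNs and
the group-url entries were gone. This checker parses a profile, prints the
EnableAutomaticServerSelection settings, and flags every HostEntry whose
HostAddress has a path, scheme or IP literal, or that carries a UserGroup.
The profile text below is constructed for the example.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableAutomaticServerSelection UserControllable="true"
        AutoServerSelectionImprovement="20"
        AutoServerSelectionSuspendTime="4">true</EnableAutomaticServerSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>East</HostName>
      <HostAddress>vpn-east.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>West (group-url)</HostName>
      <HostAddress>vpn-west.example.com/sales</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>DR</HostName>
      <HostAddress>203.0.113.10</HostAddress>
      <UserGroup>sales</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Bare hostname: dot-separated labels, no scheme, no path, no port.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def local(tag):
    """Strip the XML namespace so the checker works with or without it."""
    return tag.rsplit("}", 1)[-1]


def is_bare_fqdn(value):
    """True only for a plain hostname; IP literals, paths and schemes fail."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return bool(FQDN_RE.match(value))


def ogs_settings(profile_xml):
    """Return the EnableAutomaticServerSelection value and its attributes."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        if local(el.tag) == "EnableAutomaticServerSelection":
            return {"enabled": (el.text or "").strip().lower() == "true", **el.attrib}
    return {"enabled": False}


def check_server_list(profile_xml):
    """Return (HostName, HostAddress, [problems]) for each HostEntry."""
    root = ET.fromstring(profile_xml)
    results = []
    for entry in root.iter():
        if local(entry.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        addr = fields.get("HostAddress", "")
        problems = []
        if not is_bare_fqdn(addr):
            problems.append("HostAddress is not a bare FQDN (path, scheme or IP literal)")
        if "UserGroup" in fields:
            problems.append("UserGroup present (group-url style entry)")
        results.append((fields.get("HostName", ""), addr, problems))
    return results


if __name__ == "__main__":
    print("OGS settings:", ogs_settings(SAMPLE_PROFILE))
    for name, addr, problems in check_server_list(SAMPLE_PROFILE):
        print(f"{name:<18} {addr:<30} {'ok' if not problems else '; '.join(problems)}")
```

Run it against your own exported profile by replacing `SAMPLE_PROFILE` with the file contents; entries flagged here are the ones the last poster had to remove before OGS behaved, so they are the first thing to compare when OGS silently declines to pick a gateway.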
