I have an ASA configured with dual ISP using two interfaces and tracking/monitoring.
The primary ISP is configured on the outside interface, and the secondary ISP is configured on the failover interface.
I have defined two routes etc., and the failover part works fine, but the behaviour is not as expected in the AnyConnect client when the primary ISP fails. AnyConnect will eventually notice that the connection is broken, and it will try to reconnect. The problem is that it never tries the server in the "Backup server list"; it just continues to make requests to the primary ISP IP. If I disconnect and try a new connect, it first tries the primary (which fails), and then it tries the backup server (with success).
When the primary ISP comes back online, the client will remain connected, and it seems like it does the reconnect without any notice of it in the client. The automatic switch back from secondary ISP to primary ISP is perfect, but I don't understand why it would be necessary to do a disconnect/connect when the primary ISP fails; I would assume that it would try the secondary ISP without the need for a disconnect.
Is there a reason for this behaviour, or is there anything I could do in my config to make the client try a connection to a backup server when the connection to the primary server is broken?
This is expected behaviour and is discussed in the shared link. In an ideal scenario, if the primary server IP is not reachable, the user should get a prompt that a problem was encountered and that they should attempt a login again (you will need to uncheck "Auto Reconnect" in the client's AnyConnect XML profile for this). Once you try to connect again, it should allow you to connect to the backup server.
This is because the VPN headend has to be selected prior to the AAA parameters. For further information, please check the link: https://tools.cisco.com/bugsearch/bug/CSCte15276/?reffering_site=dumpcr
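To illustrate the two profile settings the answer refers to, here is an AnyConnect client profile fragment added as an example (it is not from the original post or from Cisco): the primary headend with its backup server list, and Auto Reconnect disabled so that a lost session prompts the user to log in again instead of retrying the primary address indefinitely. The host addresses are constructed placeholders from the documentation ranges and the host name is assumed; only the elements relevant to this thread are shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile; addresses and names are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- "Auto Reconnect" unchecked: a broken session ends with a prompt
         to reconnect, and the new connection attempt walks the
         BackupServerList after the primary HostAddress fails. -->
    <AutoReconnect UserControllable="false">false
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Assumed display name for the single ASA headend -->
      <HostName>Corporate VPN</HostName>
      <!-- Primary ISP public address on the outside interface (placeholder) -->
      <HostAddress>192.0.2.10</HostAddress>
      <BackupServerList>
        <!-- Secondary ISP public address on the failover interface (placeholder) -->
        <HostAddress>198.51.100.10</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

With AutoReconnect set to true instead, the client keeps retrying the primary HostAddress after an ISP failure, which is the behaviour described in the question.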
In my scenario there is only 1 ASA with two outside interfaces, isp1 and isp2. If the primary ISP goes down, the client has the public IP of isp2 configured in the backup server list. I just wanted to be sure that there is no workaround when the session is not made to another ASA, but in fact just to a different IP/interface on the same ASA.
I am a bit reluctant to turn off the "Auto reconnect" feature, as it would affect the client behaviour beyond the scope of the problem mentioned above.