Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Automatic failover - AnyConnect

I have an ASA configured with dual ISP using two Interfaces and tracking/monitoring.

 

The primary ISP is configured on the outside Interface, and the secondary ISP is configured on the failover Interface.

 

I have defined two routes etc, and the failover part Works fine, but the behaviour is not as expected in the AnyConnect client when the primary ISP fail. AnyConnect will eventually notice that the Connection is broken, and it will try to reconnect. The problem is that it never tries the server in the "Backup server list", it just continues to make requests to the primary isp ip. If i disconnect, and try a new Connect, it first tries the primary (wich fails), and then it tries the backup server (with success).

 

When the primary ISP comes back online, the Client will remain Connected, and it seems like it does the reconnect without making any notice of it in the Client. The automatic switch back from secondary isp to primary isp is Perfect, but i dont understand why it would be necessary to do a disconnect/Connect when the primary ISP fail, i would assume that it would try the secondary ISP without the need for a disconnect.

 

Is there a reason for this behavior, or is there anything i could do in my config to make the Client try a Connection to a backup server when the Connection to the primary server is broken?

 

 

2 REPLIES
Cisco Employee

Hi Kenneth,This is an

Hi Kenneth,

This is an expected behaviour and is discussed in the shared link.
In ideal scenario, if the primary server IP is not reachable , user should get prompt that a problem was encountered  and that they should attempt a login again (you will need to uncheck "Auto Reconnect" in client's Anyconnect XML profile for this). Once you try to connect again, it should allow you to connect to backup server.

This is since the VPN headend has to be selected prior to AAA parameters.
For further information , please check the link:-
https://tools.cisco.com/bugsearch/bug/CSCte15276/?reffering_site=dumpcr

Regards,

Dinesh Moudgil

P.S. Please rate the helpful posts.

New Member

Thank you for responding

Thank you for responding Dinesh,

In my scenario there is only 1 ASA with two outside interfaces isp1 and isp2. If the primary ISP goes down, the client has the public ip of isp2 configured in the backup server list. I just wanted to be sure that there is no workaround when the session is not made to another ASA, but in fact just a different ip/interface on the same ASA.

I am a bit reluctant to turn of the "Auto reconnect" feature as it would affect the client behaviour beyond the scope of the problem mentioned above.

362
Views
0
Helpful
2
Replies
CreatePlease login to create content