Automatic failover - AnyConnect

kennethgrande
Level 1

I have an ASA configured with dual ISP using two interfaces and tracking/monitoring.

The primary ISP is configured on the outside interface, and the secondary ISP is configured on the failover interface.

I have defined two routes etc., and the failover part works fine, but the behaviour is not as expected in the AnyConnect client when the primary ISP fails. AnyConnect will eventually notice that the connection is broken, and it will try to reconnect. The problem is that it never tries the server in the "Backup server list"; it just continues to make requests to the primary ISP IP. If I disconnect and try a new connect, it first tries the primary (which fails), and then it tries the backup server (with success).

When the primary ISP comes back online, the client will remain connected, and it seems like it does the reconnect without making any notice of it in the client. The automatic switch back from secondary ISP to primary ISP is perfect, but I don't understand why it would be necessary to do a disconnect/connect when the primary ISP fails; I would assume that it would try the secondary ISP without the need for a disconnect.

Is there a reason for this behaviour, or is there anything I could do in my config to make the client try a connection to a backup server when the connection to the primary server is broken?

2 Replies

Dinesh Moudgil
Cisco Employee

Hi Kenneth,

This is an expected behaviour and is discussed in the shared link.
In an ideal scenario, if the primary server IP is not reachable, the user should get a prompt that a problem was encountered and that they should attempt a login again (you will need to uncheck "Auto Reconnect" in the client's AnyConnect XML profile for this). Once you try to connect again, it should allow you to connect to the backup server.

This is because the VPN headend has to be selected prior to the AAA parameters.
For further information, please check the link:
https://tools.cisco.com/bugsearch/bug/CSCte15276/?reffering_site=dumpcr

Regards,

Dinesh Moudgil

P.S. Please rate the helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
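An AnyConnect client profile fragment, added here as an illustration and not taken from either post, showing where the "Backup server list" and "Auto Reconnect" settings Dinesh refers to live in the profile XML; the host names and addresses are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile (not from the thread). Element names follow the
     AnyConnect profile editor output; values are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- With AutoReconnect "true" (the default) the client keeps retrying the
         headend address it originally connected to, which is what Kenneth sees.
         Setting it to "false" gives the user the disconnect prompt Dinesh
         describes; the next manual login then walks the BackupServerList.
         UserControllable="false" locks the choice so end users cannot change it. -->
    <AutoReconnect UserControllable="false">false
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Display name shown in the client's server drop-down (placeholder) -->
      <HostName>Corporate VPN</HostName>
      <!-- Address on the ASA's primary ISP (outside) interface (placeholder) -->
      <HostAddress>vpn-isp1.example.com</HostAddress>
      <!-- Addresses tried, in order, when HostAddress is unreachable at connect
           time; here the same ASA's secondary ISP (failover) interface (placeholder) -->
      <BackupServerList>
        <HostAddress>vpn-isp2.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is pushed from the ASA on connect, so a change here only takes effect after the client has downloaded the new profile once.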

Thank you for responding Dinesh,

In my scenario there is only 1 ASA with two outside interfaces, ISP1 and ISP2. If the primary ISP goes down, the client has the public IP of ISP2 configured in the backup server list. I just wanted to be sure that there is no workaround when the session is not made to another ASA, but in fact just a different IP/interface on the same ASA.

I am a bit reluctant to turn off the "Auto reconnect" feature as it would affect the client behaviour beyond the scope of the problem mentioned above.
