ASAv HA in Azure proper failover with Anyconnect clients

Hello community, you are awesome!


I am going to deploy two ASAv in HA in Azure; the main purpose will be site-to-site and AnyConnect RA.

The two ASAs will be active/standby; cloud failover is a bit different than on-prem ASAs. When a failover event happens, the backup ASA just changes the UDRs, pointing the routes to its interfaces, and becomes active. All this is controlled by the external load balancer and the API agent.

For AnyConnect RA I am using Traffic Manager pointing to ASA-1 as the priority, and all clients are connecting via one DNS name.

So far so good. In the normal scenario AnyConnect users connect to ASA-1, and the site-to-site tunnels as well.

When I simulate failover by completely shutting down ASA-1, everything is good: Traffic Manager points AnyConnect to ASA-2 and the IPsec tunnels are redirected.

The problem comes when, for example, the active ASA gets rebooted and then comes back online. By this time the failover has kicked in and the secondary has become active. We get into a situation where ASA-1 is backup but online, ASA-2 is active, and Traffic Manager is pointing AnyConnect users to ASA-1, which is not okay because the inside routes are pointing to ASA-2 at this time.

Of course, if I log in and make ASA-1 active, everything will be good. But it doesn't happen automatically, by design of Cisco.

My question is: how can I make Traffic Manager point the connections to the current active ASA in those situations?

Has anybody deployed such a design (ASAv in HA in Azure) and made AnyConnect RA work properly when failover happens?


Thanks a lot for your help!
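The mismatch described in the post can be reproduced with a small model of the two mechanisms that disagree: the ASA failover pair (which unit currently owns the inside UDRs) and Traffic Manager priority routing (which endpoint the DNS name resolves to). The following is an added example written for this page, not code from the original post, from Cisco or from Microsoft. It assumes a reachability-only health probe for the post's current setup, and it assumes, as a labelled hypothetical, a second probe variant that only passes on the unit whose failover role is active; the ASA names, priorities and event sequence are constructed for the simulation.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Asa:
    name: str
    priority: int            # Traffic Manager priority: 1 is the preferred endpoint
    online: bool = True      # whether the unit answers a reachability probe
    active: bool = False     # failover role: True = owns the inside UDRs


class AsaPair:
    """Active/standby pair. Only the active unit has the inside routes pointed at it."""

    def __init__(self, primary: Asa, secondary: Asa) -> None:
        self.units = [primary, secondary]
        primary.active = True
        secondary.active = False

    def active_unit(self) -> Optional[Asa]:
        for u in self.units:
            if u.active and u.online:
                return u
        return None

    def _fail_over(self) -> None:
        # If no active unit is online, the surviving online peer takes over.
        # When the former active unit returns it rejoins as standby; no preemption,
        # which is the behaviour the post describes after a reboot.
        if self.active_unit() is None:
            for u in self.units:
                u.active = False
            for u in self.units:
                if u.online:
                    u.active = True
                    break

    def set_online(self, name: str, online: bool) -> None:
        for u in self.units:
            if u.name == name:
                u.online = online
                if not online:
                    u.active = False
        self._fail_over()

    def reboot(self, name: str) -> None:
        self.set_online(name, False)   # unit goes down, peer becomes active
        self.set_online(name, True)    # unit returns online, but as standby


def tm_pick_reachability(pair: AsaPair) -> Optional[str]:
    """Priority routing with a reachability-only probe: the setup in the post."""
    for u in sorted(pair.units, key=lambda x: x.priority):
        if u.online:
            return u.name
    return None


def tm_pick_role_aware(pair: AsaPair) -> Optional[str]:
    """Hypothetical probe that only passes on the unit whose failover role is active."""
    for u in sorted(pair.units, key=lambda x: x.priority):
        if u.online and u.active:
            return u.name
    return None


def mismatch(pair: AsaPair, picker: Callable[[AsaPair], Optional[str]]) -> bool:
    """True when the endpoint Traffic Manager hands out is not the active ASA."""
    active = pair.active_unit()
    return active is not None and picker(pair) != active.name


def simulate() -> List[Tuple[str, Optional[str], Optional[str], Optional[str]]]:
    """Constructed event sequence: steady state, ASA-1 shut down, ASA-1 back online."""
    pair = AsaPair(Asa("ASA-1", 1), Asa("ASA-2", 2))
    log = []

    def record(event: str) -> None:
        active = pair.active_unit()
        log.append((event, active.name if active else None,
                    tm_pick_reachability(pair), tm_pick_role_aware(pair)))

    record("steady state")
    pair.set_online("ASA-1", False)
    record("ASA-1 down")
    pair.set_online("ASA-1", True)
    record("ASA-1 back online as standby")
    return log


if __name__ == "__main__":
    for event, active, reach_pick, role_pick in simulate():
        print(f"{event:32s} active={active} reachability-probe->{reach_pick} role-aware-probe->{role_pick}")
```

The third row of the log is the failure mode from the post: ASA-2 is active, yet the reachability-only probe sees ASA-1 online again and priority routing sends AnyConnect users back to it. Any fix has to make the health signal Traffic Manager consumes depend on the failover role rather than on plain reachability, which the role-aware variant models without claiming how that signal would be produced on a real ASA.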
