ASAv HA in Azure: proper failover with AnyConnect clients
Hello community, you are awesome!
I am going to deploy two ASAv in HA in Azure; the main purpose will be site-to-site and AnyConnect RA.
The two ASAs will be active/standby; cloud failover is a bit different from on-prem ASAs. When a failover event happens, the backup ASA just changes the UDRs, pointing the routes to its interfaces, and becomes active. All this is controlled by an external load balancer and an API agent.
For AnyConnect RA I am using Traffic Manager pointing to ASA-1 as the priority, and all clients are connecting via one DNS name.
So far so good. In the normal scenario, AnyConnect users connect to ASA-1, and the site-to-site tunnels as well.
When I simulate failover by completely shutting down ASA-1, everything is good: Traffic Manager points AnyConnect to ASA-2 and the IPsec tunnels are redirected.
The problem comes when, for example, the active ASA gets rebooted and then comes back online. By this time the failover has kicked in and the secondary has become active. We get into a situation where ASA-1 is backup but online, ASA-2 is active, and Traffic Manager is pointing AnyConnect users to connect to ASA-1, which is not okay because the inside routes are pointing to ASA-2 at this time.
Of course, if I log in and make ASA-1 active, everything will be good. But it doesn't happen automatically, by design of Cisco.
My question is: how can I make Traffic Manager point the connections to the currently active ASA in those situations?
Has anybody deployed such a design (ASAv in HA in Azure) and made AnyConnect RA work properly when failover happens?
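One way to keep Traffic Manager aligned with the unit that actually holds the inside routes is a small reconciliation job that reads the next hop the failover agent wrote into the inside UDR and gives that unit's Traffic Manager endpoint priority 1. The script below is an added example, not code from the original post, from Cisco or from Microsoft; the resource group, route table, route and profile names, the endpoint names, and the inside-IP-to-endpoint map are all assumptions, and the `az` calls are the standard Azure CLI commands for route tables and Traffic Manager endpoints.

```shell
#!/bin/sh
# Added example: reconcile a Priority-routed Azure Traffic Manager profile with
# the ASAv that the inside UDR currently points at. Every name and address
# below is an assumption for illustration, not a value from the original post.

RG="rg-asav-ha"             # assumed resource group
ROUTE_TABLE="rt-inside"     # assumed UDR attached to the inside subnet
ROUTE_NAME="default"        # assumed 0.0.0.0/0 route that failover rewrites
TM_PROFILE="tm-anyconnect"  # assumed Traffic Manager profile (Priority routing)

# Assumed map: inside NIC address of each ASAv -> its Traffic Manager endpoint.
ASA1_INSIDE_IP="10.0.2.4"; ASA1_ENDPOINT="asa-1"
ASA2_INSIDE_IP="10.0.2.5"; ASA2_ENDPOINT="asa-2"

# Pure decision logic: given the UDR next hop, print the endpoint that should
# carry priority 1. Prints nothing if the next hop belongs to neither unit.
active_endpoint_for_next_hop() {
    case "$1" in
        "$ASA1_INSIDE_IP") echo "$ASA1_ENDPOINT" ;;
        "$ASA2_INSIDE_IP") echo "$ASA2_ENDPOINT" ;;
        *) echo "" ;;
    esac
}

# The other unit, which should carry priority 2.
standby_endpoint_for() {
    case "$1" in
        "$ASA1_ENDPOINT") echo "$ASA2_ENDPOINT" ;;
        "$ASA2_ENDPOINT") echo "$ASA1_ENDPOINT" ;;
        *) echo "" ;;
    esac
}

# Read the next hop the failover agent wrote into the UDR (Azure CLI).
current_next_hop() {
    az network route-table route show \
        --resource-group "$RG" --route-table-name "$ROUTE_TABLE" \
        --name "$ROUTE_NAME" --query nextHopIpAddress -o tsv
}

# Re-order the two endpoints (Azure CLI). --type azureEndpoints is assumed
# because the endpoints are the ASAv outside public IP resources.
set_priorities() {
    az network traffic-manager endpoint update --resource-group "$RG" \
        --profile-name "$TM_PROFILE" --type azureEndpoints \
        --name "$1" --priority 1 >/dev/null
    az network traffic-manager endpoint update --resource-group "$RG" \
        --profile-name "$TM_PROFILE" --type azureEndpoints \
        --name "$2" --priority 2 >/dev/null
}

# Reconcile once; refuse to touch Traffic Manager if the UDR is unexpected.
reconcile() {
    hop=$(current_next_hop) || return 1
    active=$(active_endpoint_for_next_hop "$hop")
    if [ -z "$active" ]; then
        echo "UDR next hop '$hop' matches neither ASA; leaving Traffic Manager alone" >&2
        return 1
    fi
    set_priorities "$active" "$(standby_endpoint_for "$active")"
    echo "Traffic Manager now prefers $active (UDR next hop $hop)"
}

# Apply only when asked, so the file can also be sourced for testing.
if [ "${1:-}" = "--apply" ]; then
    reconcile
fi
```

Run it as `sh reconcile.sh --apply` from a scheduled job or an Automation runbook after the failover agent has had time to rewrite the UDR. Because Traffic Manager is DNS-based, already-connected AnyConnect sessions are not moved; only new connections (after the profile's DNS TTL expires) land on the unit the inside routes point at, and the script deliberately does nothing when the next hop matches neither unit rather than guess.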