Anyconnect VPN issues

trilerian1
Level 1

Having a weird issue with anyconnect VPN.  I am running 2 5545 ASAs in HA.  If I am on my secondary ASA a specific vpn profile works just fine.  However if I failover to my primary ASA, Anyconnect comes back with the following error.

AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.


Other profiles however seem to work.  


@trilerian1 any reason why the secondary was active in the first place? Was there an issue with the primary that caused a failover and this is not resolved? Run "show failover history" and "show failover" and provide the output.

Actually, the primary had to have the control license updated, for some reason that had expired. Cisco TAC was confused as to why...  So was I, to be honest.  But why would that affect only 1 anyconnect profile?

Control licenses (for ASA Firepower service modules) are non-expiring. Also, they should not (in any case I can think of) affect AnyConnect remote access VPN at all.

I have seen issues with HA setups referring to xml profiles where one member does not have the profile files, causing the VPN to fail to establish for that connection profile.

This profile was working on both the primary ASA and the secondary up to last week.  It just stopped working.  The only other thing that I can think of is that I issued a new cert for the VPN, but I put that in the identity certs and assigned it to the outside interfaces.  And, the other AnyConnect profiles are fine.

AViftrup
Level 1

As mentioned by Marvin.

Keep in mind that XML profiles created aren't replicated between devices in a HA-pair. Make sure every time you change XML settings, that you copy the changes to the standby unit as well.

I generally make changes in the ASDM.  I also manage some FTDs, and I guess I am just used to pulling up a GUI for changes.

But regardless, we normally run on the primary ASA and I use the vpn everyday since I am remote. 

Run a debug webvpn and then connect to AnyConnect, anything that stands out in the output?

--
Please remember to select a correct answer and rate helpful posts

Just keep in mind, even if you're making changes on the active unit: if you change the XML configuration (profile editor, either standalone or through ASDM), the XML profiles aren't automatically replicated to the standby peer.
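One way to check for the profile drift described above is to pull the client profile XML from each unit (for example through ASDM file management) and compare the copies offline. The script below is an added example and not part of this thread or any Cisco tool; the two profiles it compares are constructed samples, and the tag names (HostEntry, HostName, HostAddress, UserGroup) follow the AnyConnect client profile schema.

```python
"""Compare an AnyConnect client profile as stored on the active and standby ASA
and report any drift in the ServerList, so a stale standby copy is caught
before a failover. Both sample profiles below are constructed for this example."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the profile as last saved on the active unit.
ACTIVE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>corp-users</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample: a stale copy on the standby unit (old gateway address,
# no UserGroup), i.e. the profile was edited on the active unit and never copied.
STANDBY_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn-old.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def server_entries(xml_text):
    """Return {HostName: {field: value}} for every HostEntry in the profile."""
    root = ET.fromstring(xml_text)
    entries = {}
    for node in root.iter():
        if _local(node.tag) != "HostEntry":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in node}
        entries[fields.get("HostName", "")] = fields
    return entries


def profile_hash(xml_text):
    """SHA-256 of the raw file; a quick equality check before any parsing."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def diff_profiles(active_xml, standby_xml):
    """Return a list of drift findings; an empty list means the copies match."""
    findings = []
    if profile_hash(active_xml) == profile_hash(standby_xml):
        return findings
    active, standby = server_entries(active_xml), server_entries(standby_xml)
    for name in sorted(set(active) | set(standby)):
        if name not in standby:
            findings.append(f"HostEntry '{name}' missing on standby")
        elif name not in active:
            findings.append(f"HostEntry '{name}' only present on standby")
        else:
            for key in sorted(set(active[name]) | set(standby[name])):
                a, s = active[name].get(key), standby[name].get(key)
                if a != s:
                    findings.append(
                        f"HostEntry '{name}': {key} active={a!r} standby={s!r}")
    if not findings:
        # Bytes differ but the ServerList is identical (e.g. ClientInitialization).
        findings.append("files differ outside ServerList (hash mismatch)")
    return findings


if __name__ == "__main__":
    for line in diff_profiles(ACTIVE_PROFILE, STANDBY_PROFILE):
        print("DRIFT:", line)
```

Any DRIFT line means the standby unit would serve a different profile after a failover than the active unit serves today; copying the current XML to the standby unit resolves it.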

I understand, but we generally run on the primary.  This worked on the primary and stopped working for whatever reason.  Now this tunnel only connects on the secondary.  


The funny thing, I can connect while the secondary is active, then do a no failover active and stay connected.  

While the primary ASA is active run a "debug webvpn" and then connect to AnyConnect, and monitor the debug output to see if anything stands out.

--
Please remember to select a correct answer and rate helpful posts

I will have to get someone else to help with this as I can't really debug my own session when I can't see the firewall...

Note you only have the two built-in free AnyConnect licenses. If you attempt to connect a third session it will give an error on the client similar to what you have reported.

Yes, but the peer (active HA FW) has a license for 2500 and it appears in the VPN peer.

So if he accesses the active unit then he has up to 2500. When it fails, the license will be hosted by the standby and he will also get up to 2500.

The issue, I think, is that when failover happens the detection is not fast; that is why AnyConnect failed, since the license is not hosted until the failover is completely done.

@trilerian1 did you change the hello timer of the HA?

Can I see "show version"?
