01-25-2018 10:47 AM - edited 02-21-2020 07:12 AM
Hi,
We have a couple of ASA 5515/wIPS in active/standby mode.
They both have exactly the same licenses.
The Cisco AnyConnect VPN client works just fine with the primary ASA, but doesn't work (cannot connect) with the stand-by one.
Is that a normal and expected behaviour?
Thanks in advance!
P.
01-25-2018 11:22 AM
Hi,
What errors does the client receive when they cannot connect?
Do you have the anyconnect package uploaded to both appliances?
Is failover functioning correctly?
01-25-2018 11:57 AM
Hi,
>What errors does the client receive when they cannot connect?
The error I get in the client is:
"Failed to read from SSL socket: A TLS packet with unexpected length was received"
I'm using the Cisco AnyConnect Linux client. The same client works OK with the primary ASA.
>Do you have the anyconnect package uploaded to both appliances?
Yes. Just to clarify, I'm trying to connect from a linux laptop to the ASA firewalls.
(the Primary works ok, the stand-by one does not)
>Is failover functioning correctly?
Yes, it does.
BR,
P.
01-26-2018 04:09 AM
A bit more detail.
The issue is caused by "File not found." returned by the standby ASA when the AnyConnect client tries to hit port 443.
i.e.:
https://stand-by-IP/ returns 404 "File not found"
while the primary returns 302 redirect to:
https://primary-IP/+webvpn+/index.html
when the anyconnect client hits: https://primary-IP/
Any idea what could be wrong with the stand-by ASA?
01-26-2018 09:21 AM
This kind of error is typically caused when there is a file used for AnyConnect that is in flash on the primary and is not in flash on the standby. I suggest that you do a show of the content of flash on both ASAs and carefully compare to see if something is missing on the standby.
HTH
Rick
01-26-2018 09:59 AM
Hi,
I checked the flash and all files and dirs seem exactly the same on both ASAs.
I wonder if the stand-by is returning this "File not found" because of its stand-by mode?
P.
01-26-2018 02:21 PM
As I read this thread again I realize that there is something that we need to clarify. I had assumed that we were talking about the ASA after a failover event when the secondary/standby ASA was functioning as the active ASA. But I wonder if the original poster is attempting to connect to the standby ASA while it is still acting as standby. Can we get clarification on this?
HTH
Rick
01-26-2018 11:05 PM
Sure, let me clarify.
I'm attempting to connect to the standby ASA while it is still acting as standby.
P.
01-27-2018 07:27 AM
P
Thank you for the clarification. In this case I believe that you are seeing the expected behavior. You can access the standby ASA by SSH or Telnet or ASDM to be able to manage the device. But any active connection to pass data etc. is expected to use the primary ASA.
HTH
Rick
01-27-2018 12:20 PM
ok, thank you for the info!
The thing is, I'm able to connect with the Cisco AnyConnect VPN client for Windows to both the Active and Stand-by ASAs.
And the linux client can connect to the active one only. So I thought there is something wrong with the stand-by ASA config.
P.
01-27-2018 02:41 PM - edited 01-27-2018 02:41 PM
P
I am surprised. I still believe that the expected behavior is that any connection to pass traffic is expected to be to the active ASA. But if you are successful in establishing a VPN connection for the Windows client then I am puzzled that it does not also work for the Linux client. My experience suggests that the usual cause of this kind of file not found is that some file used for AnyConnect is missing from the standby. Would you execute the command show disk0 | include linux on both ASAs and post the output?
HTH
Rick
01-28-2018 12:11 AM
Hey, sure.
Here is the first active one:
FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 07:36:12 log
22 4096 Feb 25 2013 07:36:26 crypto_archive
123 0 Feb 25 2013 07:36:26 nat_ident_migrate
23 4096 Feb 25 2013 07:36:26 coredumpinfo
24 59 Feb 25 2013 07:36:26 coredumpinfo/coredump.cfg
124 42637312 Feb 25 2013 07:44:46 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
125 17851400 Feb 25 2013 07:55:20 asdm-66114.bin
126 37416960 Mar 11 2013 05:47:34 asa911-smp-k8.bin
127 17989292 Mar 11 2013 05:48:24 asdm-712.bin
128 4096 Feb 25 2013 07:59:10 sdesktop
140 1462 Feb 25 2013 07:59:10 sdesktop/data.xml
129 6487517 Feb 25 2013 07:59:10 anyconnect-macosx-i386-2.5.2014-k9.pkg
130 6689498 Feb 25 2013 07:59:10 anyconnect-linux-2.5.2014-k9.pkg
131 4678691 Feb 25 2013 07:59:12 anyconnect-win-2.5.2014-k9.pkg
132 30720326 Mar 11 2013 05:52:28 anyconnect-win-3.1.02040-k9.pkg
133 11071415 Mar 11 2013 05:53:20 anyconnect-linux-3.1.02043-k9.pkg
134 4096 Mar 11 2013 15:44:24 tmp
7994621952 bytes total (3821047808 bytes free)
FirewallA#
and here is the stand-by one:
FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 01:50:00 log
22 4096 Feb 25 2013 01:50:14 crypto_archive
127 0 Feb 25 2013 01:50:16 nat_ident_migrate
23 4096 Feb 25 2013 01:50:16 coredumpinfo
24 59 Feb 25 2013 01:50:16 coredumpinfo/coredump.cfg
128 4096 Jan 01 1980 01:00:00 FSCK0000.REC
129 42637312 Feb 25 2013 01:59:20 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
130 17851400 Feb 25 2013 02:07:50 asdm-66114.bin
131 37416960 Mar 11 2013 07:06:10 asa911-smp-k8.bin
132 17989292 Mar 11 2013 07:07:04 asdm-712.bin
133 4096 Feb 25 2013 02:11:40 sdesktop
147 1462 Feb 25 2013 02:11:40 sdesktop/data.xml
134 6487517 Feb 25 2013 02:11:40 anyconnect-macosx-i386-2.5.2014-k9.pkg
135 6689498 Feb 25 2013 02:11:40 anyconnect-linux-2.5.2014-k9.pkg
136 4678691 Feb 25 2013 02:11:42 anyconnect-win-2.5.2014-k9.pkg
137 2733 Mar 11 2013 07:06:18 oldconfig_2013Mrz11_1406.cfg
138 30720326 Mar 11 2013 07:08:04 anyconnect-win-3.1.02040-k9.pkg
139 11071415 Mar 11 2013 07:08:36 anyconnect-linux-3.1.02043-k9.pkg
140 4096 Mar 11 2013 07:29:56 tmp
7994621952 bytes total (3821039616 bytes free)
FirewallA#
P.
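To automate the flash comparison Rick suggests, here is an added Python example (not from the thread or from Cisco) that parses the two show disk0 listings posted above, embedded below as sample input, and reports files present on only one unit, size mismatches between shared files, and any required AnyConnect package missing from either side. The function names and the "required package" list are assumptions for illustration.

```python
"""Compare two Cisco ASA `show disk0` listings (active vs standby).

Added example, not code from the thread. The two listings embedded below are
the ones posted in the thread, used here as sample input so the script runs
offline; point the functions at real `show disk0` output in practice.
"""
import re

# One entry line looks like: "<index> <length> <Mon> <DD> <YYYY> <HH:MM:SS> <path>"
# The prompt, the "--#--" header and the "bytes total" summary do not match.
_ENTRY = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S+)\s*$"
)


def parse_show_disk0(text):
    """Return {path: length_in_bytes} for every entry in a show disk0 listing."""
    files = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            files[m.group("path")] = int(m.group("length"))
    return files


def diff_listings(active_text, standby_text, required=()):
    """Compare two listings; `required` names files that must exist on both units."""
    a = parse_show_disk0(active_text)
    s = parse_show_disk0(standby_text)
    shared = set(a) & set(s)
    return {
        "only_on_active": sorted(set(a) - set(s)),
        "only_on_standby": sorted(set(s) - set(a)),
        "size_mismatch": sorted(p for p in shared if a[p] != s[p]),
        "missing_required": sorted(p for p in required if p not in a or p not in s),
    }


def anyconnect_packages(files):
    """Paths that look like AnyConnect client packages, for a quick eyeball check."""
    return sorted(p for p in files if p.startswith("anyconnect-") and p.endswith(".pkg"))


# Sample input: the active unit's listing as posted in the thread.
ACTIVE_LISTING = """FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 07:36:12 log
22 4096 Feb 25 2013 07:36:26 crypto_archive
123 0 Feb 25 2013 07:36:26 nat_ident_migrate
23 4096 Feb 25 2013 07:36:26 coredumpinfo
24 59 Feb 25 2013 07:36:26 coredumpinfo/coredump.cfg
124 42637312 Feb 25 2013 07:44:46 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
125 17851400 Feb 25 2013 07:55:20 asdm-66114.bin
126 37416960 Mar 11 2013 05:47:34 asa911-smp-k8.bin
127 17989292 Mar 11 2013 05:48:24 asdm-712.bin
128 4096 Feb 25 2013 07:59:10 sdesktop
140 1462 Feb 25 2013 07:59:10 sdesktop/data.xml
129 6487517 Feb 25 2013 07:59:10 anyconnect-macosx-i386-2.5.2014-k9.pkg
130 6689498 Feb 25 2013 07:59:10 anyconnect-linux-2.5.2014-k9.pkg
131 4678691 Feb 25 2013 07:59:12 anyconnect-win-2.5.2014-k9.pkg
132 30720326 Mar 11 2013 05:52:28 anyconnect-win-3.1.02040-k9.pkg
133 11071415 Mar 11 2013 05:53:20 anyconnect-linux-3.1.02043-k9.pkg
134 4096 Mar 11 2013 15:44:24 tmp
7994621952 bytes total (3821047808 bytes free)
"""

# Sample input: the standby unit's listing as posted in the thread.
STANDBY_LISTING = """FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 01:50:00 log
22 4096 Feb 25 2013 01:50:14 crypto_archive
127 0 Feb 25 2013 01:50:16 nat_ident_migrate
23 4096 Feb 25 2013 01:50:16 coredumpinfo
24 59 Feb 25 2013 01:50:16 coredumpinfo/coredump.cfg
128 4096 Jan 01 1980 01:00:00 FSCK0000.REC
129 42637312 Feb 25 2013 01:59:20 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
130 17851400 Feb 25 2013 02:07:50 asdm-66114.bin
131 37416960 Mar 11 2013 07:06:10 asa911-smp-k8.bin
132 17989292 Mar 11 2013 07:07:04 asdm-712.bin
133 4096 Feb 25 2013 02:11:40 sdesktop
147 1462 Feb 25 2013 02:11:40 sdesktop/data.xml
134 6487517 Feb 25 2013 02:11:40 anyconnect-macosx-i386-2.5.2014-k9.pkg
135 6689498 Feb 25 2013 02:11:40 anyconnect-linux-2.5.2014-k9.pkg
136 4678691 Feb 25 2013 02:11:42 anyconnect-win-2.5.2014-k9.pkg
137 2733 Mar 11 2013 07:06:18 oldconfig_2013Mrz11_1406.cfg
138 30720326 Mar 11 2013 07:08:04 anyconnect-win-3.1.02040-k9.pkg
139 11071415 Mar 11 2013 07:08:36 anyconnect-linux-3.1.02043-k9.pkg
140 4096 Mar 11 2013 07:29:56 tmp
7994621952 bytes total (3821039616 bytes free)
"""

if __name__ == "__main__":
    # Assumed required package: the Linux client image the thread is about.
    report = diff_listings(ACTIVE_LISTING, STANDBY_LISTING,
                           required=["anyconnect-linux-3.1.02043-k9.pkg"])
    for key, paths in report.items():
        print(f"{key}: {paths if paths else 'none'}")
    print("anyconnect packages on active:",
          anyconnect_packages(parse_show_disk0(ACTIVE_LISTING)))
```

On the listings from the thread the script reports nothing missing from the standby and no size differences; the only extras on the standby are FSCK0000.REC (a recovery file left behind by a filesystem check, dated 1980 because the filesystem clock had no valid time) and an old saved config, neither of which AnyConnect uses. That matches the thread's conclusion that flash content is not the cause here, and the same script can be reused after any image upgrade to confirm both failover units carry identical client packages.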
01-29-2018 02:25 PM
P
Thanks for this output. It does confirm that the same file for the Linux client is present on both ASAs. Please post the output of the command show run | include linux
HTH
Rick
01-29-2018 09:08 PM
The only difference is:
>failover lan unit primary
<failover lan unit secondary
Everything else is the same.
P.
01-30-2018 10:43 AM
Thanks for the information. I am about out of ideas why the Linux client behaves differently from the Windows client. Perhaps someone else in the forum may come up with something else.
HTH
Rick