ASA 5515 in failover active/stand-by VPN question

plaer
Level 1

Hi,
We have a couple of ASA 5515/wIPS in active/standby mode.

They both have exactly the same licenses.

The Cisco anyconnect VPN client works just fine with the primary ASA, but doesn't work (can not connect) with the stand-by one.

Is that a normal and expected behaviour?


Thanks in advance!

P.

14 Replies

Hi,

What errors does the client receive when they cannot connect?

Do you have the anyconnect package uploaded to both appliances?

Is failover functioning correctly?

Hi,

>What errors does the client receive when they cannot connect?
The error I get in the client is:

"Failed to read from SSL socket: A TLS packet with unexpected length was received"

I'm using the cisco anyconnect Linux client. Same client works ok with the primary ASA.


>Do you have the anyconnect package uploaded to both appliances?
Yes. Just to clarify, I'm trying to connect from a linux laptop to the ASA firewalls.
(the Primary works ok, the stand-by one does not)


>Is failover functioning correctly?
Yes, it does.


BR,

P.


A bit more details.

The issue is caused by a "File not found." returned by the standby ASA when the AnyConnect client tries to hit port 443.

i.e.:

https://stand-by-IP/ returns 404 "File not found"
while the primary returns 302 redirect to:
https://primary-IP/+webvpn+/index.html
when the anyconnect client hits: https://primary-IP/

Any idea what could be wrong with the stand-by ASA?

This kind of error is typically caused when there is a file used for AnyConnect that is in flash on the primary and is not in flash on the standby. I suggest that you do a show of the content of flash on both ASA and carefully compare to see if something is missing on the standby.


HTH


Rick


Hi,


I checked the flash and all files and dirs seem exactly the same on both ASAs.

I wonder if the stand-by is returning this "File not found" because of its stand-by mode?


P.

As I read this thread again I realize that there is something that we need to clarify. I had assumed that we were talking about the ASA after a failover event when the secondary/standby ASA was functioning as the active ASA. But I wonder if the original poster is attempting to connect to the standby ASA while it is still acting as standby. Can we get clarification on this?


HTH


Rick


Sure, let me clarify.

I'm attempting to connect to the standby ASA while it is still acting as standby.

P.

Thank you for the clarification. In this case I believe that you are seeing the expected behavior. You can access the standby ASA by SSH or Telnet or ASDM to be able to manage the device. But any active connection to pass data etc. is expected to use the primary ASA.


HTH


Rick


ok, thank you for the info!

The thing is I'm able to connect with the Cisco AnyConnect VPN client for Windows to both the Active and the Stand-by ASAs.

And the linux client can connect to the active one only. So I thought there is something wrong with the stand-by ASA config.

P.

I am surprised. I still believe that the expected behavior is that any connection to pass traffic is expected to be to the active ASA. But if you are successful in establishing a VPN connection for the Windows client then I am puzzled that it does not also work for the Linux client. My experience suggests that the usual cause of this kind of file not found is that some file used for AnyConnect is missing from the standby. Would you execute the command show disk0 | include linux on both ASA and post the output?


HTH


Rick

Hey, sure.

Here is the first active one:

FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 07:36:12 log
22 4096 Feb 25 2013 07:36:26 crypto_archive
123 0 Feb 25 2013 07:36:26 nat_ident_migrate
23 4096 Feb 25 2013 07:36:26 coredumpinfo
24 59 Feb 25 2013 07:36:26 coredumpinfo/coredump.cfg
124 42637312 Feb 25 2013 07:44:46 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
125 17851400 Feb 25 2013 07:55:20 asdm-66114.bin
126 37416960 Mar 11 2013 05:47:34 asa911-smp-k8.bin
127 17989292 Mar 11 2013 05:48:24 asdm-712.bin
128 4096 Feb 25 2013 07:59:10 sdesktop
140 1462 Feb 25 2013 07:59:10 sdesktop/data.xml
129 6487517 Feb 25 2013 07:59:10 anyconnect-macosx-i386-2.5.2014-k9.pkg
130 6689498 Feb 25 2013 07:59:10 anyconnect-linux-2.5.2014-k9.pkg
131 4678691 Feb 25 2013 07:59:12 anyconnect-win-2.5.2014-k9.pkg
132 30720326 Mar 11 2013 05:52:28 anyconnect-win-3.1.02040-k9.pkg
133 11071415 Mar 11 2013 05:53:20 anyconnect-linux-3.1.02043-k9.pkg
134 4096 Mar 11 2013 15:44:24 tmp

7994621952 bytes total (3821047808 bytes free)
FirewallA#

and here is the stand-by one:

FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 01:50:00 log
22 4096 Feb 25 2013 01:50:14 crypto_archive
127 0 Feb 25 2013 01:50:16 nat_ident_migrate
23 4096 Feb 25 2013 01:50:16 coredumpinfo
24 59 Feb 25 2013 01:50:16 coredumpinfo/coredump.cfg
128 4096 Jan 01 1980 01:00:00 FSCK0000.REC
129 42637312 Feb 25 2013 01:59:20 IPS-SSP_5515-K9-sys-1.1-a-7.1-4-E4.aip
130 17851400 Feb 25 2013 02:07:50 asdm-66114.bin
131 37416960 Mar 11 2013 07:06:10 asa911-smp-k8.bin
132 17989292 Mar 11 2013 07:07:04 asdm-712.bin
133 4096 Feb 25 2013 02:11:40 sdesktop
147 1462 Feb 25 2013 02:11:40 sdesktop/data.xml
134 6487517 Feb 25 2013 02:11:40 anyconnect-macosx-i386-2.5.2014-k9.pkg
135 6689498 Feb 25 2013 02:11:40 anyconnect-linux-2.5.2014-k9.pkg
136 4678691 Feb 25 2013 02:11:42 anyconnect-win-2.5.2014-k9.pkg
137 2733 Mar 11 2013 07:06:18 oldconfig_2013Mrz11_1406.cfg
138 30720326 Mar 11 2013 07:08:04 anyconnect-win-3.1.02040-k9.pkg
139 11071415 Mar 11 2013 07:08:36 anyconnect-linux-3.1.02043-k9.pkg
140 4096 Mar 11 2013 07:29:56 tmp

7994621952 bytes total (3821039616 bytes free)
FirewallA#

P.
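Rick's advice above is to compare the flash contents of both units and look for anything missing on the standby; the two listings just posted are the raw material for that. The following is an added example (not code from the thread or from Cisco) that parses "show disk0" output from each unit and reports files missing on either side or differing in size, ignoring the index numbers and timestamps that legitimately differ between failover peers. The sample listings are constructed in the same format as the ones in the thread.

```python
import re
from typing import Dict, List, NamedTuple

class FlashEntry(NamedTuple):
    index: int
    length: int
    timestamp: str
    path: str

# Entry lines look like: "130 6689498 Feb 25 2013 07:59:10 anyconnect-linux-2.5.2014-k9.pkg"
_ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)

def parse_show_disk0(output: str) -> Dict[str, FlashEntry]:
    """Map path -> entry; prompt, header and 'bytes total' lines do not match and are skipped."""
    entries: Dict[str, FlashEntry] = {}
    for line in output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            idx, length, ts, path = m.groups()
            entries[path] = FlashEntry(int(idx), int(length), ts, path)
    return entries

def compare_flash(active: str, standby: str) -> Dict[str, List[str]]:
    """Compare two listings by path and byte length only."""
    a, s = parse_show_disk0(active), parse_show_disk0(standby)
    return {
        "missing_on_standby": sorted(set(a) - set(s)),
        "missing_on_active": sorted(set(s) - set(a)),
        "size_mismatch": sorted(p for p in set(a) & set(s) if a[p].length != s[p].length),
    }

# Constructed sample listings (hypothetical hostnames, sizes chosen to show each finding)
ACTIVE = """FirewallA# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 07:36:12 log
130 6689498 Feb 25 2013 07:59:10 anyconnect-linux-2.5.2014-k9.pkg
133 11071415 Mar 11 2013 05:53:20 anyconnect-linux-3.1.02043-k9.pkg
132 30720326 Mar 11 2013 05:52:28 anyconnect-win-3.1.02040-k9.pkg

7994621952 bytes total (3821047808 bytes free)
FirewallA#"""
STANDBY = """FirewallB# show disk0
--#-- --length-- -----date/time------ path
11 4096 Feb 25 2013 01:50:00 log
128 4096 Jan 01 1980 01:00:00 FSCK0000.REC
135 6689498 Feb 25 2013 02:11:40 anyconnect-linux-2.5.2014-k9.pkg
138 30720000 Mar 11 2013 07:08:04 anyconnect-win-3.1.02040-k9.pkg

7994621952 bytes total (3821039616 bytes free)
FirewallB#"""

if __name__ == "__main__":
    for finding, paths in compare_flash(ACTIVE, STANDBY).items():
        print(f"{finding}: {paths}")
```

Feed it the real output of both units and an empty result for the AnyConnect packages is what you want to see; a size mismatch on a package that "exists" on both sides is a truncated upload and would not be caught by eyeballing the path list alone.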

Thanks for this output. It does confirm that the same file for the Linux client is present on both ASA. Please post the output of the command show run | include linux


HTH


Rick


The only difference is:


>failover lan unit primary

<failover lan unit secondary

Everything else is the same.


P.

Thanks for the information. I am about out of ideas why the Linux client behaves differently from the Windows client. Perhaps someone else in the forum may come up with something else.


HTH


Rick
