Effect of manual failover on established AnyConnect sessions?

Max-Morten Conrad · ‎05-07-2020

Hi forums,

just a quick question regarding behaviour of AnyConnect sessions in the case of manually performed failover. Naturally, the VPN sessiondb is synced over an ASA failover cluster. My assumption is that when a manual failover of the cluster nodes is performed (via 'failover active' on standby node), VPN sessions are practically unaffected for the end users (i.e no disconnect of VPN session, maybe a loss of a few packets?). Is that assumption correct?

Many thanks and best regards,

Max Conrad

Sheraz.Salim · ‎05-07-2020

Yes this is correct.

please do not forget to rate.

m.andersson.se · ‎03-29-2023

Hi!

Thats not the case for me... Cisco Firepower 1140 (9.16.3.190) Active/Standby konfiguration and State Failover configured.

I´m always doing upgrade for clusters with AnyConnect configured because 95% of the sessions don´t survive a failover.

What have I missed in my config?

hsahman · ‎08-03-2023

Not for me either... the convergence times have become significantly worse since 9.16.x.
Currently I have about 10 seconds packetloss on both ASAv and FPR4100 because the Anyconnect reconnects the tunnel. We are using TLS/DTLSv1.2.

The failover and anyconnect setup has not been changed since 9.14 (except for better encrytion parameters and newer client versions).

Is there a best practice recommendation here to tweak the convergence times?

Marvin Rhoads · ‎08-03-2023

I see RA VPN failover working seamlessly on my clients' ASA and FTD firewall HA pairs alike. I have upgraded dozens going back several versions and most often I do it from a VPN-connected client. Usually I don't see anything or at most a brief (<5 seconds) loss of connectivity if I am using an RDP session to a jump box.

tvotna · ‎08-04-2023

This may depend on scale and software version, because there is a known issue with SSL VPN failover: CSCvr92291. Unfortunately, it's unknown in which interim versions this issue was fixed, if it was.

Despite session replication, TLS and DTLS sessions need to be re-established via session resume, 'V' routes recreated, traffic is affected for few seconds.

hsahman · ‎08-04-2023

Thank you guys,

@tvotnathis sounds similar to what we expiriance... The bug is marked as fixed... unfortunatly there is no Known Fixed Releases announced ... yeah.

Is there something I can do to tweak the config ?
Currently I'm running 9.16.4.27 with secure-client 5 and the needed licensing.
Client connection details:
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Encapsulation: TLSv1.2 / DTLSv1.2

Have a nice weekend!

tvotna · ‎08-07-2023

I don't think config tweaks can help here.

tvotna · ‎08-08-2023

The bug I mentioned has never been fixed in public versions. It was fixed in a private branch only. You may want to open TAC case to clarify why.