FTD getting remote users connected on its standby unit.

sam cook

Hi

We have 2 FTD 2110 on version 6.4, in active-passive high availability mode.

And yet we see some remote access AnyConnect users connected on the standby unit. Is this normal?

We are going to shut down the standby unit. Is there any production cut risk for these users?

Thanks


Marvin Rhoads

In an HA pair, the standby synchronizes the VPN connection state table with the primary. This is so that, in the event of a failover, the users don't have to re-establish a VPN connection.

Shutdown or disconnection of the standby unit will not have any effect on these users' session to the primary unit.

Hi Marvin,

Thank you, but the strange thing is that I see users connected on the standby unit but I cannot see them on the primary one.

If it was simply VPN connection state table synchronization, I should have seen the same users on both appliances, but that is not the case.

Marvin Rhoads

That is odd. Does "show vpn-sessiondb anyconnect detail" show the users as active? Do those users show up on the active unit at all? Could you contact one of them personally and inquire about their status from their perspective? If you force a logoff for that user from the FTD side do they reconnect to the active unit?

@marvin and @sam I have seen this issue in a production network, where the end user was connected to the standby FTD public IP address. In my case this particular user was able to connect to the FTD (connected to the standby IP address).

Please do not forget to rate.