04-02-2021 03:11 AM
Hi
We have 2 FTD 2110 on version 6.4, in active-passive high availability mode.
And yet we see some remote access AnyConnect users connected on the standby unit. Is this normal?
We are going to shut down the standby unit; is there any risk of a production outage for these users?
Thanks
04-02-2021 03:52 AM
In an HA pair, the standby synchronizes the VPN connection state table with the primary. This is so that, in the event of a failover, the users don't have to re-establish a VPN connection.
Shutdown or disconnection of the standby unit will not have any effect on these users' session to the primary unit.
04-02-2021 06:54 AM
Hi Marvin,
Thank you, but the strange thing is that I see users connected on the standby unit but I cannot see them on the primary one.
If it were simply VPN connection state table synchronization, I should have seen the same users on both appliances, but that is not the case.
04-03-2021 07:53 AM
That is odd. Does "show vpn-sessiondb anyconnect detail" show the users as active? Do those users show up on the active unit at all? Could you contact one of them personally and inquire about their status from their perspective? If you force a logoff for that user from the FTD side do they reconnect to the active unit?
04-05-2021 01:09 AM