02-21-2011 10:54 AM - edited 08-24-2017 12:59 AM
Optimal Gateway Selection (OGS) is a feature that can be used for determining which gateway has the lowest RTT and connect to that gateway. Using the Optimal Gateway Selection (OGS) feature, administrators can minimize latency for Internet traffic without user intervention. With OGS, AnyConnect identifies and selects which secure gateway is best for connection or reconnection. OGS begins upon first connection or upon a reconnection at least four hours after the previous disconnection. More information can be foundin the Administrator's guide, this document explains how to troubleshoot issues with OGS.
A simple “ping” request will not work here as many ASA firewalls are configured to block ICMP packets in order to prevent discovery. Instead, the client will send three HTTP/443 requests to each headend that appears in a merge of all profiles. In order to ensure a (re)connection doesn't take too long, OGS by default selects the previous gateway if it doesn't receive any ping results within 7 seconds. (Look for "OGS ping results" in the log)
Note: The Anyconnect client should send an HTTP request to 443 as we don't care about getting a successful response, just a response. Unfortunately, the fix for proxy handling had the side-effect of sending all requests as HTTPS. See http://cdets.cisco.com/apps/dumpcr?&content=summary&format=html&identifier=CSCtg38672CSCtg38672 OGS should ping with HTTP requests
Enhancement CSCtk66531 was filed to make these settings user-configurable.
Once the calculation is done the results are stored in the preferencs_global file. In Windows it can be found under "C:\Documents and Settings\All Users\ApplicationData\Cisco". There have been issues with this data not being stored in the file before, refer bug CSCtj84626 for more details.
OGS caching works on a combination of DNS domain and individual DNS server IP addresses. It works as follows:
The most common use case is when a user at home runs OGS the first time it records the DNS settings and the ping results in the cache (defaults to 14 days timeout). When the user returns home the next evening OGS detects the same DNS settings, finds it in the cache and skips the ping test. Later when the user goes to a hotel or restaurant that offers internet service OGS detects different DNS settings, runs the ping tests, selects the best gateway and records the results in the cache.The processing is identical when resuming from a suspended or hibernate state, assuming the OGS and AnyConnect resume settings allow for it.
To clear the OGS cache in order to reevaluate the RTT of available gateways simply delete the Global AnyConnect Preferences file from the PC.
Tip: Sicne the capture is only for testing OGS, it's best to stop the captures as soon as the client selects a gateway. It's best to not run through a complete connection attempt as that can cloud the packet capture.
To verify why OGS selected a particular gateway:
Inspect the capture for the TCP/SSL probes used to calculate RTT. See how long the HTTPs request takes over a single TCP connection. Each probe request should use a different TCP connection. To do this open the capture in wireshark and repeat the following steps for each of the servers:
Once the capture is analysed for each server and the values are compared to those seen in the DART logs, if they all match up and it still seems like the wrong gateway is being selected, then it's due to one of two things:
1. Are there to many retransmissions from one particular headend, or any other such oddities seen in the probes?This could indicate an issue on the headned.
2. Fragmentation or large delays seen for one particular headend usually indicate problems with the ISP.
Q: Does OGS work with load balancing?
A: Yes. OGS will only be aware of the cluster master name and will use that for judging the nearest head-end.
Q: Does OGS work with proxy settings defined in the browser?
A: OGS doesn't support auto proxy or PAC files but does support a hard-coded proxy server. As such, OGS operation does not occur. The relevant log message is: "OGS will not be performed because automatic proxy detection is configured"
Thanks for this great contribution!
Hello,
Can you please let me know how will the client reach if the optimized gateway is full?
Thanks,
Deepak
very helpful information thanks.
That is very good info about OGS, Thanks !
Do you know if enhancement request CSCtk66531 will also include an option for user to manually force OGS to run again ?
No it does not. I've updated the bug so that more details are visible. They should be published to cisco.com shortly. I've also filed enhance #CSCum05373 to track your request.
Of note, OGS doesn't currently work correctly with Always On VPN. this incompatibility is referenced in CSCuq37889. Behaviour is that the first gateway which responds is selected as the "optimal" gateway. No other gateways are even checked. The file referenced as storing the selected gateway ends up empty.
I'd class this as a fairly bad bug, but it is currently classified as an "enhancement" request.
Hi Chris,
The reason that bug is an enhancement request is because OGS was never designed to work with Always ON VPN. However, because customers are using it in tandem we have decided to redesign the two features so that they may work together. If you would like to see this integration implemented soon please let your Account Manager know so they can follow up with the Anyconnect Product Manager.
Regards,
Atri
Hello,
I would like to know if OGS is still supported on anyconnect version 4.x?
I am trying to configure it using client 4.1 but I don't seem to have the right configuration. Is there a good guide that I can follow for the complete configuration?
Can we have a single domain name (testanyconnect.com) so that it can resolve more than one IP?
We would like to have two or more ASAs across the US being capable of accepting Anyconnect users. The users should be able to connect to the closest ASA.
Is that possible?
Paul Gilbert Arias, to present a single FQDN but be routed to the closest VPN gateway requires a global load balancer or sorts such as F5's Global Traffic Manager. This is basically an intelligent DNS server that uses GeoIP location to look up where the DNS query for your public FQDN is being sourced from and depending on the GeoIP database lookup will determine what IP the load balancer gives to the client. You would be able to control west based IP's to be served the IP address of your west VPN gateway and east based IP's to be served the IP address of your east VPN gateway. There is nothing built into the ASA to do this exact setup on it's own.
However, you could setup an AnyConnect Client Profile that has your VPN gateways predefined and use OGS so that the client can choose the closest VPN gateway based on the RTT values it gets from the probes. You'd want to be sure to disable the "User Controllable" option for OGS so that the users can't manually choose the gateway.
Many thanks for the complete 1 stop all you need to know about OGS / Kudos !!
Also Very much appreciate the great , on point , extremely useful comments left by @Atri Basu
More details can be found in this rich article created by Atri :
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: