02-22-2012 10:24 AM - edited 02-21-2020 05:53 PM
I'm trying to understand the use of the Backup Server option in the AnyConnect Client Profile.
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
(Screenshot attached)
My questions:
1. In what scenarios do we add servers (ASA devices) in this tab?
2. If I have the same information in two different locations (Site A and Site B) for AnyConnect users, can I add Site A-ASA and Site B-ASA to the Backup Server tab as a failover mechanism for the end user?
3. Or is it only used to mention ASA devices configured in a failover unit?
4. In the case of a failover unit, does it support stateful failover?
I could not find answers to the above questions from a Google search, so I am asking here.
02-03-2015 03:25 AM
Yes, you can use it as a failover mechanism.
Please check the same, which is documented here:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#pgfId-1455959
02-20-2015 01:10 PM
Hi SWJ,
Do you know if the backup server configuration also works for IP phones using AnyConnect to connect to an ASA?
If I create the profile, is it going to be pushed to the phones after the first time they connect and they will keep it as a backup option?
Thank you,
02-22-2015 11:37 AM
I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios:
1) ASAs at two different sites
2) ASAs configured as a High Availability failover pair (Active/Standby).
The profile does work to provide failover in 1) but does not work to provide failover in 2).
I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client, and if the phone is using the AnyConnect client then it ought to support that failover.
If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
HTH
Rick
07-22-2015 06:03 AM
In my experience, iOS (iPhone), Linux, Windows and macOS with AnyConnect can all use the backup server entries in the AnyConnect profile. This is usually used when you have two data centers at diverse locations. It looks something like this inside the profile:
    <HostName>hunkydory.aixrs.local</HostName>
    <HostAddress>hunkydory.aixrs.local</HostAddress>
    <BackupServerList>
        <HostAddress>dornfest.aixrs.local</HostAddress>
    </BackupServerList>
    <PrimaryProtocol>IPsec</PrimaryProtocol>
Failover for the ASA when using AnyConnect does not require the use of "backup servers" in the AnyConnect profile. AnyConnect connections will fail over instantly. This would be for ASA devices located in the same location where failover has been configured between devices.
For option 1 the failover is in the client.
For option 2 the failover is in the ASA.
I see no reason that you could not use both, but you would need two sets of ASAs with different host names, either located locally or at diverse sites.
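As an added example (not part of the posts above and not Cisco code), this script audits a profile for the client-side failover described in this thread: it lists each host entry's backup servers and flags entries with none, or with a backup that only repeats the primary. The enclosing `ServerList`/`HostEntry` elements, the `xmlns` value and the `example.com` entries are assumptions made for the sample; only the first entry's inner elements come from the fragment quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample. ServerList/HostEntry wrappers and the xmlns are assumed;
# the first entry's inner elements are the fragment quoted in the post above.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>hunkydory.aixrs.local</HostName>
      <HostAddress>hunkydory.aixrs.local</HostAddress>
      <BackupServerList>
        <HostAddress>dornfest.aixrs.local</HostAddress>
      </BackupServerList>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Site B (constructed)</HostName>
      <HostAddress>vpn-b.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>VPN-B.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Lab (constructed)</HostName>
      <HostAddress>lab.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def local(tag):  # drop any '{namespace}' prefix from an element tag
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return one dict per HostEntry: primary, backups, findings."""
    report = []
    entries = [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "HostEntry"]
    for entry in entries:
        primary, backups = "", []
        for child in entry:
            if local(child.tag) == "HostAddress":
                primary = (child.text or "").strip()
            elif local(child.tag) == "BackupServerList":
                backups = [(b.text or "").strip() for b in child
                           if local(b.tag) == "HostAddress"]
        findings = []
        if not backups:
            findings.append("no backup server listed")
        if any(b.lower() == primary.lower() for b in backups):
            findings.append("backup duplicates primary")
        report.append({"primary": primary, "backups": backups, "findings": findings})
    return report
```

Calling `audit_profile(SAMPLE_PROFILE)` returns three rows; an empty `findings` list means the entry names at least one distinct backup gateway.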
08-14-2024 12:14 PM
Hi Richard,
I know this is an old post, but I was wondering if backup would work in the scenario with one FTD with two internet connections. They would use vpn1.example.com while ISP one is working, but if the firewall fails over to ISP two for whatever reason, could it use vpn2.example.com and fail over automatically? I appreciate your thoughts.
Thanks
Anthony