cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2200
Views
0
Helpful
3
Replies

AnyConnect Client Profile CONFIGURATION replication issues

Patrick Bixler
Enthusiast
Enthusiast

Before I get too deep into this, I want to specify that this is not the profile (.xml) file that I am referring to, but the actual configuration found in the CLI or ASDM.

 

I understand that the following are not replicated between an active and standby.

 

• AnyConnect images

• CSD images

• ASA images

• AnyConnect profiles

• Local Certificate Authorities (CAs)

• ASDM images

 

My issue is that I had configured over 50 different AnyConnect Client Profiles on my Primary-Active unit.  On ASDM this is under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.  In the CLI, this is the global "webvpn" configuration that looks something like this.

 

webvpn
  enable outside
    anyconnect-custom-attr no-dhcp-server-route
    anyconnect image disk0:/anyconnect-win-4.4.00243-webdeploy-k9.pkg 1
    anyconnect image disk0:/anyconnect-macos-4.4.00243-webdeploy-k9.pkg 2
    anyconnect image disk0:/anyconnect-linux64-4.4.00243-webdeploy-k9.pkg 3
    anyconnect profiles VPN1 disk0:/vpn1.xml
    anyconnect profiles VPN2 disk0:/vpn2.xml
    anyconnect profiles VPN3 disk0:/vpn3.xml
    anyconnect profiles VPN4 disk0:/vpn4.xml
    anyconnect profiles VPN5 disk0:/vpn5.xml
    anyconnect profiles VPN6 disk0:/vpn6.xml
    anyconnect profiles VPN7 disk0:/vpn7.xml
    anyconnect profiles VPN8 disk0:/vpn8.xml
    anyconnect profiles VPN9 disk0:/vpn8.xml
  anyconnect enable
  tunnel-group-list enable
  cache
    disable
  error-recovery disable

 

There were 9 previously configured Client profiles that go back a few years.  The other 40+ were added over the past year. 

 

What happened is our appliances failed over on March 5th without us knowing about it.  Since then we have added a couple of Site to Site VPNs, so there has been numerous times that the configuration has been saved on the now Secondary-Active appliance.

 

I have a configuration dated Feb 13, 2019, that shows the 50+ "anyconnect profiles" under the global webvpn section.  That is when we were running Primary-Active.  Today, the Primary-Standby unit only shows 9 "anyconnect profiles" under that global webvpn section.  What that means is that those other 40+ profiles have been removed.

 

We added one of those missing anyconnect profiles back into the configuration and saved it on the Standby-Active unit, but it did not replicate that configuration to the Primary-Standby unit.

 

I know that Cisco has some faulty logic on some other products, but this doesn't make sense.

 

IF the "anyconnect profiles" under the webvpn in the CLI (in ASDM the AnyConnect Client Profiles) is not replicated from the Active to Standby appliance, then why is it that my Primary-Standby appliance no longer has the previous configurations?  This seems like that while the profile is not replicated from active to standby that anything on the standby that is not on the active is removed.  Again .. faulty logic.

 

What this means is that I am recreating 40+ profiles today on both appliances to ensure they are the same.  

 

Comments welcome.

3 Replies 3

Patrick Bixler
Enthusiast
Enthusiast

To add to this, under the group-policy, the following has been removed for those same 40+ profiles.

 

  webvpn

    anyconnect profiles value VPN25 type user

 

 

I manually added the missing "anyconnect profiles" from the global webvpn setting on the Secondary-Active and it replicated the configuration to the Primary-Standby as it should.  I also added the missing webvpn settings under the affected group policies and those replicated as well.

 

The only way that I can think of how this broke was when the Primary was active, the configuration for these profiles did not sync because the associated .xml file was not on the Secondary-Standby appliance.  So when the failover occurred and changes were made on the Secondary-Active, those configurations that did not exist turned into removals on the now Primary-Standby.  

 

 

 

 

I agree that the logic is messed up. But this is how it works:

 

When you create the xml profile on the active unit via ASDM, it saves the xml file in flash:/. It also enables the profile under the global webvpn settings. At this point, the ASA creates a cached profile of the actual xml file under the directory cache"/stc/profiles, which is then referenced for all the configuration (including the group-policy). This cache file creation only happens when the command gets applied on the webvpn settings. 

 

Once you transfer the xml file to the standby unit, you have to re-apply that command on the active unit again, so that the cache file gets created on the standby unit. This is documented here:

 

The ASA uses a cached file for the AnyConnect client profile stored in cache:/stc/profiles, and not the file stored in the flash file system. To replicate the AnyConnect client profile to the standby unit, perform one of the following:
Enter the write standby command on the active unit.
Reapply the profile on the active unit.
Reload the standby unit

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/ha-failover.html#ID-2107-00000205

 

Your theory about how this could have happened seems correct. My suggestion is to transfer the xml files manually and then re-apply the webvpn profile commands manually. This should ensure that the xml profile cache files are created on the standby.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: