Anyconnect connection for ISP1 fails, ISP2 works

mcgiga
Level 1

Hi,

I have configured two ISPs (WAN1, WAN2). VPN with anyconnect was already working for both ISPs. Today when doing final tests, VPN for ISP1 on WAN1 is not working anymore. ISP2 on WAN2 still works.

ASA log shows:

Starting SSL handshake with client WAN1: 10.10.10.10/50083 to 10.10.10.6/443 for TLS session
Device selects trust-point ASDM_TrustPoint1 for client WAN1: 10.10.10.10/50083 to 10.10.10.6/443
Device completed SSL handshake with client WAN1: 10.10.10.10/50083 to 10.10.10.6/443 for TLSv1.3 session
SSL session with client WAN1: 10.10.10.10/50083 to 10.10.10.6/443 terminated
Teardown TCP connection 9360 for WAN1: 10.10.10.10/50083 to identity: 10.10.10.6/443 duration 0:00:00 bytes 3906 TCP Reset-O from identity
Deny TCP (no connection) from 10.10.10.10/50083 to 10.10.10.6/443 flags FIN ACK on interface WAN1

I don't have a clue what the issue could be.

Accepted Solution

mcgiga
Level 1

We have found the cause in cooperation with Cisco TAC.

We needed to configure a group URL in the tunnel group profile, i.e. vpn1.domain.com/TunnelGroupName

It's unclear why this group URL is not needed for the configured backup server in the anyconnect XML. The second vpn connection was still working but not the primary one.

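As an added illustration of the fix described above (not configuration taken from the original post), this is how a group-url is attached to a tunnel group on the ASA, together with the commands used to verify it. The tunnel-group name TunnelGroupName and the hostnames vpn1.domain.com / vpn2.domain.com are placeholders from the post; the interface names WAN1 and WAN2 come from the posted log. Putting both hostnames under the same tunnel group is an assumption about the intended layout, so that the AnyConnect profile's primary host and its backup server both land in the same group; the username placeholder in the last command is mine.

```text
! Added example, not the poster's configuration. Names are placeholders from the thread.
! Tunnel group that both the profile's primary host and its backup server should map to.
tunnel-group TunnelGroupName type remote-access
tunnel-group TunnelGroupName webvpn-attributes
 ! One group-url per hostname the client may present. The URL the client connects
 ! to has to match one of these (scheme, host and path); a hostname with no matching
 ! group-url or group-alias cannot be mapped to this tunnel group.
 group-url https://vpn1.domain.com/TunnelGroupName enable
 group-url https://vpn2.domain.com/TunnelGroupName enable
!
! The AnyConnect listener must be enabled on both ISP-facing interfaces.
webvpn
 enable WAN1
 enable WAN2
!
! Verification after the change:
show running-config tunnel-group TunnelGroupName
show webvpn group-url
! Reproduce a connection to the primary hostname; the session should no longer be
! torn down immediately after the TLS handshake completes.
debug webvpn anyconnect 255
show vpn-sessiondb anyconnect filter name <username>
```

A check worth doing before concluding the case: compare the `show webvpn group-url` output against the exact host names in the AnyConnect profile (the primary HostAddress and the BackupServerList entries). A mismatch on one hostname only produces precisely the asymmetry seen in this thread, where the primary name fails and the backup name still works, so the comparison tells you whether the two hostnames were ever being handled the same way.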


balaji.bandi
Hall of Fame

What model of ASA, and what code is it running? Is the ASA behind NAT for the VPN?

How are you load-balancing the VPN connection over DNS?

Check this configuration reference (also provide the config you have, removing confidential information):

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/68328-remotevpn-loadbal-asa.html

BB


It's a Secure Firewall 3105 running ASA. Version is 9.20(3)4. ASA is located behind both ISP routers.

There is no load balancing. ISP1 is used for VPN primarily. If ISP1 fails and the ASA switches to ISP2 with its default route, we connect to that WAN IP address. There are two A records in DNS, one per ISP (like VPN1.domain, VPN2.domain). Anyconnect has VPN2 specified as the backup server.

It's weird because everything was working. I don't know what changes could have caused it. Previously we were running 9.20(3).

I have downgraded to 9.20(3) but the issue still exists.

Hi,

Do a packet capture on both WAN interfaces.

Use the IP of the AnyConnect PC (the real IP, not the IP assigned from the VPN pool) in your capture.

I think you have asymmetric traffic that leads to the TCP teardown.

MHM

What do I have to do, and how?

Packet tracer was fine, but maybe it is not precise enough.

Not packet tracer, but a capture.

If the traffic is asymmetric, then it will be dropped.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

MHM
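As an added example of the captures suggested above (not commands posted by anyone in the thread), this is the ASA capture set that separates "asymmetric routing" from "the ASA itself closed the session". The client address 10.10.10.10 and the WAN1 address 10.10.10.6 are taken from the posted log; the WAN2 address is not given in the thread, so the WAN2 capture matches any destination on port 443. The capture names CAP_WAN1, CAP_WAN2 and CAP_DROP are my own.

```text
! Added example, not from the thread. Addresses are taken from the posted log lines.
! Per-interface captures keyed on the AnyConnect PC's real (pre-tunnel) address.
capture CAP_WAN1 interface WAN1 match tcp host 10.10.10.10 host 10.10.10.6 eq 443
capture CAP_WAN2 interface WAN2 match tcp host 10.10.10.10 any eq 443
! Every packet the accelerated security path drops, tagged with the drop reason.
capture CAP_DROP type asp-drop all
!
! Reproduce the failing connection from the client, then inspect:
show capture CAP_WAN1
show capture CAP_WAN2
show capture CAP_DROP | include 10.10.10.10
! Cumulative drop counters; watch for tcp-reset / no-connection reasons increasing.
show asp drop
show conn address 10.10.10.10
!
! How to read it: if the client's SYN arrives on WAN1 but the ASA's reply, or the
! client's later segments, show up on WAN2 or in CAP_DROP, the path is asymmetric.
! In the posted log the handshake completes on WAN1 and the teardown is logged as
! "TCP Reset-O from identity", i.e. the reset originates on the ASA side, which
! points at the SSL/VPN layer rather than at routing. The capture makes that visible.
!
! Captures stay in memory until removed; clean up when done:
no capture CAP_WAN1
no capture CAP_WAN2
no capture CAP_DROP
```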

I will capture it later and come back.

I thought about asymmetric routing but don't know where that should happen.

Post a high-level diagram so we can have a look.

How does the ASA know that ISP1 failed and that failover to ISP2 is required?

Are the ISP routers managed by you?

Can you post the configuration? Also refer to the document which I have posted.

How does the DNS work? Round robin?


BB


Sorry, can you elaborate more about the TAC suggestion?

Thanks a lot.

MHM