Anyconnect flex vpn failover

MriduD
Level 1

How do I configure failover for a FlexVPN AnyConnect VPN?

There are two routers, primary and secondary. If the primary is not reachable, the remote VPN should fail over to the secondary one. How do I achieve this?

I couldn't find any relevant solution. Please help.

Accepted Solution

@Rajesh11735

crypto ikev2 profile ANYCONNECTPROF
 no anyconnect profile customervpn

11 Replies

@MriduD you can control this from the client side. Use the AnyConnect VPN Profile Editor and specify the list of backup/secondary servers. When the VPN to the primary headend fails, AnyConnect will attempt to connect to the secondary/backup server. Example:

[screenshot attached: RobIngram_0-1697048348574.png, the backup server list in the AnyConnect Profile Editor]

Thank you for your response, Rob. I shall implement it and test. 

Hi Rob, it didn't work.

ajc
Level 7

Are the primary and secondary at the same location? If so, you can try LB VPN.

I have never configured LB VPN. I'm not sure.

Rajesh11735
Level 1

Hello Guys,

I am working with @MriduD on this case and I will try to explain the scenario with our configs.

We have two Cisco 1121 routers (IOS-XE version 17.09.03a), and we have configured the AnyConnect IKEv2 remote-access VPN following the guide at the link below.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html

AnyConnect works fine when we test the connection from the client side to each router individually (primary and backup). Also, when we shut down the primary link, we got the message "Failed connecting to 1.1.1.1, trying backup 2.2.2.2" and we got the login prompt for the backup router. After authenticating, we got the following error: "Automatic profile updates are disabled and the local VPN profile does not match the secure gateway VPN profile. Contact your system administrator."

The profile name is the same on both routers and on the client computer, i.e., acvpn.xml. Using alternate names did not help in establishing the VPN to these routers individually. We use the public IP instead of the FQDN under Server List -> Primary Server.

The primary router's VPN profile has only 1.1.1.1 configured, and the backup router's profile has 2.2.2.2. The client-side VPN profile under the AnyConnect folder in C:\ProgramData has 1.1.1.1 as the primary and 2.2.2.2 as the backup server (please refer to the attached 1.png and 2.png).

We also tried adding the backup server IP in the "Backup Servers" tab, but it didn't work (refer to the attached 3.png and 4.png).

We see that the failover is initiated from the client side, but it is unable to connect to the router, due to a profile mismatch I believe. Also, the following commands are disabled, and BypassDownloader is set to True in the AnyConnectLocalPolicy XML profile.

Kindly review the attachments, configurations and any leads will be much appreciated. 


@Rajesh11735 the VPN XML profile on the client differs from the XML profile on the hub routers, either disable profile distribution on the routers or align the XML profile on the routers and client.

@Rob Ingram, thanks for your inputs again. I tried to match up the XML profiles on both routers (primary and backup) and on the client side, but it didn't work. I tried two scenarios.

1. The primary router's profile has 1.1.1.1 as the primary server and 2.2.2.2 as the backup. The IPs were interchanged (2.2.2.2 as primary, 1.1.1.1 as backup) on the secondary router. The primary router's XML profile was used on the client side.
2. Both the primary and the secondary router's profiles have 1.1.1.1 as the primary server IP and 2.2.2.2 as the backup. The same XML profile was used on the client side.

Do we have any command to disable profile distribution on the router? I am unable to find it. Please help.

@Rajesh11735 

crypto ikev2 profile ANYCONNECTPROF
 no anyconnect profile customervpn

Hi Rob, we'll use this command and test again.

We'll update you.

Thank you so much, Rob.

Sir, it worked successfully in our test environment. We shall implement it on our client's side. In case we run into any issue, I shall bother you again. Hope you wouldn't mind.