10-11-2023 10:53 AM
how to configure failover in flex anyconnect vpn?
There are two routers - primary and secondary. If primary is not reachable, the remote vpn should failover to the secondary one. How do I achieve it ?
Couldn't find any relevant solution. PLEASE HELP.
10-11-2023 11:17 AM - edited 10-11-2023 11:19 AM
@MriduD you can control this from the client side. Use the AnyConnect VPN Profile Editor and specify the list of backup/secondary servers. When the VPN to the primary VPN headend fails, anyconnect will attempt to connect to the secondary/backup server. Example:
10-11-2023 11:55 AM
Thank you for your response, Rob. I shall implement it and test.
10-12-2023 05:22 AM
Hi Rob, it didn't work.
10-11-2023 04:47 PM
Are the primary and secondary at the same location? If so, you can try LB VPN.
10-12-2023 05:23 AM
I have never configured LB VPN. I'm not sure.
10-12-2023 11:04 AM
Hello Guys,
I am working with @MriduD on this case and I will try to explain the scenario with our configs.
We have two Cisco 1121 routers (IOS-XE Version 17.09.03a) and we have configured Anyconnect IKEv2 remote VPN using the below link.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html
The AnyConnect works fine when we tested the connection individually on the client side for both the routers (primary and backup). Also, when we shut down the primary link, we got the message saying "Failed connecting to 1.1.1.1, trying backup 2.2.2.2" and we got the login prompt for the backup router. After getting authenticated, we got the following error: "Automatic profile updates are disabled and the local VPN profile does not match the secure gateway VPN profile. Contact your system administrator."
The profile names are similar in both the routers and in the client computer as well i.e., acvpn.xml. Any alternate names did not help in establishing the VPN individually to these routers. We use the public IP instead of the FQDN under Server list -> Primary Server.
The primary router's VPN profile has only 1.1.1.1 configured and backup router's profile has 2.2.2.2. The client side VPN profile under Anyconnect folder of C:/ProgramData has 1.1.1.1 as primary and 2.2.2.2 as backup server (please refer 1.png and 2.png file).
Also, we tried adding the backup server IP in the "Backup servers" tab as well, but it didn't work (refer to 3.png and 4.png).
We see the failover is initiated from the client side, but it is unable to connect to the router due to profile mismatch, I believe. Also, the following commands are disabled, and BypassDownloader is set to True in the AnyConnectLocalPolicy XML profile.
Kindly review the attachments, configurations and any leads will be much appreciated.
10-12-2023 11:12 AM
@Rajesh11735 the VPN XML profile on the client differs from the XML profile on the hub routers, either disable profile distribution on the routers or align the XML profile on the routers and client.
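An added example (my own, not code from the thread or from Cisco) that ties Rob's two points together: the client walks the server list in the profile, primary HostAddress first and then the BackupServerList, and it refuses to proceed when the profile it holds does not match the one the gateway advertises. The constructed profiles below follow the usual Profile Editor layout (ServerList/HostEntry/HostAddress/BackupServerList); those element names and the addresses are assumptions, not the thread's attachments, and the SHA-256 comparison is only an illustration of "the files differ", not AnyConnect's own comparison logic.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by AnyConnect client profiles (assumed from the usual acvpn.xml layout).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def _profile(host_name, primary, backups=()):
    """Build a minimal constructed AnyConnect profile with one HostEntry.

    Element names follow the VPN Profile Editor output (an assumption);
    the values are made-up sample data, not the thread's attachments.
    """
    backup_xml = "".join(f"<HostAddress>{b}</HostAddress>" for b in backups)
    backup_block = f"<BackupServerList>{backup_xml}</BackupServerList>" if backups else ""
    return f"""<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>{host_name}</HostName>
      <HostAddress>{primary}</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
      {backup_block}
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


# Constructed sample data mirroring the thread's description:
# client has 1.1.1.1 primary + 2.2.2.2 backup, each router only lists itself.
CLIENT_PROFILE = _profile("Customer VPN", "1.1.1.1", backups=["2.2.2.2"])
PRIMARY_ROUTER_PROFILE = _profile("Customer VPN", "1.1.1.1")
BACKUP_ROUTER_PROFILE = _profile("Customer VPN", "2.2.2.2")


def failover_order(profile_xml):
    """Addresses the client will try, in order: each HostEntry's HostAddress
    followed by the entries of its BackupServerList."""
    root = ET.fromstring(profile_xml)
    order = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        order.append(entry.findtext("ac:HostAddress", namespaces=NS).strip())
        for backup in entry.findall("ac:BackupServerList/ac:HostAddress", NS):
            order.append(backup.text.strip())
    return order


def _strip_whitespace(elem):
    # Drop indentation/newlines so only real content contributes to the digest.
    elem.text = (elem.text or "").strip() or None
    elem.tail = None
    for child in elem:
        _strip_whitespace(child)
    return elem


def profile_digest(profile_xml):
    """SHA-256 of the profile with insignificant whitespace removed."""
    root = _strip_whitespace(ET.fromstring(profile_xml))
    return hashlib.sha256(ET.tostring(root)).hexdigest()


def profiles_match(client_xml, gateway_xml):
    """True only when client and gateway profiles carry identical content."""
    return profile_digest(client_xml) == profile_digest(gateway_xml)


def explain_mismatch(client_xml, gateway_xml):
    """Human-readable server-list difference, for troubleshooting."""
    c, g = failover_order(client_xml), failover_order(gateway_xml)
    if c == g:
        return "server lists match"
    return f"client tries {c}, gateway profile lists {g}"


if __name__ == "__main__":
    print("client failover order:", failover_order(CLIENT_PROFILE))
    for name, gw in [("primary", PRIMARY_ROUTER_PROFILE), ("backup", BACKUP_ROUTER_PROFILE)]:
        print(f"{name} router: match={profiles_match(CLIENT_PROFILE, gw)}; "
              f"{explain_mismatch(CLIENT_PROFILE, gw)}")
```

Run it and both routers report a mismatch against the client file, which is the situation that produces the "local VPN profile does not match the secure gateway VPN profile" error; either every copy has to be byte-for-byte the same content, or the headend must stop advertising a profile at all so that no comparison takes place.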
10-12-2023 11:35 AM
@Rob Ingram, thanks for your inputs again. I tried to match up the XML profiles in both routers (primary and backup) and on the client side, but it didn't work. I tried two scenarios.
1. The primary router's profile has 1.1.1.1 as primary server and 2.2.2.2 as backup. The IPs were interchanged (2.2.2.2 as primary, 1.1.1.1 as backup) in the secondary router. The primary router's XML profile was used on the client side.
2. The primary and the secondary router's profile has 1.1.1.1 as primary server IP and 2.2.2.2 as backup. The same XML profile was used on the client side.
Do we have any command to disable profile distribution on the router? I am unable to find it. Please help.
10-12-2023 01:55 PM
! stop pushing the headend XML profile to the client, so no profile comparison takes place
crypto ikev2 profile ANYCONNECTPROF
 no anyconnect profile customervpn
10-13-2023 06:01 AM
Hi Rob, We'll use this command and test again.
We'll update you.
10-18-2023 03:30 AM
Thank you so much, Rob.
Sir, it did work successfully in our test environment. We shall implement it on our client's side. In case we land in any issue, I shall irk you again. Hope you wouldn't mind.