Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4382
Views
10
Helpful
12
Replies

Anyconnect optimized gateway selection question

Go to solution
Deepak Ambotkar
Level 1
Level 1

‎09-04-2012 12:36 AM - edited ‎02-21-2020 06:18 PM

Hello,

I am in the process of evaluating Cisco Anyconnect VPN for my company. Can anyone please let me know what will happen to the client if optimized selected gateway is full?

Thanks,

Deepak

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Javier Portuguez
Level 9
Level 9

‎09-04-2012 05:09 AM

Hi,

With Optimal Gateway Selection the first time AC runs on the machine checks the RTT response from each server / gateway configured in the XML file and will use the one with the lowest value as the primary gateway.

These results will be cached by the client, so in case the primary gateway fails or becomes somehow unresponsive, the AC will automatically use the second gateway in the list.

Since the AC clients performs the gateway evaluation only one time, it is recommended to test it from a stable connection.

More information:

AnyConnect Optimal Gateway Selection Operation

Please let me know if this answers your question.

Thanx.

Portu

View solution in original post

0 Helpful

Go to solution
bravotom99
Level 1
Level 1
In response to Deepak Ambotkar

‎09-06-2012 10:32 AM

Deepak,

I think I know what you are asking because I ran into this.  If the gateway is available, running, and working but, for some reason you cannot connect, anyconnect will not try the backup list.  Some examples where the gateway is reachable but might not connect might be you run out of licenses, DAP policies are denying you, gateway misconfigure, gateway hung etc.  In this case, I don't think AnyConnect will attempt to connect to the backup list unless something changed in recent AnyConnect or the ASA codes.  In the scenarios I mention, I guess Cisco assumes since you hit a gateway, you're fine regardless of whether it fails or not.  I know because I had this issue a while back with our load balancing gateways.  One gateway was in a hung state where it was still reachable but would never complete new tunnels.  Load balancing kept sending new users to the 'bad' gateway, start connecting, error out, never connect.  User tries again to the load balancer, error out. Rinse and repeat.  Meanwhile the 'good' gateway was available, was listed individually in the backup list but anyconnect never attempted a connection since the 'bad' gateway was reachable.

I hope this helps.  I submitted an enhancement request to Cisco regarding this behavior which asked for anyconnect to try every server in the backup list if a tunnel is not established for any reason.  I don't know if that went anywhere though.

View solution in original post

12 Replies 12

Go to solution
Javier Portuguez
Level 9
Level 9

‎09-04-2012 05:09 AM

Hi,

With Optimal Gateway Selection the first time AC runs on the machine checks the RTT response from each server / gateway configured in the XML file and will use the one with the lowest value as the primary gateway.

These results will be cached by the client, so in case the primary gateway fails or becomes somehow unresponsive, the AC will automatically use the second gateway in the list.

Since the AC clients performs the gateway evaluation only one time, it is recommended to test it from a stable connection.

More information:

AnyConnect Optimal Gateway Selection Operation

Please let me know if this answers your question.

Thanx.

Portu

0 Helpful

Go to solution
Deepak Ambotkar
Level 1
Level 1
In response to Javier Portuguez

‎09-04-2012 08:10 AM

good one.. I will come up with more if I have any...

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Deepak Ambotkar

‎09-04-2012 08:52 AM

Good news

Have a good one.

0 Helpful

Go to solution
Deepak Ambotkar
Level 1
Level 1
In response to Javier Portuguez

‎09-05-2012 12:58 AM

Javier,

Will the OGS work or fallback to the 2nd best gateway if users have PAC (Proxy auto-config) files configured?

Also if the OGS is full that doesn't necessarily mean that it is unresponsive. It should still reply to the client but unable to offer the service so is there any integrated mechanism that primary OGS will redirect client to the next best gateway

Thanks,

Deepak

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Deepak Ambotkar

‎09-05-2012 05:32 AM

Hi Deepak,

What you mean by "Full"? This is not VPN load-balancing.

AnyConnect will fallback to the next OG if the current gateway does not respond.

It will only work after a new client connection attempt.

Let me know.

0 Helpful

Go to solution
Deepak Ambotkar
Level 1
Level 1
In response to Javier Portuguez

‎09-05-2012 07:26 AM

Thanks again Javier.

Will the failover still work if users have PAC (proxy auto-config) files configured?

-Deepak

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Deepak Ambotkar

‎09-05-2012 07:29 AM

You are welcome!

I dont see any reason why it wouldn't

0 Helpful

Go to solution
bravotom99
Level 1
Level 1
In response to Deepak Ambotkar

‎09-06-2012 10:32 AM

Deepak,

I think I know what you are asking because I ran into this.  If the gateway is available, running, and working but, for some reason you cannot connect, anyconnect will not try the backup list.  Some examples where the gateway is reachable but might not connect might be you run out of licenses, DAP policies are denying you, gateway misconfigure, gateway hung etc.  In this case, I don't think AnyConnect will attempt to connect to the backup list unless something changed in recent AnyConnect or the ASA codes.  In the scenarios I mention, I guess Cisco assumes since you hit a gateway, you're fine regardless of whether it fails or not.  I know because I had this issue a while back with our load balancing gateways.  One gateway was in a hung state where it was still reachable but would never complete new tunnels.  Load balancing kept sending new users to the 'bad' gateway, start connecting, error out, never connect.  User tries again to the load balancer, error out. Rinse and repeat.  Meanwhile the 'good' gateway was available, was listed individually in the backup list but anyconnect never attempted a connection since the 'bad' gateway was reachable.

I hope this helps.  I submitted an enhancement request to Cisco regarding this behavior which asked for anyconnect to try every server in the backup list if a tunnel is not established for any reason.  I don't know if that went anywhere though.

Go to solution
Deepak Ambotkar
Level 1
Level 1
In response to bravotom99

‎09-06-2012 11:43 PM

Tom,

This is another great explanation. That's what I am worried about. Well is it possible you can help me with the case or tkt# for the enhancement request with Cisco so that I will try to follow up and get more information on this?

Thanks,

Deepak

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Deepak Ambotkar

‎09-27-2012 10:48 AM

Deepak,

As mentioned by bravotom99 (5 stars) the AnyConnect will only detect a failure at a networking level. In other words, if the server does not respond to a connectivity test.

It is true that if your server is running out of licenses or if misconfigured, the AnyConnect will not try with the next server, since the primary one seems to be alive.

I am not in the office today, but please send me a private message tomorrow and I will check for any enhancement request.

On the other hand, if bravotom99 could send me the enhancement request in a Private message, that would help me a lot.

Thanks.

Please rate any helpful posts

0 Helpful

Go to solution
Anton Pestov
Level 1
Level 1
In response to Javier Portuguez

‎09-25-2012 11:59 PM

Hi to all,

AC doesn't auto-select next gateway in server-list... Why?

________________________

"profile.xml" in attached file

Preview file
4 KB
0 Helpful

Go to solution
Anton Pestov
Level 1
Level 1
In response to Anton Pestov

‎10-04-2012 10:42 PM

After remove group-url from server-list, there was only FQDN of VPN gateways, then OGS works fine!

0 Helpful
Customers Also Viewed These Support Documents