Anyconnect optimized gateway selection question

Deepak Ambotkar (Level 1)

Hello,

I am in the process of evaluating Cisco Anyconnect VPN for my company. Can anyone please let me know what will happen to the client if optimized selected gateway is full?

Thanks,

Deepak

12 Replies

Hi,

With Optimal Gateway Selection, the first time AC runs on the machine it checks the RTT response from each server / gateway configured in the XML file and uses the one with the lowest value as the primary gateway.

These results will be cached by the client, so in case the primary gateway fails or becomes somehow unresponsive, the AC will automatically use the second gateway in the list.

Since the AC client performs the gateway evaluation only one time, it is recommended to test it from a stable connection.

More information:

AnyConnect Optimal Gateway Selection Operation

Please let me know if this answers your question.

Thanx.

Portu

good one.. I will come up with more if I have any...

Good news

Have a good one.

Javier,

Will the OGS work or fallback to the 2nd best gateway if users have PAC (Proxy auto-config) files configured?

Also, if the OGS is full, that doesn't necessarily mean that it is unresponsive. It should still reply to the client but be unable to offer the service, so is there any integrated mechanism by which the primary OGS will redirect the client to the next best gateway?

Thanks,

Deepak

Hi Deepak,

What do you mean by "Full"? This is not VPN load-balancing.

AnyConnect will fall back to the next OG if the current gateway does not respond.

It will only work after a new client connection attempt.

Let me know.

Thanks again Javier.

Will the failover still work if users have PAC (proxy auto-config) files configured?

-Deepak

You are welcome!

I don't see any reason why it wouldn't.

Deepak,

I think I know what you are asking because I ran into this. If the gateway is available, running, and working but, for some reason, you cannot connect, AnyConnect will not try the backup list. Some examples where the gateway is reachable but might not connect: you run out of licenses, DAP policies are denying you, the gateway is misconfigured, the gateway is hung, etc. In this case, I don't think AnyConnect will attempt to connect to the backup list unless something changed in recent AnyConnect or ASA code. In the scenarios I mention, I guess Cisco assumes that since you hit a gateway, you're fine regardless of whether it fails or not. I know because I had this issue a while back with our load-balancing gateways. One gateway was in a hung state where it was still reachable but would never complete new tunnels. Load balancing kept sending new users to the 'bad' gateway: start connecting, error out, never connect. The user tries again via the load balancer, errors out. Rinse and repeat. Meanwhile the 'good' gateway was available and was listed individually in the backup list, but AnyConnect never attempted a connection since the 'bad' gateway was reachable.

I hope this helps. I submitted an enhancement request to Cisco regarding this behavior, which asked for AnyConnect to try every server in the backup list if a tunnel is not established for any reason. I don't know if that went anywhere though.
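To make the two behaviours described in this thread easy to compare (Portu's point that a cached RTT ranking falls through to the next gateway when the primary stops answering, and bravotom99's point that a gateway which answers but never completes the tunnel does not trigger that fallback), here is an added Python model. It is example code written for this thread, not Cisco's client or anything from the AnyConnect profile; the gateway names, RTT values and gateway states are constructed, and the `fallback_on_refusal` switch is a hypothetical knob that models the enhancement request, not a real AnyConnect setting.

```python
"""Model of AnyConnect-style Optimal Gateway Selection (OGS) and its fallback.

Added example, not Cisco code: it reproduces the behaviour described in this
thread so the two failure modes can be compared side by side. Gateway names,
RTT values and states below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GatewayState:
    """What the client observes for one gateway at a given moment (constructed)."""
    rtt_ms: Optional[float]        # None: no reply to the connectivity probe
    accepts_tunnels: bool = True   # False: reachable, but refuses or never completes tunnels


def build_cached_order(probe: Dict[str, GatewayState]) -> List[str]:
    """First-run OGS: rank gateways by probed RTT, lowest first.

    The ordering is what the client caches; gateways that did not answer the
    probe are kept at the end so a later connection attempt can still reach them.
    """
    answered = [n for n, s in probe.items() if s.rtt_ms is not None]
    silent = [n for n, s in probe.items() if s.rtt_ms is None]
    answered.sort(key=lambda n: probe[n].rtt_ms)
    return answered + silent


def connect(cached_order: List[str], now: Dict[str, GatewayState],
            fallback_on_refusal: bool = False) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk the cached list and return (connected gateway or None, attempt log).

    Stock behaviour (per the thread): only a network-level failure, i.e. no
    response, moves the client to the next entry. A gateway that answers but
    refuses the tunnel (licences exhausted, DAP denial, hung) ends the attempt.
    fallback_on_refusal=True is a hypothetical switch modelling the enhancement
    bravotom99 asked for: keep walking the list on any failed tunnel.
    """
    attempts: List[Tuple[str, str]] = []
    for name in cached_order:
        state = now[name]
        if state.rtt_ms is None:
            attempts.append((name, "unreachable"))
            continue                      # network failure: try the next gateway
        if state.accepts_tunnels:
            attempts.append((name, "connected"))
            return name, attempts
        attempts.append((name, "refused"))
        if not fallback_on_refusal:
            return None, attempts         # reachable but refusing: client gives up here
    return None, attempts


# Constructed first-run probe: the EU gateway wins on RTT and becomes primary.
FIRST_RUN_PROBE = {
    "vpn-eu.example.com": GatewayState(rtt_ms=18.0),
    "vpn-us.example.com": GatewayState(rtt_ms=95.0),
    "vpn-ap.example.com": GatewayState(rtt_ms=140.0),
}
CACHED_ORDER = build_cached_order(FIRST_RUN_PROBE)


def scenario_primary_down() -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Primary stops responding: OGS falls back to the second cached entry."""
    now = dict(FIRST_RUN_PROBE)
    now["vpn-eu.example.com"] = GatewayState(rtt_ms=None)
    return connect(CACHED_ORDER, now)


def scenario_primary_hung(fallback_on_refusal: bool = False) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Primary is reachable but never completes tunnels (the load-balancer case)."""
    now = dict(FIRST_RUN_PROBE)
    now["vpn-eu.example.com"] = GatewayState(rtt_ms=18.0, accepts_tunnels=False)
    return connect(CACHED_ORDER, now, fallback_on_refusal)


if __name__ == "__main__":
    print("cached order:", CACHED_ORDER)
    print("primary down:", scenario_primary_down())
    print("primary hung, stock behaviour:", scenario_primary_hung())
    print("primary hung, retry-on-refusal:", scenario_primary_hung(True))
```

Running it shows the gap from an operations point of view: with the primary silent the client lands on vpn-us, but with the primary answering and refusing, the stock walk stops after a single "refused" attempt even though vpn-us is healthy and cached. That is the case worth monitoring on the gateway side (tunnel setup failures on a host that still answers probes), because the client will not route around it on its own.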

Tom,

This is another great explanation. That's what I am worried about. Is it possible for you to help me with the case or ticket # for the enhancement request with Cisco, so that I can follow up and get more information on this?

Thanks,

Deepak

Deepak,

As mentioned by bravotom99 (5 stars), AnyConnect will only detect a failure at the networking level; in other words, if the server does not respond to a connectivity test.

It is true that if your server is running out of licenses or is misconfigured, AnyConnect will not try the next server, since the primary one seems to be alive.

I am not in the office today, but please send me a private message tomorrow and I will check for any enhancement request.

On the other hand, if bravotom99 could send me the enhancement request in a Private message, that would help me a lot.

Thanks.

Please rate any helpful posts

Hi to all,

AC doesn't auto-select next gateway in server-list... Why?

________________________

"profile.xml" is in the attached file.

After removing group-url from the server-list, so that only the FQDN of the VPN gateways remained, OGS worked fine!
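The attached profile.xml is not on this page, so here is an added Python check, written for this thread and not part of Cisco's tooling, that scans a profile's server list for the condition the post above describes: a HostAddress that carries a group-url path instead of a bare FQDN. It assumes the `<ServerList><HostEntry><HostName/><HostAddress/></HostEntry></ServerList>` layout I am used to seeing in AnyConnect profiles (treat those element names as an assumption and compare against your own file), and the sample profile embedded below is constructed.

```python
"""Check an AnyConnect profile's <ServerList> for group-url host addresses.

Added example, not Cisco code. It assumes the profile layout
<ServerList><HostEntry><HostName/><HostAddress/></HostEntry></ServerList>
(element names are an assumption taken from profiles I have seen).
The sample profile below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: one entry carries a group-url path, one is a bare FQDN.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>EU gateway</HostName>
      <HostAddress>vpn-eu.example.com/sales</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>US gateway</HostName>
      <HostAddress>vpn-us.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag: str) -> str:
    """Drop any XML namespace so the check works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def host_entries(profile_xml: str) -> List[Tuple[str, str]]:
    """Return (HostName, HostAddress) for every HostEntry in the profile."""
    root = ET.fromstring(profile_xml)
    entries = []
    for el in root.iter():
        if _local(el.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        entries.append((fields.get("HostName", ""), fields.get("HostAddress", "")))
    return entries


def split_group_url(address: str) -> Tuple[str, str]:
    """Split 'host/group' or 'https://host/group' into (fqdn, group path).

    A bare FQDN yields an empty group path.
    """
    target = address if "://" in address else "//" + address
    parts = urlsplit(target)
    return parts.hostname or "", parts.path.strip("/")


def check_ogs_server_list(profile_xml: str) -> List[Dict[str, str]]:
    """List entries whose HostAddress is a group-url rather than a bare FQDN.

    Per the thread, OGS started working once these were reduced to the FQDN,
    so each finding carries the host-only value to use instead.
    """
    findings = []
    for name, address in host_entries(profile_xml):
        fqdn, group = split_group_url(address)
        if group:
            findings.append({"host_name": name, "address": address,
                             "group": group, "fqdn_only": fqdn})
    return findings


if __name__ == "__main__":
    for f in check_ogs_server_list(SAMPLE_PROFILE):
        print(f"{f['host_name']}: '{f['address']}' -> use '{f['fqdn_only']}'")
```

Point it at a real profile with `check_ogs_server_list(open("profile.xml").read())`; an empty result means every server-list entry is already a bare FQDN. The namespace-stripping is deliberate, since profiles exported from ASDM carry an xmlns on the root element and a naive `findall("ServerList/HostEntry")` would then match nothing.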