98 Views · 0 Helpful · 1 Reply

AnyConnect "Failover Server" configuration on FirePower 1120 ver. 7.2

BrianChernish
Level 1

We have a Firepower 1120 running ver. 7.2 software and managed by FMC.

We have two ISP public IP addresses. We are attempting to configure a "Server Failover" address on the same firewall so that if ISP 1 goes down we can connect the VPN via the ISP 2 address. The failover IP with the second ISP is working for internet traffic. We have created a profile with the Primary and Secondary connections, however when we are in a failover situation the AnyConnect session will not connect.

We do have a "Public CA" from GoDaddy on the firewall.

We have used the profile editor to include the failover IP, however when we try to connect during an ISP 1 failure, the client attempts to connect to the Primary address for a period of time and then pops a message saying it is going to try the failover. After a period of time it also fails.

Here is what is in our profile "XML" file:

<ServerList>
  <HostEntry>
    <HostName>MaranaVPN2</HostName>
    <HostAddress>mas-asa-5525.ascentmro.com</HostAddress>
    <UserGroup>{topsecret alias}</UserGroup>
    <BackupServerList>
      <HostAddress>xx.xx.xx.xx {ISP 2 address assigned to Firewall}</HostAddress>
    </BackupServerList>
  </HostEntry>
</ServerList>

Any assistance is appreciated.

Brian


1 Reply

@BrianChernish, is the ISP2 interface configured as an access interface for RA VPN?

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-remote-access.html

To avoid certificate errors, you would also want to create a DNS hostname that resolves to the secondary ISP IP and use that instead of the IP address in the XML profile. Ensure you use a wildcard certificate or a certificate with two SAN entries (for the primary and secondary ISP hostname).
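The reply's two checks (backup entries should be DNS names rather than IP literals, and the certificate's SANs must cover every address the client may connect to) can be scripted against a profile before it is pushed to clients. The following is an added example, not code from the original thread or from Cisco; it parses a constructed AnyConnect profile with hypothetical hostnames (vpn.example.com, vpn2.example.com) and a constructed SAN list, and reports which entries would produce a certificate mismatch or cannot be matched at all because they are IP literals. Wildcard matching follows the usual single-leftmost-label rule, so "*.example.com" covers "vpn2.example.com" but not "a.b.example.com".

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (hypothetical hostnames and a documentation-range
# IP); it mirrors the shape of the poster's profile, not its real values.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>ExampleVPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>example-alias</UserGroup>
      <BackupServerList>
        <HostAddress>203.0.113.10</HostAddress>
        <HostAddress>vpn2.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_server_list(xml_text):
    """Return a list of (HostName, primary HostAddress, [backup HostAddress...])."""
    root = ET.fromstring(xml_text)
    entries = []
    for elem in root.iter():
        if _local(elem.tag) != "HostEntry":
            continue
        name = primary = None
        backups = []
        for child in elem:
            tag = _local(child.tag)
            if tag == "HostName":
                name = (child.text or "").strip()
            elif tag == "HostAddress":
                primary = (child.text or "").strip()
            elif tag == "BackupServerList":
                backups = [(b.text or "").strip()
                           for b in child if _local(b.tag) == "HostAddress"]
        entries.append((name, primary, backups))
    return entries


def is_ip_literal(addr):
    """True for an IPv4/IPv6 literal, which no hostname-based SAN can match."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def san_matches(san, hostname):
    """Exact match, or a wildcard that replaces only the leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        return hostname.endswith(suffix) and hostname.count(".") == san.count(".")
    return False


def check_profile(xml_text, cert_sans):
    """Return human-readable findings; an empty list means every address is covered."""
    findings = []
    for name, primary, backups in parse_server_list(xml_text):
        if not backups:
            findings.append(f"{name}: no BackupServerList, client cannot fail over")
        for addr in [primary] + backups:
            if not addr:
                continue
            if is_ip_literal(addr):
                findings.append(f"{name}: {addr} is an IP literal; use a DNS name the certificate covers")
            elif not any(san_matches(s, addr) for s in cert_sans):
                findings.append(f"{name}: no SAN covers {addr}")
    return findings


if __name__ == "__main__":
    # Constructed SAN list: only the primary name is on the certificate.
    for line in check_profile(PROFILE_XML, ["vpn.example.com"]):
        print(line)
```

Run as-is it reports two findings: the IP-literal backup and the uncovered vpn2.example.com. Passing ["*.example.com"] or ["vpn.example.com", "vpn2.example.com"] as the SAN list leaves only the IP-literal finding, which is exactly the change the reply recommends.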