AnyConnect reconnect automatically to backup server when the primary fails

Hi Team,
We have 2 ISPs on our Firepower and we are looking into redundancy for our AnyConnect VPN, and we found the Backup Server feature.
Our request:
We just want AnyConnect to automatically reconnect to the Backup Server in the list when a remote AnyConnect user loses connectivity on the primary connection.
Currently, AnyConnect gets stuck trying to reconnect to the primary, rather than going to the next backup server.

The workaround:
It works if the user manually disconnects and then reconnects: it will first try the primary, then go to the backup and connect successfully.

We are running the latest version, AnyConnect 4.X.

Thanks in advance for your help.

Regards

Accepted Solutions

Finally, I got an answer: this is documented via https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut96439/?reffering_site=dumpcr


------------------------

Symptom:
AnyConnect session fails or becomes stale. The backup servers mentioned in the XML profile are not attempted for fallback connection.

Conditions:
1. AC profile has a backup server list configured
2. AC user successfully connects to primary server
3. Primary server is no longer reachable, resulting in a stale connection.
4. AC should eventually try to connect to the backup server without making the user manually disconnect. Currently, the user is forced to manually retry connecting to the primary ASA, which must fail to establish before the backup server list is attempted.

Workaround:
Manually disconnect from the original failing session, then reattempt. (this is the process we need to automate)

------------------------
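As an added example (not part of the thread or the bug note), here is an AnyConnect client profile fragment showing where the backup server list from condition 1 lives; the hostnames and profile name are placeholders. The bug note above is the caveat to keep in mind: the client only walks this list when it starts a fresh connection attempt that fails against the primary, so a session that has merely gone stale on the primary never falls over to it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Placeholder AnyConnect client profile; hostnames are not real. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- AutoReconnect governs re-establishing the tunnel to the gateway the
         client is already connected to (e.g. after suspend/resume). Per the
         bug note it does not, by itself, cause a stale session to move to a
         backup server. -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Primary headend (ISP 1); this is what the user picks in the client. -->
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn-primary.example.invalid</HostAddress>
      <!-- Backup headend (ISP 2). Tried in order only when a new connection
           attempt to the primary fails to establish, which is the manual
           disconnect-and-reconnect workaround described above. -->
      <BackupServerList>
        <HostAddress>vpn-backup.example.invalid</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```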


havy
Level 1

Hi ConstantNSAH8220,
have you found a solution for this problem?
Regards 

Hi Cisco Folks,

Any comment on this issue, do you have permanent fix for this problem?

Believe it or not, this has been discussed since 2010, ASA 8.x and AnyConnect 2.y:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCte15271

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCte15276

The problem here is that the primary firewall doesn't share session info with the backup nodes, hence a transparent reconnect isn't possible if AAA is used (the user would be presented with a login prompt, which is undesirable). This feature could have been implemented for cert-only authentication, but this has never been done. So, the client will remain in the reconnecting state until either a) a manual user disconnect, b) the max connect time, or c) the idle time is reached. Both b) and c) are typically set high on the ASA in the group-policy, so users have to disconnect and connect manually.

The same issue exists for VPN load-balancing clusters, but for load-balancing this would be easier to implement, because there is a control protocol between the units. In fact, this feature was implemented in IOS / IOS-XE 15.6 for IKEv2 (with some limitations), but not on the ASA:

CSCut83969 Xe317: Ikev2 cluster reconnect support