AnyConnect survive failover in Active/Standby mode? - ASA

m.andersson.se · ‎03-29-2023

We have an Active/Standby failover pair with ASA 9.16.(3)19 and Cisco Firepower 1140 just for Cisco AnyConnect.
I have always done upgrade in a maintenance window because 95% of the connected clients via Cisco AnyConnect don´t survivce a manual failover... Today I found some information that AnyConnect sessions should be replicated and work in a failover scenario.
AnyConnect client is till connected after failover but no traffic routed through the VPN-connection of AnyConnect.

Can you please advice me how to handle this issue.
- Should failover be 100% for AnyConnect sessions?
- Related to AnyConnect client version / OS?
- Related to AAA. I´m doing Radius 2FA RSA SecureID authentication?
- Related to config that I missed for?

Strange is that 5 of 100 connected sessions seems to work after failover, RX/TX counters increase, all other sessions says no DTLS-tunnel and TX/RX = 0.

balaji.bandi · ‎03-29-2023

we have plenty of setup with Active/Standby - the Client's traffic move flawlessly, you need to post the config and how your network is connected by creating a small network diagram.

some guidance :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/vpn/asa-912-vpn-config/vpn-ha.html#id_61718

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim · ‎03-30-2023

When you have an Active/Standby failover pair with ASA and Firepower for Cisco AnyConnect, the failover should be seamless for AnyConnect sessions. The AnyConnect sessions should be replicated between the Active and Standby units so that if a failover occurs, the AnyConnect sessions can continue without interruption. Therefore, if you are experiencing issues with AnyConnect sessions after a failover, there may be an underlying issue with the configuration or setup.

Here are some things to consider while troubleshoot this issue:

Ensure that the AnyConnect sessions are being replicated between the Active and Standby units: You can verify this by checking the output of the 'show vpn-sessiondb anyconnect' command on both units. The output should show the same information for both units.

Verify the version of the AnyConnect client: Make sure that the AnyConnect client version is compatible with the ASA and Firepower versions. If the client version is not compatible, it may cause issues with the AnyConnect sessions after a failover.

Check the AAA configuration (If this in place) : Make sure that the AAA configuration is correct and that the RSA SecureID authentication is working properly. You can verify this by checking the logs on the RSA server and the ASA.

Verify the failover configuration: Make sure that the failover configuration is correct and that both units are configured to handle AnyConnect sessions properly. You can verify this by checking the failover configuration and the output of the 'show failover' command on both units.

Check for any errors or messages: Check the logs on both units for any errors or messages related to the AnyConnect sessions. This may give you a clue as to what is causing the issue.

Test failover with a small number of clients: If you are still experiencing issues after checking the above, try testing failover with a small number of clients to see if the issue persists. This may help you isolate the issue and determine if it is related to a specific client or group of clients.

please do not forget to rate.

MHM Cisco World · ‎03-30-2023

the status of connection is exchange between the two FW
the DTLS is UDP based
TLS is TCP based
so 5% I think is TCP based and it success because both FW exchange the status of Conn of TCP but not exchange the UDP status
please check this point
also check if the DTLS use same port.

m.andersson.se · ‎04-05-2023

Thanks for information... Seems to be related to DTLS, HTTPS and DTLS use 443 (tcp & udp).
DTLS seems to be default but all working solutions that above users (balaji.band) has been described has changed this parameter? Because Cisco AnyConnect sessions works after a failover. balaji.band - have you disabled DTLS?

https://community.cisco.com/t5/security-knowledge-base/anyconnect-dtls-vs-tls/ta-p/3164027

Can you sync UDP connection in Active/Standby which mean that DTLS can be used?

MHM Cisco World · ‎04-05-2023

sorry I dont get your last reply?
can you more elaborate ?

m.andersson.se · ‎04-05-2023

You said - "So 5% I think is TCP based and it success because both FW exchange the status of conn of TCP but not exchange the UDP status please check this point". According to this link https://www.networkstraining.com/cisco-asa-active-standby-configuration/ "UDP Connection Table" should be synchronized.

I found this on a Cisco post.

Q7. What is the behavior if the ASA fails over from Active to Standby?

A. Initially, when the session is established, the three tunnels (Parent, SSL, and DTLS) are replicated to the Standby Unit; once the ASA fails over, the DTLS and the TLS sessions are reestablished as they are not synced to the standby unit, but any data flows through the tunnels must work without disruption after the AnyConnect session is reestablished.

SSL/DTLS sessions are not stateful, so the SSL state and sequence number are not maintained and can be quite taxing. Thus, those sessions need to be reestablished from scratch, which is done with the Parent session and the session token.

Tip: In the event of a failover event, SSL VPN client sessions are not carried over to the standby device if keepalives are disabled.

Maybe keepalives should be investigated for me as well.

MHM Cisco World · ‎04-05-2023

but if the anyconnect is re-established that meaning t will get new IP and this BLK any traffic.
let me make deep dive in this point