Anyconnect VPN Users Connecting to Secondary ASA

I have a pair of ASA 5515s in HA (active/standby) running 9.14. Over the last few days, some Anyconnect users are finding themselves connected to the standby device which, of course, breaks their actual access to internal resources. There have been no failover events for the past 7 days (which was due to some cabling work). The IP/domain name used for the Anyconnect connection is correct and is assigned to the primary unit. I've gone through logs and on the standby unit I see the following entries for one of the users this has happened to:
Dec 18 2024 09:54:30: %ASA-6-721018: (WebVPN-Secondary) WebVPN session for client user xxxxxxx has been deleted.
Dec 18 2024 11:05:10: %ASA-7-720042: (VPN-Secondary) Receiving Create WebVPN Session message user xxxxxx from active unit
Dec 18 2024 11:05:10: %ASA-6-721016: (WebVPN-Secondary) WebVPN session for client user xxxxxx has been created.
Dec 18 2024 17:26:51: %ASA-7-720042: (VPN-Secondary) Receiving Delete WebVPN Session message user xxxxxx from active unit

Anyone have any ideas?

5 Replies

balaji.bandi
Hall of Fame

Connecting to the secondary unit doesn't work, so post the output of show failover, show failover history and show failover state, and look at the error codes.

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs8.html#con_4868707

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

These messages may be confusing, but they clearly show this is a session sync from the active to the standby unit: Dec 18 2024 11:05:10: %ASA-7-720042: (VPN-Secondary) Receiving Create WebVPN Session message user xxxxxx from active unit

Like the other poster, I would check the failover status and history, and also the syslogs during that period from both the active and standby units. If you really want to be sure that the standby unit is receiving the traffic, take a packet capture; that will really show whether packets arrived on the standby. Both units share a single virtual MAC, so unless there was a failover it will never go to a standby unit, and even if there was a momentary failover, traffic should still go only to the current active unit. How did you verify that the traffic is really going to the other unit? Your logs? This is a rather complex issue if it is really happening. You may want to open a TAC case if you have active support.

**Please rate as helpful if this was useful**

Here is the failover state and history (from the secondary's perspective, the primary's history matches that of the secondary):

/sec/stby# sho failover state

               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              14:05:07 PST Dec 9 2024
Other host -   Primary
               Active         Comm Failure             11:55:55 PST Dec 13 2024

====Configuration State===
Sync Done
Sync Done - STANDBY
====Communication State===
Mac set

sec/stby# show failover history
==========================================================================
From State To State Reason
==========================================================================
23:18:41 PST Dec 7 2024
Cold Standby Sync Config Detected an Active mate

23:18:54 PST Dec 7 2024
Sync Config Sync File System Detected an Active mate

23:18:54 PST Dec 7 2024
Sync File System Bulk Sync Detected an Active mate

23:19:10 PST Dec 7 2024
Bulk Sync Standby Ready Detected an Active mate

23:36:32 PST Dec 7 2024
Standby Ready Failed Interface check
This host:1
single_vf: INSIDE
Other host:0

23:52:37 PST Dec 7 2024
Failed Standby Ready Interface check
This host:1
single_vf: INSIDE
Other host:1
single_vf: INSIDE

02:47:17 PST Dec 8 2024
Standby Ready Just Active Other unit wants me Active

02:47:17 PST Dec 8 2024
Just Active Active Drain Other unit wants me Active

02:47:17 PST Dec 8 2024
Active Drain Active Applying Config Other unit wants me Active

02:47:17 PST Dec 8 2024
Active Applying Config Active Config Applied Other unit wants me Active

02:47:17 PST Dec 8 2024
Active Config Applied Active Other unit wants me Active

03:02:33 PST Dec 8 2024
Active Standby Ready Other unit wants me Standby

14:05:07 PST Dec 9 2024
Standby Ready Failed Interface check
This host:1
single_vf: OUTSIDE
Other host:0

14:12:12 PST Dec 9 2024
Failed Standby Ready Interface check
This host:0
Other host:0

11:52:13 PST Dec 13 2024
Standby Ready Just Active Set by the config command

11:52:13 PST Dec 13 2024
Just Active Active Drain Set by the config command

11:52:13 PST Dec 13 2024
Active Drain Active Applying Config Set by the config command

11:52:13 PST Dec 13 2024
Active Applying Config Active Config Applied Set by the config command

11:52:13 PST Dec 13 2024
Active Config Applied Active Set by the config command

12:00:27 PST Dec 13 2024
Active Standby Ready Other unit wants me Standby

When the problem happens for people, they show connected to the standby ASA via show vpn-sessiondb anyconnect but not on the primary ASA.


The log has a timestamp of 18 Dec and the history doesn't show anything at that date and time,
so it is not related to the status of HA, but let me check something.
I will send you a PM about it.

MHM
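The two checks suggested in this thread (whether a WebVPN session that appears on the standby was replicated from the active unit via a 720042 message, and whether any failover transition in "show failover history" lines up with the syslog timestamps) can be automated. The script below is an added example written for this thread; it is not code from Cisco or from any poster. It parses the standby syslog lines quoted in the original post (user name replaced with the constructed placeholder "alice") and a constructed excerpt of "show failover history" in the format shown above, then reports for each session created on the standby whether it was preceded by a sync message from the active unit and whether a failover transition occurred within a 10-minute window (the window size is an arbitrary choice).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the standby-unit syslog lines quoted in the original post,
# with the redacted user name replaced by the placeholder "alice".
STANDBY_SYSLOG = """\
Dec 18 2024 09:54:30: %ASA-6-721018: (WebVPN-Secondary) WebVPN session for client user alice has been deleted.
Dec 18 2024 11:05:10: %ASA-7-720042: (VPN-Secondary) Receiving Create WebVPN Session message user alice from active unit
Dec 18 2024 11:05:10: %ASA-6-721016: (WebVPN-Secondary) WebVPN session for client user alice has been created.
Dec 18 2024 17:26:51: %ASA-7-720042: (VPN-Secondary) Receiving Delete WebVPN Session message user alice from active unit
"""

# Constructed excerpt of "show failover history" in the layout shown in the thread.
FAILOVER_HISTORY = """\
==========================================================================
From State To State Reason
==========================================================================
11:52:13 PST Dec 13 2024
Standby Ready Just Active Set by the config command

12:00:27 PST Dec 13 2024
Active Standby Ready Other unit wants me Standby
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser (?P<user>\S+)")
HIST_TS_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \w+ (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4})$"
)


def parse_syslog(text):
    """Return one dict per ASA syslog line: timestamp, severity, message id, user, text."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        u = USER_RE.search(m["msg"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "sev": int(m["sev"]),
            "id": m["id"],
            "user": u["user"] if u else None,
            "msg": m["msg"],
        })
    return events


def parse_failover_history(text):
    """Return [{'ts': datetime, 'transition': str}] from 'show failover history' output.

    A timestamp line is followed by the From/To/Reason line; detail lines such as
    'This host:1' or 'single_vf: INSIDE' are ignored.
    """
    transitions = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        m = HIST_TS_RE.match(line)
        if m:
            pending = datetime.strptime(
                f"{m['mon']} {m['day']} {m['year']} {m['time']}", "%b %d %Y %H:%M:%S"
            )
            continue
        if pending is not None:
            transitions.append({"ts": pending, "transition": line})
            pending = None
    return transitions


def classify_standby_sessions(events, transitions, window=timedelta(minutes=10)):
    """For each WebVPN session created on the standby (721016), decide whether it was
    replicated from the active unit (a 720042 'Create WebVPN Session' for the same user
    within 2 s beforehand) and whether any failover transition falls within `window`."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != "721016":
            continue
        synced = any(
            prev["id"] == "720042"
            and "Create WebVPN Session" in prev["msg"]
            and prev["user"] == ev["user"]
            and timedelta(0) <= ev["ts"] - prev["ts"] <= timedelta(seconds=2)
            for prev in events[:i]
        )
        nearby = [t for t in transitions if abs(t["ts"] - ev["ts"]) <= window]
        findings.append({
            "user": ev["user"],
            "ts": ev["ts"],
            "origin": "synced_from_active" if synced else "local",
            "failover_nearby": bool(nearby),
            "transitions": nearby,
        })
    return findings


if __name__ == "__main__":
    for f in classify_standby_sessions(parse_syslog(STANDBY_SYSLOG),
                                       parse_failover_history(FAILOVER_HISTORY)):
        print(f"{f['ts']} user={f['user']} origin={f['origin']} "
              f"failover_nearby={f['failover_nearby']}")
```

Run against the quoted lines, the script classifies the 11:05:10 session as synced_from_active with no failover transition nearby, which is the point made by the second and fourth replies: a 721016 on the standby that is immediately preceded by a 720042 is state replication, not evidence that the client actually terminated on the standby. A 721016 with origin "local" on a standby unit, or one that coincides with a transition in the failover history, would be the case worth escalating with packet captures from both units.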

Some additional information.  When this occurs, the user has an active session on the secondary unit but not the primary.  When trying to log off the session the secondary indicates that can only be done from the primary (as it should).  When the log off is attempted from the primary, it indicates the session is invalid.  I've tried rebooting the pair but the problem continues.