Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22297
Views
5
Helpful
6
Replies

ASA and AnyConnect - Automatically Select Best Server

Go to solution
Mark H
Level 1
Level 1

‎05-28-2014 10:40 PM - edited ‎02-21-2020 07:39 PM

If I have two servers in different regions, is it possible to have the AnyConnect client connect to the server it has the least latency too?

I'm sure I have seen a reference to this before but I am struggling to find any documentation on it. For example, I have an ASA in Europe and another ASA in North America. I would like for the AnyConnect client to automatically determine which server it has the smallest response time too and use that to connect too.

I would appreciate if someone can point me in the right direction.

Thanks,

Mark

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
JIM JESCHKE
Level 1
Level 1

‎06-02-2014 09:06 AM

Go to the VPN Preferences tab in the AnyConnect client settings and check the box for "Enable automatic VPN server selection".  This should get you what you are asking for.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎05-28-2014 11:42 PM

Hi Mark,

         No such features is available in any connect , which can determine automatically the head server based on Latency response , You can define only Back up server , in case your primary head end fails , it initiates connection to secondary head end server 

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24/ac03features.html#wp1089961

 

Configuring Backup Server List Parameters

You can configure a list of backup servers the client uses in case the user-selected server fails. These servers are specified in the AnyConnect client profile, in the ClientInitialization section. In some cases, the BackupServerList might specify host specific overrides.

These parameters do not have default values; that is, if you do not specify a parameter, it is simply not in effect. Table 3-16 lists these parameters and defines their possible values.

Note Include the BackupServerList section in a profile only if you want to specify backup servers.

 

Table 3-16 Backup Server Parameters 

Name
Possible Values
Description
Examples

BackupServerList

 
n/a

Group identifier

 
<BackupServerList>...</BackupServerList>

HostAddress

 
An IP address or a 
Full-Qualified 
Domain Name (FQDN)

Specifies a host address to include in the backup server list.

 
<BackupServerList>

   <HostAddress>bos</HostAddress> 
   
<HostAddress>bos.example.com</HostAddress>

</BackupServerList>

 

22. Q. Does AnyConnect support hunting for different VPN headends (Backup Servers) if one fails?

A. Yes. It's called BackupServerList option in profile (CSCsj88360). Update your AnyConnect profile with the following entries and push it down to the clients from the ASA group-policy.

 

<ServerList>

 

<HostEntry>

 

<HostName>Primary Server</HostName>

 

<HostAddress>x.x.x.x</HostAddress>

 

<BackupServerList>

 

<HostAddress>y.y.y.y</HostAddress>

 

</BackupServerList>

 

</HostEntry>

 

</ServerList>

 

HTH

Sandy

0 Helpful

Go to solution
JIM JESCHKE
Level 1
Level 1

‎06-02-2014 09:06 AM

Go to the VPN Preferences tab in the AnyConnect client settings and check the box for "Enable automatic VPN server selection".  This should get you what you are asking for.

0 Helpful

Go to solution
Mark H
Level 1
Level 1
In response to JIM JESCHKE

‎06-02-2014 03:36 PM

Perfect, thanks!

0 Helpful

Go to solution
Silvanoshi
Level 1
Level 1
In response to JIM JESCHKE

‎06-06-2019 09:11 AM

Is there any way to have that rolled out in the Profile?  I just went through a migration, and part of that was to upgrade the clients.  When a user was upgraded, and "Quit" the application to re-open it (Apply the downloaded profile), the box was checked to "Enable automatic VPN server selection".  This is not an issue for tech savvy individuals, but the standard user does not tend to look around for answers.  I was looking through the Profile editor and I do not see anywhere to configure that.  I am using version 4.7.02036, and the matching profile editor.  Thanks in advance.

 

-Robert

0 Helpful

Go to solution
Silvanoshi
Level 1
Level 1
In response to Silvanoshi

‎06-06-2019 09:39 AM

Never mind, I figured it out.
In the profile I just edited it to show the following:
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>

Go to solution
Garry Cross
Level 1
Level 1
In response to JIM JESCHKE

‎04-27-2022 12:14 PM

In the case of 4.9.06037 and onward I suspect, it is called Enable Optimal Gateway Selection, and still maps to EnableAutomaticServerSelection in the vpn profile xml file.

I do not know the version of Profile Editor where they changed this.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents