Backup Servers with AnyConnect

Douglas Holmes
Level 1

I have been working on setting up backup servers with AnyConnect.  My use case is pretty narrow.  Clients are running AnyConnect for Linux (Debian Wheezy) version anyconnect-linux-4.0.00064-k9.pkg.  Don't try to find it because you want a copy.  This copy was compiled just for me. 

I have configured two ASA devices for use.  One as the primary and the other as a backup.  Both have certificates signed by the same CA.  Client device is configured using a local certificate store.  This is a known working good configuration.  All client connections are from command line.  There is no interaction between a user and AnyConnect.  It is done purely by scripts. 

The script runs for 2 minutes and then rests for 2 minutes.  It does the following:

/etc/init.d/vpnagentd restart

/opt/cisco/anyconnect/bin/vpn connect "device name"

if it fails it then runs

/opt/cisco/anyconnect/bin/vpn disconnect "device name"

/etc/init.d/vpnagentd restart

/opt/cisco/anyconnect/bin/vpn connect "device name"

It will run until a connection is made. 

Now I just want to add a secondary server in the case the primary doesn't respond or is not available.  Of course this is in my lab and not in the real world.  I can test by shutting down the outside interface on the primary for testing. 

I have only modified the AnyConnect Profile to add the secondary server. 

I do not want to run optimal gateway.  I added the following to my AnyConnect Profile.  No other changes were made. 

<BackupServerList>
    <HostAddress>dornfest.aisrs.local</HostAddress>
</BackupServerList>

and

<ServerList>
    <HostEntry>
        <HostName>hunkydory.aisrs.local</HostName>
        <HostAddress>hunkydory.aisrs.local</HostAddress>
        <PrimaryProtocol>IPsec
            <StandardAuthenticationOnly>true
                <AuthMethodDuringIKENegotiation></AuthMethodDuringIKENegotiation>
            </StandardAuthenticationOnly>
        </PrimaryProtocol>
    </HostEntry>
    <HostEntry>
        <HostName>dornfest.aisrs.local</HostName>
        <HostAddress>dornfest.aisrs.local</HostAddress>
        <PrimaryProtocol>IPsec
            <StandardAuthenticationOnly>true
                <AuthMethodDuringIKENegotiation></AuthMethodDuringIKENegotiation>
            </StandardAuthenticationOnly>
        </PrimaryProtocol>
    </HostEntry>
</ServerList>

When I manually attempt to connect with the primary ASA offline, AnyConnect tries the down server first.  When it fails it then goes to the secondary.  However, I get an AnyConnect error of "Ipsec engine encountered an error".  I do not see any attempts in the ASA logs.  Configuration is attached. 

Any suggestions? 

5 Replies

Philip D'Ath
VIP Alumni

I think only SSL VPN supports failover, not IKEv2.  Try changing over to using SSL.

My Cisco rep gave me that as a solution.  Unless it's supported for IPsec, it's really not usable for me.  Thanks for your response. 

Try creating one DNS entry with the IP addresses of both ASAs.  It may round-robin between them.  Not what you really wanted, but it might fail over better.

I use an /etc/hosts file entry to control DNS.  On our trusted workstation we don't trust the Internet for anything.  Therefore we don't use any resources there, just a method by which to access the trusted network by tunneling across.  I think my next step is to just configure two connections with two profiles and then write a script to do what I need.  Thank you for your responses. 

I agree.  I think using two separate connection profiles will be the most robust approach.
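The approach the thread settles on, the client rather than the profile doing the failover, looks like the following. This is an added example, not code from the original post or from Cisco: it generalizes the retry script in the question (restart vpnagentd, connect, on failure disconnect and try again, rest, repeat) into a loop that walks an ordered gateway list, so the backup is tried only after the primary fails. It assumes the paths from the thread (/opt/cisco/anyconnect/bin/vpn, /etc/init.d/vpnagentd), the two gateway names from the profile, that both names resolve (the poster pins them in /etc/hosts), that `vpn connect` exits non-zero when it cannot bring the tunnel up, and that `vpn state` prints a line containing "state: Connected" once it is up. VPN_BIN and AGENT_INIT are hypothetical override variables added so the functions can be exercised without a real client.

```shell
#!/bin/sh
# Added example: a retry/failover wrapper around the AnyConnect CLI, not code
# from the original post. Paths and gateway names are the ones from the
# thread; VPN_BIN and AGENT_INIT are override hooks introduced here.

VPN_BIN="${VPN_BIN:-/opt/cisco/anyconnect/bin/vpn}"
AGENT_INIT="${AGENT_INIT:-/etc/init.d/vpnagentd}"
# Gateways in the order to try; the first is the primary.
GATEWAYS="${GATEWAYS:-hunkydory.aisrs.local dornfest.aisrs.local}"
CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-120}"   # seconds per connect attempt (the post's "2 minutes")
RETRY_PAUSE="${RETRY_PAUSE:-120}"           # seconds to rest after every gateway failed

restart_agent() {
    "$AGENT_INIT" restart >/dev/null 2>&1 || true
}

# Run a command under coreutils timeout(1) when the VPN binary is a real
# executable and timeout is installed; otherwise run it directly.
run_limited() {
    if [ -x "$VPN_BIN" ] && command -v timeout >/dev/null 2>&1; then
        timeout "$CONNECT_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# Assumption: "vpn state" prints a line containing "state: Connected" while
# the tunnel is up.
is_connected() {
    "$VPN_BIN" state 2>/dev/null | grep -q 'state: Connected'
}

# Try one gateway: tear down any half-open session, restart the agent,
# connect, then confirm with "vpn state" instead of trusting the exit code.
try_gateway() {
    host=$1
    "$VPN_BIN" disconnect >/dev/null 2>&1 || true
    restart_agent
    if run_limited "$VPN_BIN" connect "$host" >/dev/null 2>&1 && is_connected; then
        return 0
    fi
    return 1
}

# Walk the gateway list in order. Prints the gateway that answered and
# returns 0, or returns 1 when none did. The profile's BackupServerList is
# not involved; the ordering here is the failover policy.
connect_any() {
    for gw in $GATEWAYS; do
        if try_gateway "$gw"; then
            echo "$gw"
            return 0
        fi
    done
    return 1
}

# Keep trying until a tunnel is up, resting RETRY_PAUSE seconds between passes.
main_loop() {
    while :; do
        if gw=$(connect_any); then
            logger -t vpn-failover "connected via $gw" 2>/dev/null || echo "connected via $gw"
            return 0
        fi
        sleep "$RETRY_PAUSE"
    done
}

# Only start the loop when explicitly asked, so the file can also be sourced.
if [ "${RUN_VPN_FAILOVER:-0}" = 1 ]; then
    main_loop
fi
```

Run it as `RUN_VPN_FAILOVER=1 sh vpn-failover.sh` from the same cron job or init script that drives the current loop. Because each gateway is passed to `vpn connect` by its own name, each attempt is still authenticated against that gateway's certificate from the shared CA, exactly as the single-gateway setup was; the client does not need to accept anything it would not already accept, it just changes which name it tries next. One caveat: `vpn state` output and the exit status of `vpn connect` are assumptions about the CLI, so check them once by hand on the client before relying on them unattended.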
