02-23-2016 08:16 AM - edited 02-21-2020 08:41 PM
I have been working on setting up backup servers with AnyConnect. My use case is pretty narrow. Clients are running AnyConnect for Linux (Debian Wheezy) version anyconnect-linux-4.0.00064-k9.pkg. Don't try to find it because you want a copy. This copy was compiled just for me.
I have configured two ASA devices for use. One as the primary and the other as a backup. Both have certificates signed by the same CA. Client device is configured using a local certificate store. This is a known working good configuration. All client connections are from command line. There is no interaction between a user and AnyConnect. It is done purely by scripts.
The script runs for 2 minutes and then rests for 2 minutes. It does the following:
/etc/init.d/vpnagentd restart
/opt/cisco/anyconnect/bin/vpn connect "device name"
if it fails it then runs
/opt/cisco/anyconnect/bin/vpn disconnect "device name"
/etc/init.d/vpnagentd restart
/opt/cisco/anyconnect/bin/vpn connect "device name"
It will run until a connection is made.
Now I just want to add a secondary server in the case the primary doesn't respond or is not available. Of course this is in my lab and not in the real world. I can test by shutting down the outside interface on the primary for testing.
I have only modified the AnyConnect Profile to add the secondary server.
I do not want to run optimal gateway. I added the following to my AnyConnect Profile. No other changes were made.
<BackupServerList>
    <HostAddress>dornfest.aisrs.local</HostAddress>
</BackupServerList>
and
<ServerList>
    <HostEntry>
        <HostName>hunkydory.aisrs.local</HostName>
        <HostAddress>hunkydory.aisrs.local</HostAddress>
        <PrimaryProtocol>IPsec
            <StandardAuthenticationOnly>true
                <AuthMethodDuringIKENegotiation></AuthMethodDuringIKENegotiation>
            </StandardAuthenticationOnly>
        </PrimaryProtocol>
    </HostEntry>
    <HostEntry>
        <HostName>dornfest.aisrs.local</HostName>
        <HostAddress>dornfest.aisrs.local</HostAddress>
        <PrimaryProtocol>IPsec
            <StandardAuthenticationOnly>true
                <AuthMethodDuringIKENegotiation></AuthMethodDuringIKENegotiation>
            </StandardAuthenticationOnly>
        </PrimaryProtocol>
    </HostEntry>
</ServerList>
When I manually attempt to connect with the primary ASA offline, AnyConnect tries the down server first. When it fails it then goes to the secondary. However, I get an AnyConnect error of "Ipsec engine encountered an error". I do not see any attempts in the ASA logs. Configuration is attached.
Any suggestions?
02-23-2016 12:22 PM
I think only SSL VPN supports failover, not IKEv2. Try changing over to using SSL.
02-23-2016 03:30 PM
My Cisco rep gave me that as a solution. Unless it's supported for IPSEC, then it's really not usable for me. Thanks for your response.
02-23-2016 06:17 PM
Try creating one DNS entry with the IP address of both ASAs. It may round robin around them. Not what you really wanted, but might fail over better.
02-24-2016 03:01 AM
I use an /etc/host file entry to control DNS. In our trusted workstation we don't trust the Internet for anything. Therefore we don't use any resources there, just a method by which to access the trusted network by tunneling across. I think my next step is to just configure two connections with two profiles and then write a script to do what I need. Thank you for your responses.
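The retry loop from the first post, carried through to the two-host fallback the poster decides on here, as an added example (not a script from the thread): each ASA from the profile is tried in order with the same restart/disconnect/connect recovery, and the whole list is retried after the rest period. The VPN_BIN, AGENT_INIT and RETRY_SECS overrides are assumptions added so the logic can be exercised without an AnyConnect install; the paths and hostnames are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the AnyConnect CLI described in
# the first post with an ordered client-side failover across two host entries.
# VPN_BIN / AGENT_INIT / RETRY_SECS are assumed overridable for testing.
VPN_BIN="${VPN_BIN:-/opt/cisco/anyconnect/bin/vpn}"
AGENT_INIT="${AGENT_INIT:-/etc/init.d/vpnagentd}"
RETRY_SECS="${RETRY_SECS:-120}"

restart_agent() {
    "$AGENT_INIT" restart >/dev/null 2>&1
}

# One attempt against a single host entry, mirroring the recovery sequence
# from the thread: restart agent, connect; on failure disconnect, restart, retry.
try_host() {
    h=$1
    restart_agent
    if "$VPN_BIN" connect "$h" >/dev/null 2>&1; then
        return 0
    fi
    "$VPN_BIN" disconnect "$h" >/dev/null 2>&1
    restart_agent
    "$VPN_BIN" connect "$h" >/dev/null 2>&1
}

# Try each host in the order given; print the one that connected and
# return 0, or return 1 when every host failed.
connect_with_failover() {
    for host in "$@"; do
        if try_host "$host"; then
            printf '%s\n' "$host"
            return 0
        fi
    done
    return 1
}

# Keep cycling through both ASAs, resting between passes, until one connects.
main() {
    until connect_with_failover hunkydory.aisrs.local dornfest.aisrs.local; do
        sleep "$RETRY_SECS"
    done
}

# Run the loop only when invoked as: sh anyconnect-failover.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```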
02-24-2016 10:38 AM
I agree. I think using two separate connection profiles will be the most robust approach.