12-18-2013 02:33 AM - edited 02-21-2020 07:24 PM
Dear engineers,
I set up a Cisco 5525-X failover cluster with ASA 9.1(4) for a customer which worked flawlessly. The customer also ordered SSLVPN connectivity via AnyConnect client. The login on either box (whichever is primary at this moment) is successful.
The problem appears during and after failover. I thought that the ASA is able to keep the SSLVPN client connections active and that they move to the failover peer because the log entry on the standby unit looks like this.
Dec 18 2013 11:24:09: %ASA-6-721016: (WebVPN-Secondary) WebVPN session for client user test, IP 199.199.199.200 has been created.
When the client is connected to the primary active unit and I provoke a failover through disconnecting the LAN or INTERNET link, the failover takes place but the AnyConnect client loses the connection and the user has to reestablish the connection manually.
Primary Unit:
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover mac address GigabitEthernet0/0 0200.0c07.ac00 0200.0c07.ac01
failover mac address GigabitEthernet0/1 0200.0c07.ac10 0200.0c07.ac11
failover mac address Management0/0 0200.0c07.ac80 0200.0c07.ac81
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.255.255.253 255.255.255.252 standby 10.255.255.254
Secondary Unit:
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/7
failover mac address GigabitEthernet0/0 0200.0c07.ac00 0200.0c07.ac01
failover mac address GigabitEthernet0/1 0200.0c07.ac10 0200.0c07.ac11
failover mac address Management0/0 0200.0c07.ac80 0200.0c07.ac81
failover link FAILOVER GigabitEthernet0/7
failover interface ip FAILOVER 10.255.255.253 255.255.255.252 standby 10.255.255.254
The ASA cluster has a 250 Premium User SSLVPN license and also an AnyConnect Mobile license.
Your inputs are really appreciated.
Thanks a lot
Florian
06-13-2014 12:06 PM
Try upgrading to 9.1.5. This is a closed caveat on from 9.1.4.
CSCul84216
ASA - Remote access VPN sessions are not replicated to Standby unit