Cisco AnyConnect IPSec/SSL Connection

mikiNet
Level 1

Hi Team!

I have a question for you — is it possible to configure AnyConnect to work in the following way:
First, it tries to establish a connection using IPSec, but if it cannot (for example, because the user is at an airport where UDP ports 500/4500 are blocked), and after 2–3 failed attempts, it would then automatically try to establish a connection using SSL?

Or is it necessary to create separate tunnel-groups and group-policies for each connection method?

4 Replies

Ben Weber
Level 1

Unfortunately, AFAIK the answer is no. AnyConnect will not fail-over to the SSL VPN if the IPsec tunnel is down or blocked. You have to create separate tunnel-groups for each transport method, which allows users to toggle between tunnel-groups if IKEv2 ports are blocked.


- BW
Please rate posts if they have been helpful.
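As an added illustration of the "separate tunnel-groups per transport" approach described in the reply above (this is an example configuration written for this page, not the poster's own config), here is an ASA configuration that exposes one IKEv2 tunnel-group and one SSL tunnel-group, each bound to its own group-policy that permits only that transport. The names (GP-IKEV2, GP-SSL, RA-IKEV2, RA-SSL, VPN-POOL, the group aliases) and the interface name `outside` are placeholders; the address pool and AAA settings must already exist on the device.

```text
! Shared address pool (placeholder range, constructed for this example)
ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Group policy that only allows IKEv2/IPsec for the AnyConnect client
group-policy GP-IKEV2 internal
group-policy GP-IKEV2 attributes
 vpn-tunnel-protocol ikev2
 address-pools value VPN-POOL

! Group policy that only allows SSL (TLS/DTLS) for the AnyConnect client
group-policy GP-SSL internal
group-policy GP-SSL attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN-POOL

! Tunnel-group the user picks when IPsec is expected to work
tunnel-group RA-IKEV2 type remote-access
tunnel-group RA-IKEV2 general-attributes
 default-group-policy GP-IKEV2
tunnel-group RA-IKEV2 webvpn-attributes
 group-alias "Corp-IPsec" enable

! Tunnel-group the user switches to when UDP 500/4500 is blocked
tunnel-group RA-SSL type remote-access
tunnel-group RA-SSL general-attributes
 default-group-policy GP-SSL
tunnel-group RA-SSL webvpn-attributes
 group-alias "Corp-SSL" enable

! Expose both aliases in the AnyConnect group drop-down and enable both transports
webvpn
 enable outside
 tunnel-group-list enable
crypto ikev2 enable outside client-services port 443
```

With `tunnel-group-list enable`, the AnyConnect client shows both aliases in its group selector, so a user whose IKEv2 negotiation is blocked can re-select the SSL group; restricting each group-policy to a single `vpn-tunnel-protocol` also keeps the two paths auditable separately in the ASA logs.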

I agree with @Ben Weber, it's been my experience that there is no such failover from IPsec to SSL, however, there is a failover mechanism with SSL VPN if port 443/udp is not allowed, in that case the SSL VPN will stick with port 443 in TCP. May I ask why would you want to use IPsec rather than SSL?

Because IPSec has better performance (it is faster) than SSL.

I personally never noticed any issue or latency with using SSL VPN that would provide any bad user experience. Secure Connect can be configured to use IPsec. However, a big challenge with using IPsec for the remote users is that it's quite common for the IPsec protocol to be blocked or throttled. I think that is one of the reasons why SSL VPN is recommended for remote users VPN and it's a better candidate compared to IPsec.