Connecting to backup server fails because of default tunnel group

mcgiga (Level 1)

Hi,

I have configured AnyConnect VPN, and connecting to the primary ISP is working. In the profile XML I have two backup ISP connections in case the primary/secondary is not available.

When connecting to the secondary ISP, the connection is blocked because of a wrong tunnel group. It always falls back to the default group. The primary ISP connection has a tunnel group associated in the profile XML. Backup servers don't have that entry.

Logging shows:


1 AAA user authentication Successful : local database : user = test
2 AAA group policy for user test is being set to RAVPN1
3 AAA retrieved user specific group policy (RAVPN1) for user = test
4 AAA retrieved default group policy (DfltGrpPolicy) for user = test
5 AAA transaction status ACCEPT : user = test
6 Group <RAVPN1> User <test> IP <10.10.10.10> Terminating the VPN connection attempt from <DefaultWEBVPNGroup> . Reason: This connection is group locked to <RAVPN1>.


Why is that happening, and how can I force the RAVPN1 tunnel group to be used on the backup servers?

3 Replies

mcgiga (Level 1)

I have found this bug: CSCvv95822 : Bug Search Tool (cisco.com)

It reads like my problem. Unfortunately the suggested workaround (2. reconfigure the XML profile and extend the FQDN of the backup servers by adding the tunnel group name) doesn't work. I have added the tunnel group behind the FQDN, i.e. vpn.hostname.com/RAVPN1.

Maybe I am doing it wrong or something else.

@mcgiga seems like you have a tunnel group lock in place, restricting connections.

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html#anc5

For backup VPN, configure the AnyConnect/Secure Client XML profile with a backup server using an FQDN which resolves to the backup ISP IP address, and use the group-url functionality under the tunnel-group to point to the backup FQDN.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html#MAINTASK2
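The layout the reply above describes, written out as an added example profile (this is not the poster's profile or Cisco's sample; the host names vpn1/vpn2/vpn3.example.com and the display name are assumptions, while the tunnel group name RAVPN1 is taken from the thread). The point it shows is that the AnyConnect profile schema lets a primary HostEntry carry a UserGroup, but the HostAddress elements inside BackupServerList carry none, so the client has nothing to send for the backup FQDNs and the ASA lands them in DefaultWEBVPNGroup unless it maps those FQDNs to a tunnel group itself:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (assumed names), not the thread poster's own file -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <!-- Name shown in the client's server drop-down (assumed) -->
      <HostName>Corp VPN</HostName>
      <!-- Primary ISP FQDN (assumed); UserGroup selects tunnel group RAVPN1 -->
      <HostAddress>vpn1.example.com</HostAddress>
      <UserGroup>RAVPN1</UserGroup>
      <!-- Backup ISP FQDNs (assumed). The schema allows only HostAddress
           here, no UserGroup, so the tunnel group cannot be pinned from
           the client side for these entries. -->
      <BackupServerList>
        <HostAddress>vpn2.example.com</HostAddress>
        <HostAddress>vpn3.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

On the ASA side, the reply's suggestion is to bind the backup FQDNs to the tunnel group with `tunnel-group RAVPN1 webvpn-attributes` followed by `group-url https://vpn2.example.com enable` and `group-url https://vpn3.example.com enable` (host names assumed as above), so that a client arriving on either backup address is selected into RAVPN1 by URL rather than by the UserGroup the profile cannot supply. The group-lock visible in the log then has a matching tunnel group to compare against instead of DefaultWEBVPNGroup; the log line "Terminating the VPN connection attempt from <DefaultWEBVPNGroup>" is the check to repeat after the change.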


mcgiga (Level 1)

Yes, there is a tunnel group lock active. When I remove it, the backup VPN connection still falls to the default tunnel group but is denied (expected behavior).

I already tried to insert the group-url in the tunnel-group for the vpn1, vpn2 and vpn3 FQDNs, but the issue didn't change.

[Attachment: 1.PNG]