Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
695
Views
0
Helpful
3
Replies

FTD - New AnyConnect sessions do not work after Failover

morabusa
Level 1
Level 1

‎04-17-2020 04:31 AM

Hello, 

I am having issues because when the secondary FTD work as active, new remote access connections do not work, I am getting the following message:

"Anyconnect was not able to establish a connection to the specified secure gateway"

After run a debug, I can see the following output:

vpn_put_uauth failed for ip X.X.X.X!
unNot calling vpn_remove_uauth: never added for ip X.X.X.X!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL

Take in mind that it Remote Access connections work well in the primary FTD but not in the secondary FTD when it acts like Active gateway. Thank you.

Best Regards.

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎04-17-2020 05:26 AM

they should have configured statefull switch over, is this only VPN issue or other traffic also failing.

 

here is example config to review :

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html#anc12

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

morabusa
Level 1
Level 1
In response to balaji.bandi

‎04-17-2020 05:34 AM - edited ‎04-17-2020 05:36 AM

Apparently only new RA VPN sessions fail. Existent sessions continue working without any disruption.

What should I have exactly to check in the document you have shared with me? I am looking the current HA configuration in devices and they look ok and synchronized. Thank you very much for the help.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to morabusa

‎04-17-2020 06:57 AM

depends on how you configured in general RA VPN session should not be dropped

 

RA VPN—Remote access VPN end users do not have to reauthenticate or reconnect the VPN session after a failover. However, applications operating over the VPN connection could lose packets during the failover process and not recover from the packet loss.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-ha.html#concept_DDE8EA39C8A144A6A0AD3B6D0656F95E

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents