04-17-2020 04:31 AM
Hello,
I am having issues because when the secondary FTD works as active, new remote access connections do not work. I am getting the following message:
"Anyconnect was not able to establish a connection to the specified secure gateway"
After running a debug, I can see the following output:
vpn_put_uauth failed for ip X.X.X.X!
unNot calling vpn_remove_uauth: never added for ip X.X.X.X!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL
Keep in mind that Remote Access connections work well on the primary FTD but not on the secondary FTD when it acts as the Active gateway. Thank you.
Best Regards.
04-17-2020 05:26 AM
They should have configured stateful switchover. Is this only a VPN issue, or is other traffic also failing?
Here is an example config to review:
04-17-2020 05:34 AM - edited 04-17-2020 05:36 AM
Apparently only new RA VPN sessions fail. Existing sessions continue working without any disruption.
What exactly should I check in the document you have shared with me? I am looking at the current HA configuration on the devices and they look OK and synchronized. Thank you very much for the help.
04-17-2020 06:57 AM
Depends on how you configured it. In general, RA VPN sessions should not be dropped.
RA VPN—Remote access VPN end users do not have to reauthenticate or reconnect the VPN session after a failover. However, applications operating over the VPN connection could lose packets during the failover process and not recover from the packet loss.