03-27-2020 08:00 AM
We recently added a pair of HA ASA's to our internet edge and I now want to seamlessly integrate this new headend into the profiles of existing AC users.
I proceeded to duplicate the profile from the existing ASA and added the two new entries (IPSec and SSL) to the sever list. Now both ASA's have the exact same profile installed for the clients.
This is working for the most part, but I'm not seeing as many clients move over to the new ASA as expected. The new one is at the top of the server list in the updated profile.
Somehow the preferences.xml file is play a role here and hanging on to previous session information.
So my question is, how can I now force users to ignore their preferences and connect to the new default headend ASA?
Thanks.
03-27-2020 08:27 AM
One suggestion if the profile based on DNS FQDN, so put your New ASA DNS Entries as top priority,
03-27-2020 08:36 AM
Yes, my headend ASA's are referenced by FQDN and I already have listed in the profile according to priority, if that's what you mean.
03-27-2020 09:50 AM
Hi,
In order to come up with a functional solution, long term, provide the following information:
- how many ASA's (HA pair is considered 1 ASA) do you totally have and how many AnyConnect Licenses do you have
- does a single ASA support all sessions? Is this what you want or want some kind of balancing of the sessions
- are all ASA's in the same location, geographically speaking, in the same place in the network
Regards,
Cristian Matei.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide