Redundant AnyConnect Install

changedman
Level 1

So we have AnyConnect VPN set up on two ASAs using IPsec, one backing up the other.

Problem is users can only connect using IPsec to one ASA at a time using the profile stored on the machine. When the connection is changed to the backup ASA VPN, the client tries to connect to it using SSL, which is not allowed on that interface.

 

How can I make the client use the single profile on users' machines, which tells it to use IPsec to set up the tunnel, for both VPNs? From a redundancy point of view, we need users to be able to connect to either of the ASAs.

 

Any solutions and suggestions will be highly appreciated.

4 Replies

Ben Walters
Level 4

Have you looked at the config on each firewall and confirmed that they are the same?

 

The AnyConnect profile XML only specifies settings for the client, not the actual method of tunneling; that is determined by the firewall when a user attempts a connection with valid credentials.

 

I would verify the group policies for the connection profiles and make sure the user trying to connect is part of the correct group, where the connection profile would use an IPsec tunnel.

changedman

Thanks Ben. The configs are not exactly identical, but they both work. When the client has successfully connected to one ASA using IPsec, it refuses to negotiate a new connection to the other ASA using the same profile. From the DART log, I can see a message that reads "no profile available", then it defaults to an SSL connection. If you change the VPN client again, it reads the profile just fine. The problem is the same whichever way I switch the host.

Ben Walters

Could you share a sanitized version of your XML client profiles? Also, do both ASAs have the same profile, or do they just have the gateways switched?

changedman (Accepted Solution)

Apologies for the late response and thank you for your input.

I finally figured out what the problem was. The ASA associates a profile to a host, and both my ASAs were using identically named profiles. When the client connects to a host, it saves the connection details in the preferences.xml file. When the client tries to connect to another host, it expects another client profile (which I didn't have), failing which it defaults to trying to negotiate an SSL connection. To solve this, I created different profiles for each ASA and imported both to the client machine. When consultants need to connect to the VPN, they can select whatever ASA and the matching client profile, and all works perfectly.
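An alternative to the two-profile workaround above is a single AnyConnect client profile that lists both ASAs as separate HostEntry elements, each pinned to IPsec. The profile below is an added example, not the poster's profile or Cisco's; the display names (vpn-primary, vpn-backup) and the addresses vpn1.example.com / vpn2.example.com are placeholders. Because PrimaryProtocol is set per HostEntry, whichever gateway the user picks from the drop-down is negotiated over IPsec/IKEv2 rather than falling back to SSL, and the BackupServerList in each entry lets the client retry the other ASA if the chosen one is unreachable.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile; host names and addresses are placeholders, not the poster's. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <!-- Primary ASA: this entry is pinned to IPsec, so the client will not
         try SSL against it even when no per-host preference has been saved. -->
    <HostEntry>
      <HostName>vpn-primary</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
      <BackupServerList>
        <HostAddress>vpn2.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <!-- Backup ASA: its own entry, also pinned to IPsec, so a user who selects
         it explicitly gets the same transport as for the primary. -->
    <HostEntry>
      <HostName>vpn-backup</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
      <BackupServerList>
        <HostAddress>vpn1.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

For this to work with a single file, both ASAs must push the identical profile under the same profile name (`anyconnect profiles NAME disk0:/NAME.xml` under `webvpn`, referenced with `anyconnect profiles value NAME type user` in the group policy), otherwise each connection overwrites the client's copy with whichever ASA's version was pushed last, which reproduces the "no profile available" behaviour seen in the DART log. Whether a backup-list address is attempted with the parent entry's PrimaryProtocol should be confirmed in DART on the client version in use; that is an assumption here, not something the thread establishes.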