Using "backup server list" in Anyconnect XML for client failover

tryingtofixit
Level 1

Confused in setting up "backup server list" in the AnyConnect XML vs. the "backup servers".

The Cisco docs indicate that "backup server list" overwrites the "backup servers."

Using RADIUS auth, no LDAP here.

I have two endpoints, d1.vpn.com and d2.vpn.com.

In the backup server list config the primary is set as d1.vpn.com, and in the backup server list d2.vpn.com is on top, with d1.vpn.com on the bottom.

Details for backup servers, from the ASDM, are:

d2.vpn.com

d1.vpn.com

I am setting up the ASA that will be hosting d1.vpn.com, with d2.vpn.com as its backup.

The Cisco docs don't help that much. Am I on the right track here?

10 Replies

ccieexpert
Spotlight

Still clear as mud! And they are mentioning LDAP in the listed link. I need my local AnyConnect clients to connect to d1vpn.com; if that fails, then go to d2vpn.com. I am not using IPs but FQDNs for my "backup server list" servers' addresses.

BlakeBratu
Cisco Employee

The global 'backup servers' option in the AnyConnect XML profile is universal for every server list entry. If you create a backup server list specific to a server list entry, that will take precedence.

If I take the global backup server list and it is a list of blake1.com and blake2.com, each server list entry in that XML profile will use that list if the primary defined FQDN is not available.

If I take a server list entry and create my own backup server list in that entry, that list will take precedence over the global backup server list.

Both options function the way you want them to work (failing over to d2vpn.com if d1vpn.com is not available).


Do I need to repeat d1vpn.com in the backup server list if it is defined as the primary FQDN?

Why would I want to use the backup server list over the "backup servers"?

Thanks!

What do most customers use?


Hi @tryingtofixit, your primary FQDN should not be in the backup server list.

The 'backup servers' list is global, and applies to all server list entries. The 'backup server list', found in the server list, is specifically for that server list entry. It ignores the global backup server list.

For simplicity, I'd suggest just using the backup server list found in the server list entry.

Here's an example of how it should be configured:

[Screenshot: BlakeBratu_0-1721757494528.png]

Thank you so much for the screenshot. Next, we are going to migrate VPN users off our old primary to d1vpn.com till we can make the same changes to our old primary, now reborn as "d2vpn.com". Seems to me I should have d2vpn.com as the primary and d1vpn.com as the backup; this way AnyConnect will not see a d2vpn.com and will connect to d1vpn.com. Once I get d2vpn.com up and going, I can deactivate my profiles on d1vpn.com, simulating a failure, and clients will have to connect to d2vpn.com. Or is there a better way?

The global backup servers are for when you have a lot of VPN headends and don't want to configure backups for each headend. But for 2 headends, mentioning it in the host entry is better.

Keep in mind that if you keep d2 as primary and it's offline, it can take 30 seconds or more to time out and then fail over to the backup peer, which is not ideal... I would suggest you change your logical names in the profile (primary and backup) and point to d1 and d2 (you can change that later when d2 is online).

Also it is perfectly fine to put both d1 and d2 in your profile as separate entries (and each other as backup)... just create logical entries for them, d1=primary, d2=backup, so users can see it, and also change the profile logical name when things change.

I don't have your config, but you can easily test this to get a feel for it by just putting a single user in a different group policy and using this new profile, before rolling it out globally. That way you can test how you can change profile settings and see the impact.
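As an added illustration of the two replies above (the per-entry backup server list that the screenshot answer recommends, and the suggestion to put d1 and d2 in the profile as separate entries with each other as backup), here is a constructed AnyConnect client profile plus a small Python parser that works out which addresses the client will try for each entry under the precedence rule stated in this thread: an entry's own BackupServerList wins, and only an entry without one uses the global BackupServers. This is example code, not from the thread, from Cisco, or from the poster's configuration. The element names follow the AnyConnect client profile layout; d1.vpn.com and d2.vpn.com are the thread's hostnames, while lab.vpn.com, the HostName labels and the Python function names are made up for the example. A second constructed profile reproduces the mistake asked about above (primary repeated in its own backup list) so the lint check has something to flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread or from Cisco). d1.vpn.com and
# d2.vpn.com are the thread's hostnames; lab.vpn.com and the HostName labels are
# made up. Element names follow the AnyConnect client profile layout.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Global "backup servers": used only by entries without their own list -->
    <BackupServers>
      <HostAddress>d2.vpn.com</HostAddress>
    </BackupServers>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPN Primary (d1)</HostName>
      <HostAddress>d1.vpn.com</HostAddress>
      <!-- Per-entry "backup server list": overrides the global list -->
      <BackupServerList>
        <HostAddress>d2.vpn.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>VPN Backup (d2)</HostName>
      <HostAddress>d2.vpn.com</HostAddress>
      <BackupServerList>
        <HostAddress>d1.vpn.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Lab (no own list, falls back to global)</HostName>
      <HostAddress>lab.vpn.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed mistake from the question above: the primary FQDN repeated in its
# own backup list. Retrying an address that is already down only costs another
# timeout (the thread mentions 30+ seconds per attempt) before the real backup.
REPEATED_PRIMARY_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN Primary (d1)</HostName>
      <HostAddress>d1.vpn.com</HostAddress>
      <BackupServerList>
        <HostAddress>d2.vpn.com</HostAddress>
        <HostAddress>d1.vpn.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _addresses(parent):
    """HostAddress values directly under parent, in document order ({*} ignores the namespace)."""
    if parent is None:
        return []
    return [e.text.strip() for e in parent.findall("{*}HostAddress") if e.text]


def failover_order(profile_xml):
    """Return {HostName: [primary, backup1, backup2, ...]} for every ServerList entry.

    Precedence as stated in the replies: an entry's own BackupServerList wins;
    only an entry without one uses the global ClientInitialization/BackupServers.
    """
    root = ET.fromstring(profile_xml)
    global_backups = _addresses(root.find("{*}ClientInitialization/{*}BackupServers"))
    order = {}
    for entry in root.iterfind("{*}ServerList/{*}HostEntry"):
        name = entry.findtext("{*}HostName", "").strip()
        primary = entry.findtext("{*}HostAddress", "").strip()  # direct child only
        own_backups = _addresses(entry.find("{*}BackupServerList"))
        order[name] = [primary] + (own_backups or global_backups)
    return order


def lint_profile(profile_xml):
    """Flag entries whose backup list repeats the primary or contains duplicates."""
    problems = []
    for name, chain in failover_order(profile_xml).items():
        primary, backups = chain[0], chain[1:]
        if primary in backups:
            problems.append(f"{name}: primary {primary} is repeated in its backup list")
        if len(set(backups)) != len(backups):
            problems.append(f"{name}: duplicate addresses in backup list")
    return problems


if __name__ == "__main__":
    for name, chain in failover_order(PROFILE_XML).items():
        print(f"{name}: " + " -> ".join(chain))
    print("lint:", lint_profile(REPEATED_PRIMARY_XML))
```

Running it prints the try-order for each entry (d1 then d2, d2 then d1, and the lab entry falling back to the global d2) and one lint finding for the profile that repeats d1.vpn.com. Pointing the parser at an exported profile before pushing it to a group policy is a cheap way to confirm the precedence you expect, in the same spirit as the single-user test group suggested above.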

So to clarify, d2vpn.com is primary, d1vpn.com is secondary. You want to have users try to connect to d2vpn.com, and fail to d1vpn.com in the meantime? Once you get d2vpn.com up, users will connect to that FQDN immediately?

That should work, I believe. @ccieexpert has some deeper insight on why it might not be the best option, though.


My main concern is the huge delay, 30+ seconds, if the primary headend is not alive, until it switches to the backup. That will happen for each connection attempt and each user.

So I would either switch the logical names and point the user to the active unit directly, or put both in the drop-down list as primary and backup and let users pick one or the other. You can still have backup peers configured for both.