Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
476
Views
0
Helpful
4
Replies

When Anyconnect premium connections exceeded, will AC client move to next server?

dmooreami
Level 3
Level 3

‎03-16-2020 08:21 AM

We have AnyConnect premium which is limited to 100 concurrent users.

 

When the 101 user tries to connect will the Anyconnect CLIENT (mac or pc) be rejected and move on to the next AnyConnect Server list on the client?I know that if an Anyconnect server or service  is down, the A/C client will auto-redirect to the next one.

 

Is this the case with you exceed licensed users?

 

Labels:
0 Helpful
4 Replies 4

Cristian Matei
VIP Alumni
VIP Alumni

‎03-16-2020 10:33 AM

Hi,

 

    Never ran into this exact setup (new sessions coming in when the number of max sessions has been reached), but i would say that in this case, because it will receive a "Reject" from the ASA, it will not try a backup server; a backup server is, technically speaking, tried when the primary VPN gateway is not alive, does not respond.

    What you can do is configure 100 users to have the primary ASA to be ASA1, and fallback ASA2, and the other users to have primary ASA to be ASA2, and fallback ASA1.

 

Regards,

Cristian Matei.

0 Helpful

dmooreami
Level 3
Level 3
In response to Cristian Matei

‎03-16-2020 11:08 AM

I spoke with a CCIE Security.

He said that connection 101 will be rejected, and the A/C will move down to the next VPN server
0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to dmooreami

‎03-16-2020 12:03 PM

Hi,

 

   Test it out.

 

Regards,

Cristian Matei.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dmooreami

‎03-17-2020 09:19 AM

He was wrong. :)

A responsive server without any available license will fail as @Cristian Matei noted. There is no mechanism to move to the next server in the available connection profile as long as the first server is responding.

That said, if the licenses are AnyConnect 4.x type the server will allocate sessions up to the maximum allowed on the platform, no matter how many were purchased. It is up to the admin to ensure they are compliant with the purchased number of licenses (per unique user).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents