Meraki

Community

AnyConnect Load Sharing... vMX (Azure)

Solved
ToryDav
Building a reputation
‎Oct 24 2022 9:02 PM
‎Oct 24 2022 9:02 PM

AnyConnect Load Sharing... vMX (Azure)

Hi!

I am working on this setup and would like to know what other peoples experience is with this setup.

All users will connect to their respective Primary Servers. When a Primary Server fails, the AnyConnect Client will automatically connect them to the Backup Server. Credentials will be required from the user to complete authentication to the Backup Server.

Reference -> https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Failover_an...

The issue I have with this is, while I can connect to the backup server listed in the profile after about 1-2 minutes, this doesn't happen automatically. The client receives an administrator reset message and then has to click to connect.

My question is.. 

What is your experience in terms of the above expected behavior? 

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 25 2022 12:46 AM
‎Oct 25 2022 12:46 AM

I suspect it is not being detected as a failure -  but as a planned disconnect.  Simply shutting down a VMX will cause a planned disconnect and the client is not likely to failover.

How are you creating the test failover case?

 

Another option you could consider using is OGS (Optimal Gateway Selection).  This causes AnyConnect to use the fastest responding VPN terminator to the user.

This is an option you can configure in the AnyConnect profile.  You can also configure a backup server for each of the servers configured as well.

 

https://community.cisco.com/t5/security-knowledge-base/anyconnect-optimal-gateway-selection-operatio... 

View solution in original post

0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 25 2022 12:46 AM
‎Oct 25 2022 12:46 AM

I suspect it is not being detected as a failure -  but as a planned disconnect.  Simply shutting down a VMX will cause a planned disconnect and the client is not likely to failover.

How are you creating the test failover case?

 

Another option you could consider using is OGS (Optimal Gateway Selection).  This causes AnyConnect to use the fastest responding VPN terminator to the user.

This is an option you can configure in the AnyConnect profile.  You can also configure a backup server for each of the servers configured as well.

 

https://community.cisco.com/t5/security-knowledge-base/anyconnect-optimal-gateway-selection-operatio... 

0 Kudos
In response to PhilipDAth
ToryDav
Building a reputation
‎Oct 25 2022 2:08 PM
‎Oct 25 2022 2:08 PM

I was shutting the VM down or rebooting it from within Meraki Tools. How can I test failover then? 

I like the OGS feature you mentioned, however part of this is that we want to distribute users more evenly until Azure gets a vMX large and we can overcome the Medium session limitations. 

0 Kudos
In response to ToryDav
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 25 2022 2:10 PM
‎Oct 25 2022 2:10 PM

>I was shutting the VM down or rebooting it from within Meraki Tools. How can I test failover then? 

 

Create a firewall rule to block the traffic, or power off (not shutdown) the VM.

In response to PhilipDAth
ToryDav
Building a reputation
‎Oct 27 2022 7:25 AM
‎Oct 27 2022 7:25 AM

Just to confirm - Hit the STOP button in Azure?

ToryDav_0-1666880676891.png


That's how I was testing. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.