I did it manually, same result. Seems there is another cache file or another setting somewhere else.       ... View more

Correct, We have to create the CSR file from each MX. ... View more

Since we need to create CSR file from MX then we cannot just purchase a SAN cert for all of our 8 MX . We need to buy SSL cert for each MX.  ... View more

Totally agree with custom certificate and renewing it.....   But when I enable Optimal Gateway Selection feature, there is a cache problem with that.   Scenario: We have VPN A VPN B VPN C VPN D   When users want to connect with AnyConnect, OGS calculate RTT by sending request to http port 443 and choose the best result. Think we have RTT VPN A 233 RTT VPN B 134 RTT VPB C 335 RTTVPN D 421   It will automatically connect the user to VPN B and cache it for some days, so next time OGS doesn't calculate again and client has to connect to previous VPN!   I have users in Canada connect to VPN UK by OGS but they can manually(disable Automatic VPN) connect to Canada without any problem. It can be a request time out causing it but AnyConnect cache will continue connect users to UK for several days.     So we can not use DNS load balance with dynamic certs, we cannot use AnyConnect profile with OGs enabled because of cache issue. The only solution is to purchase SSL certs for every MX and renew it every year which is expensive for us with 8 MX(main and spare). ... View more

Well, Dynamic certs work but when I want to use DNS load balance like Azure traffic manager, clients get warning error message.    ... View more

yes, correct but 14 days cache is not acceptable, I think.  Think if there is just one PL and AnyConnect ignore that VPN server, so the client connects to another VPN server which is not enough close and must run with lower speed/performance for 14 days. ... View more

But it's impossible to run with Dynamic cert and Azure traffic manager, you need to run with custom certificates and purchase SSL certificates for each MX/VPN. ... View more

After several attempts it works now but OGS doesn't recognize one of VPN servers.   We have 4 VPN servers but I can see just 3 servers in logs:   I've tried to troubleshoot it then found we have packet loss when I'm pinging the WAN. It means AnyConnect try to calculate RTT by sending the requests to each VPN servers but since we have PL on one one them ,AnyConnect just ignoring it and using it's cache for the next time. But When I try to connect it manually(disable OGS) it works fine!   The question is, can w just disable that cache somehow?   ... View more

.   ... View more

I'm in Sweden and I have UK and SE VPN in my list  but it selects UK!   I'm a little confusing with backup servers setting in profile editor.   I can add backup servers under Server list and there is separately another Backup servers menu. I assume the issue is there!   ... View more

I understand but using profile doesn't help my scenario.  Since I've four MXs on four different countries with users  who are traveling a lot ,I am using Azure traffic manager(DNS load balance) to select  the nearest MX.   Dynamic cert doesn't work with my load balance name and users get trust warning message which is not a good sign for them.   I've also created different profiles with AnyConnect profile editor and tried to enable OGC but it doesn't work as it. It just select the first VPN in the list.   That's why I am thinking about custom certificates. ... View more