Description

Cisco ASA VPN clients are unable to access the captive portal pages after an appliance failover in L3 High Availability.

In an L3 High Availability configuration, three DNS entries are required:
- Production DNS
- Primary Server VPN interface
- Secondary Server VPN interface

As of this writing, the ASA only supports two DNS server entries. Consequently, when a failover occurs in L3 High Availability, isolated VPN endpoints are still handed the Primary Server VPN interface as their DNS server and are unable to resolve DNS until control is returned to the Primary Server.

For more information on the DNS configuration, refer to the Cisco ASA documentation.
Solution
Workaround:
1. In the ASA, change the DNS server entry from the Primary Server VPN interface IP address to the Secondary Server VPN interface IP address. The ASA will then provide the correct DNS server IP to isolated endpoints, allowing the captive portal pages to be delivered.
2. Once the Primary Server has resumed control, change the DNS entry in the ASA back to the Primary Server VPN interface IP address.
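The following ASA CLI transcript is an added example of the two workaround steps above; it is not part of this article and does not come from the ASA or NAC vendor documentation. The group-policy name GP-VPN and the addresses are assumptions (RFC 5737 documentation ranges): 192.0.2.10 is the production DNS, 198.51.100.5 the Primary Server VPN interface and 198.51.100.6 the Secondary Server VPN interface. The `dns-server value` command under `group-policy ... attributes` is where the ASA's two-entry limit applies, so the Primary/Secondary VPN interface address has to share the command with the production DNS.

```text
! Normal operation: isolated endpoints get the Primary Server VPN interface first
asa(config)# group-policy GP-VPN attributes
asa(config-group-policy)# dns-server value 198.51.100.5 192.0.2.10
asa(config-group-policy)# exit

! Step 1: after failover, hand out the Secondary Server VPN interface instead
asa(config)# group-policy GP-VPN attributes
asa(config-group-policy)# dns-server value 198.51.100.6 192.0.2.10
asa(config-group-policy)# exit
asa(config)# write memory

! Check that the policy now lists the Secondary Server VPN interface
asa# show running-config group-policy GP-VPN

! Step 2: once the Primary Server has resumed control, restore the original entry
asa(config)# group-policy GP-VPN attributes
asa(config-group-policy)# dns-server value 198.51.100.5 192.0.2.10
asa(config-group-policy)# exit
asa(config)# write memory
```

Group-policy DNS settings are pushed to a client when its tunnel is established, so endpoints that were already connected when the entry was changed keep the old DNS server until they reconnect; if the target group-policy is not the default, confirm with `show running-config tunnel-group` that the affected VPN clients actually land in GP-VPN.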