FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 190423
Description
Cisco ASA VPN clients are unable to access the captive portal pages after an appliance failover in an L3 High Availability configuration.

In an L3 High Availability configuration, three DNS entries are required:
  • Production DNS
  • Primary Server VPN interface
  • Secondary Server VPN interface

As of this writing, the ASA supports only two DNS entries. Consequently, when a failover occurs in L3 High Availability, the isolated VPN endpoint is unable to resolve DNS until control is returned to the Primary Server.

For more information on the DNS configuration, refer to Cisco ASA documentation.

Solution

Workaround:

1. On the ASA, change the DNS server entry from the Primary Server VPN interface IP address to the Secondary Server VPN interface IP address. The ASA will then provide the correct DNS server IP to isolated endpoints, allowing the captive portal pages to be delivered.

2. Once the Primary Server has resumed control, change the DNS entry on the ASA back to the Primary Server VPN interface.


