Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

Contents
Introduction
How does OGS work?
OGS Cache
Location Determination
Failure Scenarios
When Connectivity to the Gateway is Lost
Resume After a Suspend
TCP Delayed-ACK Window Size Selects Incorrect Gateway
Typical User Example
Troubleshoot OGS
Step 1. Clear the OGS Cache in Order to Force a Reevaluation
Step 2. Capture the Server Probes During the Connection Attempt
Step 3. Verify the Gateway Selected by OGS
Step 4. Validate the OGS Calculations Run by AnyConnect 
Analysis
Q&A
Introduction
This document describes how to troubleshoot issues with Optimal Gateway Selection (OGS). OGS
is a feature that can be used in order to determine which gateway has the lowest Round Trip Time
(RTT) and connect to that gateway. One can use the OGS feature in order to minimize latency for
Internet traffic without user intervention. With OGS, Cisco AnyConnect Secure Mobility Client
(AnyConnect) identifies and selects which secure gateway is best for connection or reconnection.
OGS begins upon first connection or upon a reconnection at least four hours after the previous
disconnection. More information can be found in the
.
Tip: OGS works best with the latest AnyConnect client and ASA software Version 9.1(3)* or later.
How does OGS work?
A simple Internet Control Message Protocol (ICMP) ping request does not work because many
Cisco Adaptive Security Appliance (ASA) firewalls are configured to block ICMP packets in order
to prevent discovery. Instead, the client sends three HTTP/443 requests to each headend that
appears in a merge of all profiles. These HTTP probes are referred to as OGS pings in the logs,
but, as explained earlier, they are not ICMP pings. In order to ensure that a (re)connection does
not take too long, OGS selects the previous gateway by default if it does not receive any OGS
ping results within seven seconds. (Look for OGS ping results in the log.)
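The selection rule described above, as an added example (not Cisco's code and not part of the original guide): three timed HTTPS requests per headend, a seven-second deadline, and fallback to the previous gateway. Probing the headends in parallel and taking the lowest of the three samples are assumptions, because the text does not say how the samples are combined; the hostnames are constructed.

```python
import http.client
import time
from concurrent.futures import ThreadPoolExecutor, wait

PROBES_PER_HEADEND = 3   # from the page: three requests per headend
OGS_DEADLINE_S = 7.0     # from the page: fall back if no result in 7 seconds

def https_probe(host, timeout):
    """Time one HTTPS request to host:443. Any HTTP status counts as a reply."""
    start = time.monotonic()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    try:
        conn.request("GET", "/")
        conn.getresponse().read()
        return time.monotonic() - start
    except (OSError, http.client.HTTPException):
        return None  # filtered, unreachable, or TLS failure: no result
    finally:
        conn.close()

def select_gateway(headends, previous, probe=https_probe, deadline=OGS_DEADLINE_S):
    """Return (chosen_gateway, {gateway: rtt_seconds}) for the answering headends."""
    def best_of_three(host):
        # Assumption: the lowest of the three samples represents the headend.
        samples = [probe(host, deadline) for _ in range(PROBES_PER_HEADEND)]
        samples = [s for s in samples if s is not None]
        return min(samples) if samples else None

    pool = ThreadPoolExecutor(max_workers=max(1, len(headends)))
    futures = {pool.submit(best_of_three, h): h for h in headends}
    done, _ = wait(futures, timeout=deadline)   # probe all headends in parallel
    pool.shutdown(wait=False)
    results = {futures[f]: f.result() for f in done if f.result() is not None}
    if not results:
        return previous, results   # nothing answered in time: keep previous gateway
    return min(results, key=results.get), results

if __name__ == "__main__":
    # Constructed RTTs (seconds) for hypothetical headends; no network needed.
    constructed = {"gw-east.example": 0.080, "gw-west.example": 0.035, "gw-eu.example": None}
    print(select_gateway(list(constructed), "gw-east.example",
                         probe=lambda host, timeout: constructed[host]))
```

A headend whose certificate the local trust store rejects is reported as no result, so compare the output with the OGS ping results in the AnyConnect log rather than treating it as the client's own measurement.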
Note: AnyConnect should send an HTTP request to port 443, because what matters is receiving
a response, not whether that response is successful. Unfortunately, the fix for proxy handling sends all
requests as HTTPS. See Cisco bug ID 
 - OGS should ping with HTTP requests.
Note: If there are no headends in the cache, AnyConnect first sends one HTTP request in