Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

order to determine if there is an authentication proxy, and if it can handle the request. It is
only after this initial request that it begins the OGS pings in order to probe the server.
OGS determines the user location based on the network information, such as the Domain
Name System (DNS) suffix and the DNS server IP address. The RTT results, along with this
location, are stored in the OGS cache.
these settings user-configurable.
OGS is not run again from this location until 14 days after the location entry is first cached.
During this time, it uses the cached entry and the RTTs determined for that location. This
means that when AnyConnect starts again, it does not perform OGS again; instead, it uses
the optimal gateway order in the cache for that location. In the Diagnostic AnyConnect
Reporting Tool (DART) logs, this message is seen:
RTT is determined with a TCP exchange to the Secure Sockets Layer (SSL) port of the
gateway to which the user will try to connect as specified by the host entry in the AnyConnect
profile.
Note: Unlike the HTTP-ping, which does a simple HTTP post and then displays the RTT and
the result, OGS computations are slightly more complicated. AnyConnect sends three probes
for each server, and calculates the delay between the HTTP SYN that it sends out and the
FIN/ACK for each of these probes. It then uses the lowest of the deltas in order to compare
the servers and make its selection. So, even though HTTP-pings are a fairly good indication of
which server AnyConnect will choose, they might not necessarily tally. There is more
information about this in the rest of the document.
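
The selection and caching behaviour described above, modelled as an added example (this is not Cisco's code). It shows why a single HTTP-ping can disagree with OGS, which compares the lowest of three probe deltas, and why a changed network does not alter the gateway order until the 14-day cache entry expires. The gateway names, RTT values, dates and the names `OgsCache`, `rank_gateways` and `location_key` are constructed for illustration.

```python
from datetime import datetime, timedelta

# From the guide: a location entry is reused for 14 days after it is first cached.
CACHE_LIFETIME = timedelta(days=14)

def location_key(dns_suffix, dns_servers):
    """Location as the guide describes it: DNS suffix plus DNS server IPs."""
    return (dns_suffix.lower(), tuple(sorted(dns_servers)))

def rank_gateways(probes):
    """probes maps gateway -> list of RTT deltas in ms (three per server).
    Gateways are compared on the lowest delta, not the first or the mean."""
    best = {gw: min(rtts) for gw, rtts in probes.items() if rtts}
    return sorted(best, key=lambda gw: (best[gw], gw))

class OgsCache:
    """Hypothetical model of the OGS cache, keyed by location."""
    def __init__(self):
        self.entries = {}

    def select(self, location, now, probe_fn):
        entry = self.entries.get(location)
        if entry and now - entry["cached_at"] < CACHE_LIFETIME:
            return entry["order"], "cache"      # no probing from this location
        order = rank_gateways(probe_fn())
        self.entries[location] = {"cached_at": now, "order": order}
        return order, "probed"

# Constructed sample data: three probe deltas (ms) per gateway.
FIRST_RUN = {"asa-east.example.com": [80.0, 20.0, 75.0],
             "asa-west.example.com": [30.0, 31.0, 29.0]}
# Constructed: the network changes later and asa-east becomes the slower one.
LATER_RUN = {"asa-east.example.com": [90.0, 95.0, 88.0],
             "asa-west.example.com": [30.0, 28.0, 31.0]}

def demo():
    cache = OgsCache()
    loc = location_key("corp.example.com", ["192.0.2.53"])
    t0 = datetime(2024, 1, 1)
    # A single measurement (first sample only) picks a different gateway than OGS.
    single_ping = min(FIRST_RUN, key=lambda gw: FIRST_RUN[gw][0])
    day0 = cache.select(loc, t0, lambda: FIRST_RUN)
    day13 = cache.select(loc, t0 + timedelta(days=13), lambda: LATER_RUN)
    day15 = cache.select(loc, t0 + timedelta(days=15), lambda: LATER_RUN)
    return single_ping, day0, day13, day15

if __name__ == "__main__":
    for result in demo():
        print(result)
```

On day 13 the model still returns the original order from the cache even though the constructed measurements have changed; this is the situation to rule out first when a client keeps choosing a gateway that HTTP-pings suggest is no longer the closest.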
Currently, OGS only runs the checks if the user comes out of a suspend, and the threshold
has been exceeded. OGS does not connect to a different ASA if the ASA the user is
connected to crashes or becomes unavailable. OGS contacts only the primary servers in the
profile in order to determine the optimal one.
Once the OGS client profile is downloaded, when the user restarts the AnyConnect client, the
option to select other profiles will be grayed out as shown here: