I have a customer with two separate ASA firewalls, each capable of supporting SSL VPN. The firewalls are not configured in a failover pair, and are not performing VPN load balancing. They are simply used as a primary and secondary VPN device.
What we want is for VPN connections to attempt to connect to the primary device and, if this is not available, try the secondary device. I understand this is easily achieved using a backup server list. However, will the VPN client fail over to the backup server if the primary ASA is available but does not have any available SSL licenses left?
In other words, will the fact that there are no SSL licenses left on the primary ASA be sufficient reason for the client to fail over and try the secondary ASA?