Note: On the ASA, VPN is supported only in Active/Standby mode, not in firewall Active/Active mode.
This is how the ASA handles SSL VPN traffic and components in an Active/Standby configuration:
I. ASA Active/Standby failover handling of SSL VPN application traffic
Q. How does the ASA Active/Standby failover handle SSL VPN application traffic?
A. The following SSL VPN application traffic is NOT failed over:
* Smart Tunnels traffic
* Port Forwarding traffic
* Plugins traffic
* Java Applets traffic
* IPv6 clientless or AnyConnect sessions traffic
* Citrix authentication traffic (Citrix users have to re-authenticate after failover)
Note: Currently the ASA guarantees VPN session failover, not necessarily application failover, which depends a great deal on the redundancy capability of the application itself.
The enhancement request tracking the capability to improve application/persistence in a failover is CSCsq39156.
II. ASA Active/Standby failover handling of SSL VPN components configurations
Q. How does the ASA Active/Standby failover handle SSL VPN components configuration?
A. The following SSL VPN component configurations are automatically failed over:
* Smart-Tunnel lists
* Port-Forwarding lists
* Imported plugins - stored in the hidden webvpn-cache/ directory
* Imported bookmarks - stored in the hidden webvpn-cache/ directory
* ACLs, webACLs
* Imported Webcontent (logos, HTML content) - stored in the hidden webvpn-cache/ directory
* Imported customizations
* Imported Help customization
* XML configs - sdesktop/data.xml for CSD and dap.xml for DAP
For example, if you import a Webcontent logo into the active ASA, the logo is automatically replicated to the standby ASA.
Note: Failover does not replicate the following files:
* 1) AnyConnect image(s)
* 2) CSD image
For example, if you upgrade the active ASA from AnyConnect version 2.2 to version 2.3, the failover function will not replicate this new AnyConnect 2.3 package. You must manually place the AnyConnect 2.3 package using standard methods (FTP, HTTP, TFTP, etc.).