ASA Failover handling of SSL VPN application traffic and configurations


Jun 10, 2009 3:54 AM

Note: On the ASA, VPN is supported only in Active/Standby failover mode, not in Active/Active firewall failover mode.

This is how the ASA handles SSL VPN traffic and components in an Active/Standby failover configuration:

I. ASA Active/Standby failover handling of SSL VPN application traffic

Q. How does the ASA Active/Standby failover handle SSL VPN application traffic?

A. The following SSL VPN application traffic is NOT failed over:

* Smart Tunnels traffic
* Port Forwarding traffic
* Plugins traffic
* Java Applets traffic
* IPv6 clientless or AnyConnect sessions traffic
* Citrix authentication traffic (Citrix users have to re-authenticate after failover)

Note: Currently the ASA guarantees VPN session failover, not necessarily application failover, which depends a great deal on the redundancy capability of the application itself.

The enhancement request tracking the capability to improve application persistence across a failover is CSCsq39156.

II. ASA Active/Standby failover handling of SSL VPN components configurations

Q. How does the ASA Active/Standby failover handle SSL VPN component configurations?

A. The following SSL VPN component configurations are automatically failed over:

* Smart-Tunnel lists
* Port-Forwarding lists
* Imported plugins - stored in the hidden webvpn-cache/ directory
* Imported Bookmarks - stored in the hidden webvpn-cache/ directory
* ACLs, webACLs
* Imported Webcontent (logos, HTML content) - stored in the hidden webvpn-cache/ directory
* Imported customizations
* Imported Help customization
* XML configs - sdesktop/data.xml for CSD and dap.xml for DAP

For example, if you import a Webcontent logo into the active ASA, the logo is automatically replicated to the standby ASA.

Note: Failover does not replicate the following files:

1) AnyConnect image(s)
2) CSD image

For example, if you upgrade the active ASA from AnyConnect version 2.2 to version 2.3, the failover function will not replicate the new AnyConnect 2.3 package. You must manually place the AnyConnect 2.3 package on the standby ASA using standard methods (FTP, HTTP, TFTP, etc.).
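Because the AnyConnect and CSD images are the one class of SSL VPN artefact that failover leaves behind, a simple audit is to compare what the active unit's webvpn configuration references against what is actually present on the standby unit's flash. The script below is an added example, not part of the Cisco document and not Cisco tooling: the webvpn config fragment and both dir listings are constructed samples, the "svc image" / "csd image" keywords are the 8.x syntax assumed here, and the dir parser only relies on each file entry starting with an index number and ending with the file name.

```python
"""Audit which SSL VPN package files must be copied to the standby ASA by hand.

Added example (not from the Cisco document): failover replicates the
webvpn-cache contents but NOT the AnyConnect/CSD images, so after an upgrade
the standby unit's flash can silently fall behind the running configuration.
"""
import re

# Constructed sample of the webvpn section of the active unit's running-config.
# "svc image" is the 8.x keyword for AnyConnect packages, "csd image" for CSD.
ACTIVE_WEBVPN_CONFIG = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0185-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.3.0185-k9.pkg 2
 csd image disk0:/securedesktop-asa-3.4.1108-k9.pkg
 svc enable
"""

# Constructed "dir disk0:" listings; only the trailing file-name column is used.
ACTIVE_DIR = """\
Directory of disk0:/

4      -rwx  14524416    14:40:34 May 21 2009  asa822-k8.bin
5      -rwx  2850208     09:12:01 Jun 09 2009  anyconnect-win-2.3.0185-k9.pkg
6      -rwx  3141020     09:12:40 Jun 09 2009  anyconnect-macosx-i386-2.3.0185-k9.pkg
7      -rwx  1890123     09:13:11 Jun 09 2009  securedesktop-asa-3.4.1108-k9.pkg
"""

# The standby still carries the old 2.2 Windows package and no Mac package at all.
STANDBY_DIR = """\
Directory of disk0:/

4      -rwx  14524416    14:40:34 May 21 2009  asa822-k8.bin
5      -rwx  2701004     11:02:56 Mar 03 2009  anyconnect-win-2.2.0140-k9.pkg
7      -rwx  1890123     09:13:11 Jun 09 2009  securedesktop-asa-3.4.1108-k9.pkg
"""

# Matches the image keywords used across ASA releases (assumed, see lead-in).
IMAGE_LINE = re.compile(r"^\s*(?:svc|anyconnect|csd) image\s+(\S+)", re.MULTILINE)


def referenced_images(config: str) -> list:
    """Return the package paths (e.g. disk0:/x.pkg) that the webvpn config points at."""
    return IMAGE_LINE.findall(config)


def files_in_listing(dir_output: str) -> set:
    """Extract file names from 'dir' output: file entries start with an index
    number and the name is the last whitespace-separated field."""
    names = set()
    for line in dir_output.splitlines():
        if line[:1].isdigit():
            names.add(line.split()[-1])
    return names


def missing_on_standby(config: str, active_dir: str, standby_dir: str) -> list:
    """Images the config references that exist on the active unit but not on the standby."""
    active = files_in_listing(active_dir)
    standby = files_in_listing(standby_dir)
    missing = []
    for path in referenced_images(config):
        name = path.rsplit("/", 1)[-1]
        if name in active and name not in standby:
            missing.append(path)
    return missing


if __name__ == "__main__":
    for path in missing_on_standby(ACTIVE_WEBVPN_CONFIG, ACTIVE_DIR, STANDBY_DIR):
        print("copy to standby by hand:", path)
```

The check only reports what failover will not carry across; the two AnyConnect 2.3 packages still have to be transferred to the standby with FTP, HTTP or TFTP as the note above describes, whereas the CSD package is already present on both units and is not flagged.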



mdougherty@bogd... Tue, 01/12/2010 - 16:39

Interesting information and good to have. I have a client for whom I have customized the WEB Portal page for their SSL VPN on a pair of 5540s (active/standby). The active unit is the secondary and none of the customizations have carried over. Does anyone know how to sync both units when a change is made to the portal?

