- Cisco Employee,
Note: On the ASA VPN is only supported in Active/Standby mode, and not in Firewall Active/Active mode.
This is is how the ASA handles SSL VPN traffic and components in an Active/Standby configuration:
I. ASA Active/Standby failover handling of SSL VPN application traffic
Q. How does the ASA Active/Standby failover handle SSL VPN application traffic ?
A. The following SSL VPN application traffic is NOT failed-over :
* Smart Tunnels traffic * Port Forwarding traffic * Plugins traffic * Java Applets traffic * IPv6 clientless or AnyConnect sessions traffic * Citrix authentication (Citrix users have to re-authenticate after failover) traffic
Note: Currently the ASA guarantees VPN session failover, not necessarity application failover, which depends a great deal of the application redundandy capability itself.
The enhancement request tracking the capability to improve application/persitence in a failover is (CSCsq39156).
II. ASA Active/Standby failover handling of SSL VPN components configurations
Q. How does the ASA Active/Standby failover handle SSL VPN components configuration ?
A. The following SSL VPN component configurations are automatically failed-over :
*Smart-Tunnel lists *Port-Forwarding lists *Imported plugins- stored in hidden webvpn-cache/directory *Imported BookMarks - stored in hidden webvpn-cache/directory *ACLs, webACLs *Imported Webcontent (logos, html content)- stored in hidden webvpn-cache/directory *Imported customizations *Imported Help customization *xml configs - sdesktop/data.xml for CSD and dap.xml for DAP
For example, if you import a Webcontent logo into the active ASA, the logo is automatically replicated to the standby ASA.
Note: Failover does not replicate the following files: *1) AnyConnect image(s) *2) CSD image
For example , if you upgrade the active ASA from AnyConnect version 2.2 to version 2.3, the failover function will not replicate this new AnyConnect 2.3 package. You must manually place the AnyConnect 2.3 package using standard methods (ftp, http, tftp,etc).
User's client has ASA 5520 config for active/standby. Can user use the management interface as statefull failover on both ASA? They are using Lan Failover link and they have dedicated interface for it. Rest all other interfaces are used up except the management interface
His question is can he config the stateful link also on Lan failover interface?
Can he use same physical interface for both Lan and statefull failover?
If he had some free port in both firewalls and if he could config stateful failover link on that physical port will it cause any outage in the environment.
Can he use the management interface as statefull failover on both ASA?
Q: Can user config the stateful link also on Lan failover interface?
A: The failover link should be a dedicated interface, be that a dedicated subinterface or physical interface is up to you.the stateful link can either share the failover link interface or can be configured to use a dedicated interface.
Q: Can user use the management interface as statefull failover on both ASA?
A: Yes, you just need to issue the command no management-only under the mgmt interface. Keep in mind you will have limited speed on this interface as it only supports 10/100. So depending on how much stateful connections you need to replicate this could be a bad thing to do.