Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Manual sync of DAP / GP Config between ASA's?

Hi there,

We have multiple failover clusters that we would like to sync the DAP's/Group Policies/ACL's between.  I understand that there are 2 components that are combined for, say, a DAP -- the config lines, and the dap.xml.

What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things like that are unique to each cluster like IP's, routing, and crypto maps must stay the same so its not as easy as just doing an ASDM/CLI full backup and restore.

I have successfully done this a couple of times but mostly through trial and error, by using ASDM to export some information and then importing it manually, but I`d like to script this out so doing this via command line would be key.  Any suggestions?  Thanks for any help!


Everyone's tags (2)
New Member

Re: Manual sync of DAP / GP Config between ASA's?

I guess I will post what we are doing so far:

Use a common prefix for all of your DAP-related ACL's -- so for us we use DAP_ like so:

access-list DAP_URL_ORACLE_SHTERM webtype permit url html://

:8080 log default

Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP acl's.

Then, use the ASDM to backup the DAP and bookmarks only.

We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order.  We chose not to sync Group Policies, Tunnel / Connection profiles anbd the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users.  You may want to think about syncing customizations and such as well.

New Member

Re: Manual sync of DAP / GP Config between ASA's?

Hi cculligan,

I would like to do the same thing you described.

I understand procedure is:

1)backup dap with asdm

2)copy dynamic-access-policy-record lines

3)paste dynamic-access-policy-record lines on the new ASA

4)restore zip file with dap.xml and with ASDM on the new ASA

Do you confirm?

I don't need to reload anything, do I?