ASA Failover handling of SSL VPN application traffic and by znu21902


ASA Failover handling of SSL VPN application traffic and configurations

Note: On the ASA, VPN is supported only in Active/Standby mode, not in firewall
Active/Active mode.

This is how the ASA handles SSL VPN traffic and components in an Active/Standby
configuration:




I. ASA Active/Standby failover handling of SSL VPN application traffic

Q. How does the ASA Active/Standby failover handle SSL VPN application traffic?

A. The following SSL VPN application traffic is NOT failed over:

* Smart Tunnels traffic
* Port Forwarding traffic
* Plugins traffic
* Java Applets traffic
* IPv6 clientless or AnyConnect sessions traffic

Note: Currently the ASA guarantees VPN session failover, not necessarily application
failover, which depends a great deal on the redundancy capability of the application itself.

The enhancement request tracking the capability to improve application persistence in a
failover is CSCsq39156.




II. ASA Active/Standby failover handling of SSL VPN components configurations

Q. How does the ASA Active/Standby failover handle SSL VPN components configuration?

A. The following SSL VPN component configurations are automatically failed over:

* Smart-Tunnel lists
* Port-Forwarding lists
* Imported plugins - stored in hidden webvpn-cache/directory
* Imported BookMarks - store

For example, if you import a Webcontent logo into the active ASA, the logo is automatically
replicated to the standby ASA.



Note: Failover does not replicate the following files:

1) AnyConnect image(s)
2) CSD image




Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.


For example, if you upgrade the active ASA from AnyConnect version 2.2 to version 2.3,
the failover function will not replicate the new AnyConnect 2.3 package. You must manually
place the AnyConnect 2.3 package on the standby ASA using standard methods (ftp, http, tftp, etc.).
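
One way to check for this gap before relying on failover, as an added example that is not part of the original posting: the script below compares flash directory listings captured from the active and the standby unit and reports AnyConnect/CSD packages the standby lacks. The listing layout, the anyconnect-/securedesktop- .pkg file naming and every sample value are assumptions constructed for illustration.

```python
import re

# One file row of a flash "dir" listing: index, mode, size, time, date, name.
# The column layout is an assumption; adjust it to the output you capture.
DIR_ROW = re.compile(
    r"^\s*\d+\s+\S+\s+(?P<size>\d+)\s+\d\d:\d\d:\d\d"
    r"\s+\w{3}\s+\d+\s+\d{4}\s+(?P<name>\S+)\s*$"
)
# Assumed naming: AnyConnect and CSD images are .pkg files with these prefixes.
PACKAGE = re.compile(r"^(anyconnect|securedesktop)-.*\.pkg$", re.IGNORECASE)

def packages(dir_output):
    """Return {filename: size} for AnyConnect/CSD packages in a listing."""
    found = {}
    for line in dir_output.splitlines():
        m = DIR_ROW.match(line)
        if m and PACKAGE.match(m.group("name")):
            found[m.group("name")] = int(m.group("size"))
    return found

def missing_on_standby(active_dir, standby_dir):
    """Packages absent from the standby, or present with a different size."""
    active, standby = packages(active_dir), packages(standby_dir)
    problems = []
    for name, size in sorted(active.items()):
        if name not in standby:
            problems.append((name, "missing"))
        elif standby[name] != size:
            problems.append((name, "size mismatch"))
    return problems

# Constructed sample listings (file names, sizes and dates are made up).
ACTIVE_DIR = """Directory of disk0:/

  75  -rwx  14137344  10:12:04 Mar 02 2009  asa-image.bin
  76  -rwx  2150000   10:15:31 Mar 02 2009  anyconnect-win-2.2.0000-k9.pkg
  77  -rwx  2480000   09:01:10 Jun 15 2009  anyconnect-win-2.3.0000-k9.pkg
  78  -rwx  5120000   10:20:45 Mar 02 2009  securedesktop-asa-0.0.0000-k9.pkg
"""
STANDBY_DIR = """Directory of disk0:/

  75  -rwx  14137344  10:12:04 Mar 02 2009  asa-image.bin
  76  -rwx  2150000   10:15:31 Mar 02 2009  anyconnect-win-2.2.0000-k9.pkg
  77  -rwx  4096000   10:20:45 Mar 02 2009  securedesktop-asa-0.0.0000-k9.pkg
"""

if __name__ == "__main__":
    for name, reason in missing_on_standby(ACTIVE_DIR, STANDBY_DIR):
        print(f"standby: {name}: {reason}")
```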



