ASA active/standby upgrade from 9.8.2 to 9.12.1. AnyConnect VPN is also configured and running on the firewall.
We have upgraded the standby ASA to 9.12.1 and the active ASA is still running 9.8.2. After the upgrade, the AnyConnect VPN sessionDB is not synced from the active ASA to the standby ASA; the AnyConnect VPN sessionDB shows on the active ASA, but the VPN sessionDB does not show on the standby.
I have a few queries below.
When we fail over to upgrade the primary ASA, will AnyConnect VPN user sessions be impacted?
Cisco says zero downtime, but would there be downtime here for AnyConnect VPN users?
Is there any option to manually sync the database in ASA?
As long as the ASAs are running different versions of code, I do not believe that there is any way (neither automatic nor manual) to sync their databases. I have done upgrades like this and they were mostly pretty transparent. I do not have an explanation of what happens with AnyConnect in this upgrade but believe it is pretty low impact. To be safe you might want to schedule for a period where use is low or schedule a maintenance window.
The AnyConnect remote access VPN sessions will switch over to the newly active unit when you fail over. It does not cause any noticeable downtime for the end user sessions. I have done dozens of such upgrades and it has always worked fine.
If you have further concerns you can always open a proactive TAC case and have an engineer on the line with you when you perform the failover.