
Ask the Expert: Configuring and Troubleshooting remote access SSL VPN on Cisco Adaptive Security Appliance

Lisa Latour
Level 6

This is an opportunity to learn about the Cisco SSL VPN feature, clientless VPN and the AnyConnect remote access client with Mohammad Alhyari.

Monday, April 27th, 2015 to Friday, May 8th, 2015

Featured Expert

Cisco Expert

Mohammad Alhyari is a customer support engineer at the Cisco Technical Assistance Center in Krakow, Poland. He holds CCIE Security #35093 and has over 5 years of experience in the security team. Mohammad's area of expertise is security, including VPN, SSL VPN, and IPsec VPN on the Cisco IOS and Cisco ASA platforms.

 

Find other  https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.

 

31 Replies

Hi Flavio,

Thanks for sharing your problem here. I really apologize that I can't recommend a version for you, as I'm not aware of your network needs and infrastructure. However, if you look at the release notes for 9.4 you can see the list of open/resolved bugs and the new features here:

 http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-120956

 

For your question about the DAP policies configuration: it is saved in two places:

DAP.xml file: contains the selection attributes (stored in the flash).

Dynamic access policy records in the config, which contain the authorization attributes. You can see them in the config of the ASA.

Here is a procedure you can use to copy the DAP from one ASA to another ASA:

1) Save the production ASA config and dap.xml to a remote FTP/TFTP server.

Within ASDM you can select:

Tools > Backup Config > SSL VPN Config > check DAP (this will save the dap.xml file)

2) On the new ASA:

Delete the dap.xml if it exists.

Use this command to clear the DAP records:

clear configure dynamic-access-policy-record

3) Copy the original dap.xml file to the new ASA.

4) Copy the running config from the original ASA to the new ASA (especially the dynamic-access-policy-record part).

5) Enable the DAP on the new ASA:

dynamic-access-policy-config activate

6) Close ASDM and open it again.

 

HTH .
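A post-migration check for the procedure above, as an added example that is not part of the original reply: because DAP lives in two places, this compares the record names in dap.xml with the dynamic-access-policy-record entries in the running config and reports any record that exists in only one of them. The dap.xml element layout, the sample data and the function names are assumptions made for illustration; adjust the XML path to match your own file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of dap.xml (selection attributes). The layout
# dapRecordList/dapRecord/dapName/value is an assumption; check your file.
SAMPLE_DAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dapRecordList>
  <dapRecord><dapName><value>Contractors</value></dapName></dapRecord>
  <dapRecord><dapName><value>Employees</value></dapName></dapRecord>
  <dapRecord><dapName><value>Quarantine</value></dapName></dapRecord>
</dapRecordList>
"""

# Constructed running-config excerpt (authorization attributes).
SAMPLE_RUNNING_CONFIG = """\
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Employees
 network-acl EMPLOYEE_ACL
dynamic-access-policy-record Contractors
 webvpn
  url-list value CONTRACTOR_LINKS
dynamic-access-policy-record VendorAccess
 action terminate
"""

# Assumption: the default record carries no selection criteria, so it is
# not expected to have an entry in dap.xml and is excluded from the diff.
DEFAULT_RECORD = "DfltAccessPolicy"

def xml_record_names(xml_text):
    """Names of the records that have selection attributes in dap.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    values = root.findall("./dapRecord/dapName/value")
    return {v.text.strip() for v in values if v.text and v.text.strip()}

def config_record_names(config_text):
    """Names of the records defined in the running config."""
    pattern = r"^dynamic-access-policy-record[ \t]+(\S+)[ \t]*$"
    return set(re.findall(pattern, config_text, re.MULTILINE))

def compare_dap(xml_text, config_text):
    """Report records that were copied to only one of the two places."""
    in_xml = xml_record_names(xml_text)
    in_cfg = config_record_names(config_text) - {DEFAULT_RECORD}
    return {"missing_from_config": sorted(in_xml - in_cfg),
            "missing_from_dap_xml": sorted(in_cfg - in_xml)}

if __name__ == "__main__":
    print(compare_dap(SAMPLE_DAP_XML, SAMPLE_RUNNING_CONFIG))
```

Run it against the dap.xml and running config saved in step 1 and again against the copies on the new ASA; both lists should be empty on each side before the new ASA takes production traffic.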

 

Joshuskarki
Level 1

Hi Mohammad, first of all, I would like to thank you for taking your time to answer the question.

My question is more about design or best practices for AnyConnect VPN deployment. Our company recently bought 3 5545-x with Apex license installed on them. The plan is to install them in 3 different (geography) locations, one on each site.

The business requirement is: if the closest VPN gateway fails for some reason, the client should seamlessly, or at least with minimum traffic interruption, connect to the next nearest available VPN gateway. So is OGS (Optimal Gateway Selection) the only option we are looking at to do so, or are there any other better suggestions?

Thanks,

Josh
