07-21-2019 11:11 AM
ASA active/standby upgrade from 9.8.2 to 9.12.1. AnyConnect VPN is also configured and running on the firewall.
We have upgraded the standby ASA to 9.12.1 and the active ASA is still running 9.8.2. After the upgrade, the AnyConnect VPN sessionDB is not synced from the active ASA to the standby ASA: the AnyConnect VPN sessionDB shows on the active ASA, but the VPN sessionDB does not show on the standby.
I have a few queries below.
When we fail over to upgrade the primary ASA, will AnyConnect VPN user sessions be impacted?
Cisco says zero downtime, but here there would be downtime for AnyConnect VPN users?
Is there any option to manually sync the database in ASA?
07-21-2019 01:04 PM
As long as the ASAs are running different versions of code I do not believe that there is any way (neither automatic nor manual) to sync their databases. I have done upgrades like this and they were mostly pretty transparent. I do not have an explanation of what happens with AnyConnect in this upgrade but believe it is pretty low impact. To be safe you might want to schedule for a period where use is low or schedule a maintenance window.
HTH
Rick
07-21-2019 10:23 PM
The AnyConnect remote access VPN sessions will switch over to the newly active unit when you fail over. It does not cause any noticeable downtime for the end user sessions. I have done dozens of such upgrades and it has always worked fine.
If you have further concerns you can always open a proactive TAC case and have an engineer on the line with you when you perform the failover.