ASA Clientless VPN Config does not automatically save to standby unit in Failover pair

Jeffrey Pomeroy
Level 1

Occasionally I would find that changes I knew I had made to clientless SSL VPN smart tunnels were no longer working. When I would look on the ASA I would find that my changes were no longer listed in the running config. This was infrequent enough that I wasn't 100% sure I had originally made the changes, until today when a relatively recent change disappeared. Testing showed that changes I made on the primary ASA in a failover pair to the smart tunnel network list (in this case adding additional IPs for users to access) were not automatically saved to the running config on the standby unit. So any time a failover occurred, any changes made to smart tunnels would revert back to what was on the secondary. When I force-saved to the standby, the updates appeared.

I am not sure if this is a bug related to our recent update to ASA 9.6(3)1/ASDM 7.8(1) or if it has been going on longer. Has anyone else experienced this or have any ideas? It's an easy workaround, but I am pretty sure it used to sync the running configs automatically from the primary ASA to the standby when the commands were applied on the primary. The ASAs are two 5545X units.
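The symptom described above (a line applied on the active unit that never reaches the standby's running config) is easy to miss by eye, so a practical check is to capture `show running-config` from both units and diff them mechanically, ignoring the handful of lines that are legitimately per-unit. The script below is an added example, not code from the thread or from Cisco. Both config snippets are constructed samples, not the poster's real configuration; the `smart-tunnel network <name> ip <addr> <mask>` lines follow the ASA command form but are illustrative only, and the single entry in `SKIP_PREFIXES` is an assumption about which lines are expected to differ between the units.

```python
"""Detect running-config drift between an active and a standby ASA.

Added example, not from the original thread. Both configs below are
constructed samples. In practice the two captures would come from
`show running-config` on each unit.
"""
import re
from typing import Dict, List, Set, Tuple

# Lines that legitimately differ per unit and are never replicated; keep
# them out of the comparison so they do not show up as false drift.
# (Assumed list for this example; extend it for your own deployment.)
SKIP_PREFIXES = ("failover lan unit",)

# Constructed sample: active unit has three IPs in the finance-apps list.
ACTIVE_CONFIG = """\
hostname asa-vpn
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
webvpn
 enable outside
 smart-tunnel network finance-apps ip 10.10.20.10 255.255.255.255
 smart-tunnel network finance-apps ip 10.10.20.11 255.255.255.255
 smart-tunnel network finance-apps ip 10.10.20.12 255.255.255.255
 smart-tunnel network hr-apps ip 10.10.30.5 255.255.255.255
"""

# Constructed sample: standby is missing the most recently added IP.
STANDBY_CONFIG = """\
hostname asa-vpn
failover
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/7
webvpn
 enable outside
 smart-tunnel network finance-apps ip 10.10.20.10 255.255.255.255
 smart-tunnel network finance-apps ip 10.10.20.11 255.255.255.255
 smart-tunnel network hr-apps ip 10.10.30.5 255.255.255.255
"""


def comparable_lines(config: str) -> Set[str]:
    """Normalize a running-config capture into a set of lines worth comparing."""
    lines = set()
    for raw in config.splitlines():
        line = raw.rstrip()
        text = line.strip()
        # Drop blanks, `!` comments and `: Saved`-style banner lines.
        if not text or text.startswith(("!", ":")):
            continue
        if text.startswith(SKIP_PREFIXES):
            continue
        lines.add(line)  # leading indentation kept so sub-mode context survives
    return lines


def find_drift(active: str, standby: str) -> Tuple[List[str], List[str]]:
    """Return (missing_on_standby, extra_on_standby), each sorted."""
    a, s = comparable_lines(active), comparable_lines(standby)
    return sorted(a - s), sorted(s - a)


SMART_TUNNEL_RE = re.compile(r"^\s*smart-tunnel network (\S+) ip (\S+) (\S+)$")


def smart_tunnel_networks(config: str) -> Dict[str, Set[str]]:
    """Map each smart-tunnel network-list name to its `ip/mask` entries."""
    nets: Dict[str, Set[str]] = {}
    for raw in config.splitlines():
        m = SMART_TUNNEL_RE.match(raw)
        if m:
            name, ip, mask = m.groups()
            nets.setdefault(name, set()).add(f"{ip}/{mask}")
    return nets


def smart_tunnel_drift(active: str, standby: str) -> Dict[str, Set[str]]:
    """Entries present in the active unit's network lists but absent on standby."""
    a, s = smart_tunnel_networks(active), smart_tunnel_networks(standby)
    drift: Dict[str, Set[str]] = {}
    for name, entries in a.items():
        missing = entries - s.get(name, set())
        if missing:
            drift[name] = missing
    return drift


def in_sync(active: str, standby: str) -> bool:
    """True when no comparable line differs between the two captures."""
    missing, extra = find_drift(active, standby)
    return not missing and not extra


if __name__ == "__main__":
    missing, extra = find_drift(ACTIVE_CONFIG, STANDBY_CONFIG)
    for line in missing:
        print(f"missing on standby: {line.strip()}")
    for line in extra:
        print(f"extra on standby:   {line.strip()}")
    for name, entries in smart_tunnel_drift(ACTIVE_CONFIG, STANDBY_CONFIG).items():
        print(f"smart-tunnel list '{name}' lacks on standby: {sorted(entries)}")
    print("in sync" if in_sync(ACTIVE_CONFIG, STANDBY_CONFIG) else "DRIFT DETECTED")
```

Running this against the two samples reports the one `finance-apps` entry that never reached the standby, which is exactly the kind of line a `write standby` would push across. Scheduling a comparison like this after each change window catches the drift before a failover exposes it.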

3 Replies

Rahul Govindan
VIP Alumni
That is strange. The ASA should definitely sync smart tunnel configuration through failover automatically. The list of how SSLVPN components behave with failover is here:
https://supportforums.cisco.com/t5/security-documents/asa-failover-handling-of-ssl-vpn-application-traffic-and/ta-p/3116245

That being said, I have seen something similar in an earlier 9.5(2) version, where local users created on the active ASA were never synced to standby. Even issuing a 'write standby' (complete push from the primary to the secondary ASA) did not help, as certain configuration just did not want to sync between the firewalls. I finally had to do a blind upgrade to get the sync working again. I can only think of this as a bug where the sync is broken between the 2 firewalls. Can you check if the failover status looks ok on both devices? I would also suggest looking at upgrading the devices to the latest interim in the 9.6(3) train after verifying the 9.6 release notes.

thanks,

Checking the failover status everything appears ok. The primary is the active ASA as normal.

Checking the Cisco site, the ASAs are already running the latest recommended release version for the 9.6 series.

The latest interim is asa963-17-smp-k8.bin, released on 20 Oct 2017. This is hidden in the download page menu under the interim section. Interim releases usually have bug fixes on top of the first image in the train. But you are right, 9.6(3)1 is the recommended release from Cisco. I would recommend opening a TAC case to see if they can debug this issue before you make any changes to your software version. There might be a known bug that they are aware of.