Showing results for 
Search instead for 
Did you mean: 


Manual sync of DAP / GP Config between ASA's?

Hi there,

We have multiple failover clusters that we would like to sync the DAP's/Group Policies/ACL's between.  I understand that there are 2 components that are combined for, say, a DAP -- the config lines, and the dap.xml.

What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things like that are unique to each cluster like IP's, routing, and crypto maps must stay the same so its not as easy as just doing an ASDM/CLI full backup and restore.

I have successfully done this a couple of times but mostly through trial and error, by using ASDM to export some information and then importing it manually, but I`d like to script this out so doing this via command line would be key.  Any suggestions?  Thanks for any help!


Everyone's tags (2)

Re: Manual sync of DAP / GP Config between ASA's?

I guess I will post what we are doing so far:

Use a common prefix for all of your DAP-related ACL's -- so for us we use DAP_ like so:

access-list DAP_URL_ORACLE_SHTERM webtype permit url html://

:8080 log default

Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP acl's.

Then, use the ASDM to backup the DAP and bookmarks only.

We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order.  We chose not to sync Group Policies, Tunnel / Connection profiles anbd the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users.  You may want to think about syncing customizations and such as well.


Re: Manual sync of DAP / GP Config between ASA's?

Hi cculligan,

I would like to do the same thing you described.

I understand procedure is:

1)backup dap with asdm

2)copy dynamic-access-policy-record lines

3)paste dynamic-access-policy-record lines on the new ASA

4)restore zip file with dap.xml and with ASDM on the new ASA

Do you confirm?

I don't need to reload anything, do I?