1) The ASA only has a fallback from the external server to LOCAL. Only when the external server is not reachable is the local database queried. You could configure two tunnel-groups, one with LDAP and one with LOCAL, but that is of course not the same as what you want.
2) No, the way passwords are hashed is different between the ASA and AD.
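To make the two options concrete, here is an added ASA configuration example that is not part of the original reply: one connection profile authenticates against AD via LDAP and only falls back to LOCAL when the LDAP server is unreachable, and a second profile authenticates against LOCAL only. The server group name, host address, base DN, bind account, pool and tunnel-group names are assumed placeholders.

```text
! --- LDAP server group pointing at AD (names and addresses are assumed) ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-account-password>
 server-type microsoft
!
! --- Profile 1: AD first, LOCAL only if the LDAP server does not answer ---
! (a wrong password returned by AD does NOT trigger the LOCAL fallback)
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP LOCAL
tunnel-group ANYCONNECT-AD webvpn-attributes
 group-alias ad-users enable
!
! --- Profile 2: LOCAL database only, for users not yet migrated ---
tunnel-group ANYCONNECT-LOCAL type remote-access
tunnel-group ANYCONNECT-LOCAL general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
tunnel-group ANYCONNECT-LOCAL webvpn-attributes
 group-alias local-users enable
!
! --- Let AnyConnect users pick the profile from the drop-down ---
webvpn
 tunnel-group-list enable
```

You can confirm that the LDAP group itself works before pointing users at it with `test aaa-server authentication AD-LDAP host 192.0.2.10 username <user> password <password>`, and `show aaa-server AD-LDAP` shows whether the ASA currently considers the server active; the LOCAL keyword in profile 1 only matters while that server is marked failed.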
So, even worse: now I can't just copy the local DB to AD, and I can't decrypt the passwords either. The only way is to make two connection profiles?
So imagine our enterprise has 2000 users using our AnyConnect; there is no way for me to switch them to AD without resetting their passwords?
The only workaround I can think of is designing a web page where they reset their passwords by entering their email, so the process is automated a little bit, but that can't stop them complaining for months: "we can't log in, what happened all of a sudden?!"