cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1780
Views
0
Helpful
3
Replies
Highlighted
Beginner

ASA 8.3 - WebVPN and Failover (Act/Stby)

In older version of code WebVPN was not a supported feature on the ASA, however in 8.x and specifically 8.3 the rel notes no longer list it as an unsupported feature - does that mean WebVPN is fully supported by failover (Act/Stby) in 8.3 ?

I can see on my 8.3 Act/Stby failover pair the "CLI" based WebVPN config getting replicated as you'd expect but I can not see the file based XML config (used in 8.x train) for things such as portal customisation or bookmarks on the standby ASA.

I'm trying to view the WebVPN file based XML config using ASDM connected to the standby ASA and it eventualy times out when trying to browse portal customisation or bookmarks.

Does the WebVPN file based XML config get replicated in a failover pair?

or if not how do I get that content to the box?

thanks,

Sez

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

As per the following document, it states that:

"In  Version 8.0 and later, some configuration elements for WebVPN (such as  bookmarks and customization) use the VPN failover subsystem, which is  part of Stateful Failover. You must use Stateful Failover to synchronize  these elements between the members of the failover pair. Stateless  (regular) failover is not recommended for WebVPN."

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1078936

If you have enabled stateful failover, and the bookmarks and portal customization for webvpn is still not replicated to the standby, I would suggest that you open a TAC case to further investigate the issue.

View solution in original post

3 REPLIES 3
Highlighted
Cisco Employee

As per the following document, it states that:

"In  Version 8.0 and later, some configuration elements for WebVPN (such as  bookmarks and customization) use the VPN failover subsystem, which is  part of Stateful Failover. You must use Stateful Failover to synchronize  these elements between the members of the failover pair. Stateless  (regular) failover is not recommended for WebVPN."

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ha_overview.html#wp1078936

If you have enabled stateful failover, and the bookmarks and portal customization for webvpn is still not replicated to the standby, I would suggest that you open a TAC case to further investigate the issue.

View solution in original post

Highlighted

Hi Jennifer,

You are right the listed customisations do get transferred across state interface ina  failover pair.

I think my issue was one to do with ASDM accessing the content on a secondary, after a failover and it is active and the primary is off-line.

The failed over WebVPN functionality works including the customisations but ASDM wouldn't let me get to the customisation xml content on the secondary to view it

rgds

Highlighted
Beginner

I'm building out the same thing here. Here's what I've noticed...

Yes... your .xml client profile DOES get replicated but that's it. Along with the webvpn content, another thing that doesn't get replicated is your client packages. Why is this a big deal? When it fails over and there's no package available, Webvpn stops working!!! I had to have that package on there. In order to get that package on there, I had to failover to the secondary, upload it, re-add the package definition (svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1), and then failback.