There’s a default behavior on Cisco ASA firewall that expires SVC and WebVPN connections in case of failover event. When failover happens, the ASA discards TCP client packets, waiting for them to re-stablish the connections. This causes VPN session disconnections due to timeout.

To avoid this we have to tell the ASA to reply the clients. There are 2 commands on global config mode that are service resetoutside and service resetinbound. With them the ASA will send TCP-RST packets tothe clients, forcing them to re-stablish connections before the timeout occurs.

Both of them have another use though. To send TCP-RST to hosts trying to stabish an initial connection to the ASA if it is not going to allow the packet through.

ciscoasa(config)# service resetinbound
ciscoasa(config)# service resetoutside