You want to implement a VPN with an alwayson fail close policy for Cisco AnyConnect clients.
Which of the following does Cisco recommend that you do? (Select the best answer.)

A.
Start with a fail open policy, and implement fail close in phases.

B.
Start with the fail close policy, and implement fail open as necessary.

C.
Implement always-on, and leave the failure policy at the default setting.

D.
Implement always-on with a fail open policy, and enable the Disconnect button.

Explanation:
Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to
implement a virtual private network (VPN) with an always on fail close policy. The always on feature enables
Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is
connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote
work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly
connected to the corporate LAN. However, any number of problems could prevent the client from actually
establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always on clients. The
fail open policy allows the client to complete a connection to the local network for access to the Internet or local
resources. However, because a VPN session has not been established, the security of the AnyConnect device
that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except
to local devices and devices that are available by using split tunneling. This extra layer of security could prevent
the user from accessing the Internet and thus could compromise productivity if the user relies on Internet
access to complete work related tasks. Because the fail closed policy is so restrictive, Cisco recommends
implementing it by using a phased approach that includes initially implementing fail open and surveying user
activity for AnyConnect issues that might prevent seamless connections.
There is no need to enable the Disconnect button, because the button is enabled by default when the always on
feature is enabled. The Disconnect button enables users to manually disconnect from a VPN session that has
been automatically established by the AnyConnect client. The Disconnect button can be disabled by an
administrator.
Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail close
policy. The fail close policy is the default failure policy when connect failure policies are enabled.

Cisco: Configuring VPN Access: Connect Failure Policy for Always on VPNCategory:
VPN