ASA - AnyConnect Management VPN Tunnel

When configuring an ASA to operate with AnyConnect clients, it is possible to create what is known as a Management VPN Tunnel.

This VPN tunnel ensures connectivity to the corporate network whenever the client is powered up, and not just when a VPN connection is established by the end-user. Below you can see the state of the Management VPN Tunnel on an AnyConnect client. Notice that the Management VPN Tunnel state is Connected even though the State under the Connection Information heading is Disconnected.

[Image: anyconnect-management-vpn-tunnel.png]

This management tunnel allows administrators to have management access to AnyConnect devices without user intervention. This facilitates things like patch management, upgrades, and some endpoint OS login scripts.

Links:

https://forum.networklessons.com/t/cisco-any-connect-management-connection-state-is-connected/23898/2?u=lagapides

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html#id_83215